feat: Introduce v1alpha2 version of LlamaStackDistribution CRD

[VaishnaviHire]

This PR introduces the v1alpha2 API version for the LlamaStackDistribution CRD, enabling declarative, Kubernetes-native configuration of LlamaStack servers. Instead of requiring users to manually craft and supply a config.yaml via ConfigMap (as in v1alpha1), the operator now generates the server configuration automatically from structured CR fields (providers, resources, storage, networking). Both API versions are served concurrently with full conversion webhook support.

v1alpha2 Example

The v1alpha2 API replaces environment-variable-driven configuration with structured, declarative fields. All provider fields use typed []ProviderConfig slices with CEL validation.

Basic : single Ollama provider:

apiVersion: llamastack.io/v1alpha2
kind: LlamaStackDistribution
metadata:
  name: llamastackdistribution-v1alpha2-sample
spec:
  distribution:
    name: starter
  providers:
    inference:
      - provider: ollama
        endpoint: http://ollama-server-service.ollama-dist.svc.cluster.local:11434/v1
  resources:
    models:
      - name: "llama3.2:1b"
  networking:
    port: 8321
  workload:
    replicas: 1

Advanced : vLLM with secret refs, PostgreSQL storage, pgvector:

apiVersion: llamastack.io/v1alpha2
kind: LlamaStackDistribution
metadata:
  name: llamastack-vllm-pg
spec:
  distribution:
    name: starter
  providers:
    inference:
      - provider: vllm
        endpoint: http://vllm-service.vllm.svc.cluster.local:8000/v1
        secretRefs:
          api_key:
            name: vllm-creds
            key: token
    vectorIo:
      - provider: pgvector
        secretRefs:
          host:
            name: pg-credentials
            key: host
        settings:
          port: 5432
          db: llamastack
  resources:
    models:
      - name: llama3.2-8b
  storage:
    kv:
      type: redis
      endpoint: redis://redis-service.redis.svc.cluster.local:6379
    sql:
      type: postgres
      connectionString:
        name: pg-credentials
        key: dsn
  disabled:
    - safety
  workload:
    replicas: 2

Review Guide

This is a large PR (86 files, ~18k lines). The sections below group changes by area matching the commit structure. Each section is self-contained and can be reviewed independently.

1. v1alpha2 CRD Schema & Conversion (commit: e7cc5c2)

File	What to review
api/v1alpha2/llamastackdistribution_types.go	New spec/status types. Key design: typed []ProviderConfig slices with CEL validation for provider ID uniqueness. OverrideConfig is mutually exclusive with providers/resources/storage/disabled.
api/v1alpha2/zz_generated.deepcopy.go	Auto-generated
api/v1alpha1/llamastackdistribution_conversion.go	Bidirectional v1alpha1 ↔ v1alpha2 conversion. Uses JSON blob annotations (annV1Alpha1Extras, annV1Alpha2Extras) for lossless round-trips in both directions.
api/v1alpha1/llamastackdistribution_conversion_test.go	Round-trip tests: providers, resources, storage, disabled, TLS, expose hostname, status fields
config/crd/bases/llamastack.io_llamastackdistributions.yaml	Generated CRD YAML with OpenAPI and CEL rules

2. Validating Webhook (commit: a45c9f6)

File	What to review
api/v1alpha2/llamastackdistribution_webhook.go	Validating webhook: provider ID uniqueness across all API types, distribution name validation, model provider reference checks
api/v1alpha2/llamastackdistribution_webhook_test.go	Unit tests: cross-slice collision detection, deriveProviderID behavior, unknown distribution rejection, edge cases
config/webhook/*	Webhook service, manifests, kustomize config
config/certmanager/*	Certificate and issuer for vanilla Kubernetes
config/crd/kustomization.yaml	Enabled webhook/cert-manager patches
config/default/kustomization.yaml	Enabled webhook and cert-manager components
config/default/manager_webhook_patch.yaml	Webhook port and TLS cert volume mount
main.go	Webhook registration

3. Config Generation Pipeline (commit: 3feb572)

File	What to review
pkg/config/config.go	Pipeline: resolve base config → expand providers → expand resources → apply storage → apply disabled APIs → clean registered_resources → override port → render YAML. Key: deep-copy safety, deterministic output
pkg/config/provider.go	Provider expansion: remote:: prefix, endpoint → base_url, sorted secret ref iteration, settings merge with override protection
pkg/config/resource.go	Model/tool/shield expansion with default provider resolution and provider existence validation
pkg/config/storage.go	KV (sqlite/redis) and SQL (sqlite/postgres) with secret env var mapping
pkg/config/secret_resolver.go	Resolves secretRefs maps to env vars (LLSD_<PROVIDER_ID>_<KEY>) and ${env.VAR_NAME} substitutions
pkg/config/resolver.go	Base config resolver: resolves embedded configs by distribution name
pkg/config/version.go	Config version detection (supports versions 1-2)
pkg/config/types.go	Shared types: BaseConfig, ProviderEntry, GeneratedConfig
pkg/config/config_test.go	Unit tests: determinism, provider/resource expansion, storage, secret resolution, disabled API cleanup, deep-copy safety
pkg/config/configs/*/config.yaml	Embedded base configs for starter, starter-gpu, postgres-demo distributions
distributions.json	Distribution metadata

4. Controller Integration (commit: bf90527)

File	What to review
controllers/v1alpha2_config.go	v1alpha2 config handling: determines config source (override / generated / default), creates immutable ConfigMaps with content-hash naming, validates secret/ConfigMap refs, injects secret-backed env vars into pod spec, cleans up old ConfigMaps
controllers/llamastackdistribution_controller.go	Integration: calls handleV1Alpha2NativeConfig before standard reconcile. Dual status update path for v1alpha2 CRs
controllers/kubebuilder_rbac.go	RBAC markers: added secrets (get/list/watch) and configmaps (delete)
controllers/resource_helper.go	Deprecated startupScript. Sets RUN_CONFIG_PATH env var; image's built-in entrypoint.sh handles startup
controllers/resource_helper_test.go	Updated assertions: RUN_CONFIG_PATH instead of command/args overrides
controllers/suite_test.go	Envtest setup with webhook server
controllers/testing_support_test.go	Test constants and helpers
controllers/llamastackdistribution_controller_test.go	Envtest integration tests: config generation, ConfigMap creation, secret env var injection, status updates
config/rbac/role.yaml	Generated ClusterRole with secrets and configmaps-delete permissions

5. OpenShift Webhook Overlay (commit: e3f405b)

File	What to review
config/openshift/kustomization.yaml	OpenShift overlay: replaces cert-manager with service-serving certificates
config/openshift/crd_ca_patch.yaml	CRD CA injection annotation
config/openshift/manager_webhook_patch.yaml	Manager cert volume mount
config/openshift/webhook_ca_patch.yaml	Webhook CA injection annotation

6. E2E Tests (commit: c6d24e8)

File	What to review
tests/e2e/creation_v1alpha2_test.go	v1alpha2 CR creation, ConfigMap generation, Ready phase, secret env var injection into Deployment
tests/e2e/conversion_test.go	Cross-version read (v1alpha1 as v1alpha2 and vice versa)
tests/e2e/webhook_validation_test.go	Webhook rejects: missing distribution, duplicate provider IDs, invalid provider references
tests/e2e/validation_test.go	CRD structure, webhook service/TLS, operator readiness
tests/e2e/creation_test.go	Updated v1alpha1 creation tests
tests/e2e/e2e_test.go	Test suite registration
tests/e2e/test_utils.go	Test helpers
.github/workflows/run-e2e-test.yml	CI workflow updates for v1alpha2 targets

7. Documentation & Samples (commit: 3b6972b)

File	What to review
docs/migration-v1alpha1-to-v1alpha2.md	Migration guide: field mapping tables, before/after examples, step-by-step migration
docs/api-overview.md	Full v1alpha2 API reference for both versions
README.md	Updated quick start with v1alpha2 examples using secretRefs and list syntax
config/samples/v1alpha1/*	Existing samples moved into versioned subdirectory
config/samples/v1alpha2/*	New v1alpha2 samples: basic, HA, vLLM+Postgres, networking
specs/002-operator-generated-config/*	Updated spec contracts and data model

8. Build Tooling & Release (commit: b5a2df7)

File	What to review
Makefile	Build target updates for v1alpha2
.gitignore	Ignore patterns for generated artifacts
go.mod / go.sum	Dependency updates
release/operator.yaml	Regenerated release manifest with all v1alpha2 resources

[VaishnaviHire]

@Mergifyio rebase

[mergify]

rebase

✅ Branch has been successfully rebased

[mfleader]

Missing test coverage for FR-097 (preserve running Deployment on config generation failure).

[mfleader]

Where is this covered? I don't see a test that creates a Deployment first, then fails config generation, then checks the Deployment is unchanged.

[eoinfennessy]

Final few comments on the API.

[eoinfennessy]

Just a thought. Should we remove the ApiKey field if it is possible for users to supply API_KEY here?

[VaishnaviHire]

This one was a shorthand just for user convenience , since api key is one of the most common secret. I can remove this

[eoinfennessy]

Is it also possible to add a CEL check to ensure each ID is unique when multiple providers are specified?

[eoinfennessy]

Never mind. I see this is handled in webhook validation.

[eoinfennessy]

I'm unsure why this is a pointer. Are we differentiating the behaviour of false and nil? Should this just be a bool?

The specs seem to suggest that the presence of a non-nil expose object enables ingress. Maybe the Enabled field is actually unnecessary?

• expose omitted → Expose is nil → no Ingress
• expose: {} → Expose is non-nil → create Ingress (with defaults)
• expose: {hostname: "foo.example.com"} → create Ingress with that hostname

[eoinfennessy]

Should we follow a similar pattern to what I described above for ExposeConfig? I.e. remove Enabled from this struct and make SecretName strictly required?

The presence or absence of tls will indicate whether or not it is enabled.

[VaishnaviHire]

We don't need the SecretName here. I will remove it from spec. The only required files is ca-bundle configmap

[eoinfennessy]

I think it's no harm keeping SecretName here if it is our intent to serve LLS with TLS. It seems from the specs that this is the case.

Thinking more about this, TLSSpec is effectively configuring both incoming (SecretName) and outgoing (CABundle) TLS config. For that reason the Enabled boolean is overloaded here. I think we should rework this. How about the following? (@rhuss, hi, would appreciate your thoughts too if you have time)

# Before (conflates server and client; `enabled` is overloaded)
networking:
  tls:
    enabled: true
    secretName: llama-tls
    caBundle:
      configMapName: custom-ca

# After (separates server and client. Removes redundant `enabled`)
# If a CA bundle is provided, client-side TLS is enabled
# If TLS config is provided, server-side TLS is enabled
networking:
  tls:
    secretName: llama-tls
  caBundle:
    configMapName: custom-ca

[VaishnaviHire]

I think regarding SecretName, I can open a follow-up PR , since it will need additional verification for downstream. Keep the configmap to continue to support v1alpha1 features.

[eoinfennessy]

I had a good conversation with Claude about this and came up with the suggestion below:

Suggestion: Separate server TLS from CA trust configuration

The current TLSSpec conflates two distinct concerns:

1. Server TLS (serving) — the cert/key the LlamaStack server presents to incoming clients
2. CA trust (outbound) — custom CA certificates the server trusts when connecting to external services (provider endpoints, etc.)

These have different lifecycles, different audiences, and different security implications. As-is, adding a serving certificate secret to this struct would mix both under a single tls field in NetworkingSpec, making the API harder to reason about as it grows.

Proposed change:

1. Move caBundle to the top level of LlamaStackDistributionSpec. CA trust is a cross-cutting runtime concern (not a networking topology one), and caBundle already follows the dominant Kubernetes naming convention used by core webhooks, APIService, CRD conversion webhooks, and cert-manager.
2. Replace TLSSpec with a server TLS struct inside NetworkingSpec that holds the serving certificate secret reference. This is where server-side TLS naturally belongs.

# Before
spec:
  networking:
    tls:
      caBundle:
        configMapName: my-ca-bundle

# After
spec:
  caBundle:
    configMapName: my-ca-bundle
  networking:
    tls:
      secretName: my-serving-cert

This gives us clear semantics (each field does one thing), independent lifecycle (CA trust without server TLS and vice versa), and aligns with how the broader Kubernetes ecosystem models these concepts (e.g., OpenShift separates trustedCA from route TLS termination; Istio separates caCertificates from server gateway TLS).

[eoinfennessy]

Review of config gen pipeline. There are some critical issues that need to be addressed.

[eoinfennessy]

It's possible that values from the settings map can override the endpoint, secret refs, and the API key.

Should we skip adding items that are already in cfg? And log a warning?

[eoinfennessy]

Or maybe add settings to the cfg map first and then add fields like base_url secret_refs and api_key?

We need to be careful that secret_refs can't override api_key too (which it can currently).

[eoinfennessy]

The order of iteration is non-deterministic. This could potentially cause unnecessary Deployment updates.

We should sort the keys before iterating.

[eoinfennessy]

The order of iteration is non-deterministic. This could potentially cause unnecessary Deployment updates.

We should sort the keys before iterating.

[eoinfennessy]

This is all effectively dead code because the disabled enum already specifies snake-case values.

[eoinfennessy]

This function mutates the provided config, which is unconventional and unexpected for a render function.

Consider having buildOrderedConfig write to out["registered_resources"] instead of config.Extra["registered_resources"].

[eoinfennessy]

This field is effectively unused because we never use it in buildOrderedConfig.

We should delete it to avoid confusion.

[eoinfennessy]

This check is not needed. It is always true

[eoinfennessy]

We have no validation that the model's provider ID actually exists.

The model can be registered with a non-existent provider and no error is returned. The llama-stack server would fail at startup with a confusing error about an unknown provider.

We should consider adding validation for this at the admission layer if not too complex. Otherwise, we can validate here and return an error so the CR's status can reflect the issue to users.

[eoinfennessy]

Review of webhooks:

We need to comprehensively test all validation logic (webhook and CEL). Currently we don't do any testing of validation logic.

There are some problems with data loss and stale data in the conversion logic. I added a suggestion to fix this.

[VaishnaviHire]

@eoinfennessy I have addressed the comments and updated the commits. Please take a look.

[eoinfennessy]

@VaishnaviHire, thanks for addressing the comments. In future review cycles on this PR, please avoid squashing and force-pushing. Instead, please add new commits for each change. This makes it easier for me to review the changes that have been made between PR reviews, which is especially tricky in such a large PR.

[mergify]

This pull request has merge conflicts that must be resolved before it can be merged. @VaishnaviHire please rebase it. https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

[eoinfennessy]

I re-reviewed after the previous suggestions. Thanks for addressing these. Couple of things left from these reviews:

1. CEL validation tests: Let's add envtest tests to ensure all of our complex CEL validation is actually working.
2. Split TLSSpec for server and client: see my latest comment in the thread above discussing this
3. Small bug remaining in resource.go (see below)

[eoinfennessy]

The check mc.Provider != "" means: "only validate if the user explicitly set a provider." But this creates a blind spot — if the user omits the provider and the default is used, no existence check happens at all. The default provider could be stale or wrong, and the error would only surface at LlamaStack server startup with a confusing message about an unknown provider.

The fix is simply:

if !providerExists(provider, userProviders, base) {

This validates the provider regardless of whether it came from the user or from the default, which is what you'd want — if we resolved a provider name, we should verify it exists.

[eoinfennessy]

Review focussing on /controller. Mostly minor suggestions, but a couple of major things related to surfacing errors and status.

[eoinfennessy]

FR-097 states:

If config generation or validation fails during a CR update, the operator MUST preserve the current running Deployment (image, ConfigMap, env vars) unchanged and set status condition ConfigGenerated=False with the failure reason. The running instance MUST NOT be disrupted.

Two gaps:

1. ConfigGenerated=False is never set. When handleV1Alpha2NativeConfig fails, v1a2Result is nil, so finalizeReconciliation takes the else branch and calls updateStatus — which only writes v1alpha1 status fields. SetV1Alpha2Condition is only called inside persistV1Alpha2Status, which is only reached on success. The constant ReasonConfigGenFailed is declared but unused. The failure is logged to operator stdout but never surfaces in .status.conditions.

2. No structural guarantee the Deployment is preserved. handleV1Alpha2NativeConfig mutates v1Instance in-place (setting UserConfig and appending env vars) after all fallible operations, then reconcileResources uses the same pointer to reconcile the Deployment. Today the mutation ordering is safe — mutations happen last, after all fallible steps. But this is an implicit invariant: if a fallible step is later added after the UserConfig assignment, reconcileResources would reconcile against a half-modified spec, potentially pointing the Deployment at a ConfigMap that doesn't exist.

Suggested approach: On handleV1Alpha2NativeConfig error, skip reconcileResources, persist ConfigGenerated=False with the failure reason, and return the error to requeue. This satisfies both halves of FR-097: the Deployment is untouched and the failure is visible in status.

[eoinfennessy]

There's also no test asserting that .status.conditions contains ConfigGenerated=False after a failed config generation.

[eoinfennessy]

This is unused

[eoinfennessy]

We should return the status update error to match v1alpha1 behaviour in the else block, and ensure the status is eventually consistent.

[eoinfennessy]

We should remove the stale updateStatus comment above this line

[eoinfennessy]

We could maybe consider aggregating errors here to provide a better UX.

[eoinfennessy]

We could aggregate errors here too.

[eoinfennessy]

There's no ObservedGeneration set on the condition. Without it, a client can't distinguish whether a ConfigGenerated=True condition was set for the current spec generation or a previous one. Consider setting condition.ObservedGeneration = instance.Generation to match the convention used by most Kubernetes controllers.

[eoinfennessy]

This is repeated 6 times. Consider writing a helper:

func setupV1Alpha2Env(t *testing.T, prefix string) (ns *corev1.Namespace, opNs *corev1.Namespace)

[eoinfennessy]

This is repeated 5 times. Consider a helper:

func newV1Alpha2Reconciler(t *testing.T, opNamespace string) *controllers.LlamaStackDistributionReconciler

[eoinfennessy]

The agents API has been renamed to responses: llamastack/llama-stack#5195

We probably need to update this in all embedded configs

[VaishnaviHire]

@eoinfennessy I have addressed the comments. Additionally I added deploy time feature flag for v1alpha2 - an overlay v1alpha1-only that deploys only the v1alpha1 CRD.