feat: add additional host configuration options for images, policy

Add additional host options for the policy service, allowing insecure
registries and pulling the latest tag of an OCI ref.

Signed-off-by: Dan Norris <protochron@users.noreply.github.com>

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "wasmcloud-operator"
-version = "0.2.0"
+version = "0.2.1"
 edition = "2021"
 
 [[bin]]

crates/types/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "wasmcloud-operator-types"
-version = "0.1.2"
+version = "0.1.3"
 edition = "2021"
 
 [dependencies]

crates/types/src/v1alpha1/wasmcloud_host_config.rs

@@ -54,14 +54,30 @@ pub struct WasmCloudHostConfigSpec {
     /// The Jetstream domain to use for the NATS sidecar. Defaults to "default".
     #[serde(default = "default_jetstream_domain")]
     pub jetstream_domain: String,
+    /// Allow the host to deploy using the latest tag on OCI components or providers
+    #[serde(default)]
+    pub allow_latest: bool,
+    /// Allow the host to pull artifacts from OCI registries insecurely
+    #[serde(default)]
+    pub allowed_insecure: Option<Vec<String>>,
     /// The log level to use for the host. Defaults to "INFO".
     #[serde(default = "default_log_level")]
     pub log_level: String,
+    pub policy_service: Option<PolicyService>,
     /// Kubernetes scheduling options for the wasmCloud host.
     pub scheduling_options: Option<KubernetesSchedulingOptions>,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct PolicyService {
+    pub subject: Option<String>,
+    pub timeout_ms: Option<u32>,
+    pub changes_subject: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
 pub struct KubernetesSchedulingOptions {
     /// Run hosts as a DaemonSet instead of a Deployment.
     #[serde(default)]

sample.yaml

@@ -4,7 +4,7 @@ metadata:
   name: my-wasmcloud-cluster
   namespace: default
 spec:
-  hostReplicas: 2
+  hostReplicas: 1
   issuers:
     - CDKF6OKPOBQKAX57UOXO7SCHURTOZWKWIVPC2HFJTGFXY5VJX44ECEHH
   # The lattice to connect the hosts to
@@ -18,23 +18,39 @@ spec:
   secretName: cluster-secrets
   logLevel: INFO
   natsAddress: nats://nats-cluster.default.svc.cluster.local
+  ################################################
+  # Additional options that can be set for hosts:
+  ################################################
+  # allowLatest: true
+  # allowedInsecure:
+  #   - "localhost:5001"
+  #   - "kind-registry:5000"
+  # Policy service configuration
+  # policyService:
+  #   subject: "foo"
+  #   changesSubject: "bar"
+  #   timeoutMs: 5000
   # Additional options to control how the underlying wasmCloud hosts are scheduled in Kubernetes.
   # This includes setting resource requirements for the nats and wasmCloud host
   # containers along with any additional pot template settings.
-  #schedulingOptions:
+  # schedulingOptions:
   # Enable the following to run the wasmCloud hosts as a DaemonSet
-  #daemonset: true
+  # daemonset: true
   # Set the resource requirements for the nats and wasmCloud host containers.
-  #resources:
-  #  nats:
-  #    requests:
-  #      cpu: 100m
-  # wasmCloudHost:
-  #    requests:
-  #      cpu: 100m
+  # resources:
+  #   nats:
+  #     requests:
+  #       cpu: 100m
+  #  wasmCloudHost:
+  #     requests:
+  #       cpu: 100m
   # Any additional pod template settings to apply to the wasmCloud host pods.
   # See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podspec-v1-core for all valid options.
   # Note that you *cannot* set the `containers` field here as it is managed by the controller.
-  #pod_template_additions:
+  # podTemplateAdditions:
+  #   spec:
+  #     env:
+  #       - name: HOST_IP
+  #         value: spec.hostIP
   #  nodeSelector:
   #    kubernetes.io/os: linux

src/controller.rs

@@ -342,6 +342,48 @@ fn pod_template(config: &WasmCloudHostConfig, _ctx: Arc<Context>) -> PodTemplate
         });
     }
 
+    if config.spec.allow_latest {
+        wasmcloud_env.push(EnvVar {
+            name: "WASMCLOUD_OCI_ALLOW_LATEST".to_string(),
+            value: Some("true".to_string()),
+            ..Default::default()
+        });
+    }
+
+    if let Some(values) = &config.spec.allowed_insecure {
+        wasmcloud_env.push(EnvVar {
+            name: "WASMCLOUD_OCI_ALLOWED_INSECURE".to_string(),
+            value: Some(values.join(",")),
+            ..Default::default()
+        });
+    }
+
+    if let Some(policy) = &config.spec.policy_service {
+        if let Some(subject) = &policy.subject {
+            wasmcloud_env.push(EnvVar {
+                name: "WASMCLOUD_POLICY_TOPIC".to_string(),
+                value: Some(subject.clone()),
+                ..Default::default()
+            });
+        }
+
+        if let Some(changes) = &policy.changes_subject {
+            wasmcloud_env.push(EnvVar {
+                name: "WASMCLOUD_POLICY_CHANGES_TOPIC".to_string(),
+                value: Some(changes.clone()),
+                ..Default::default()
+            });
+        }
+
+        if let Some(timeout) = &policy.timeout_ms {
+            wasmcloud_env.push(EnvVar {
+                name: "WASMCLOUD_POLICY_TIMEOUT".to_string(),
+                value: Some(timeout.to_string()),
+                ..Default::default()
+            });
+        }
+    }
+
     if let Some(labels) = &config.spec.host_labels {
         for (k, v) in labels.iter() {
             wasmcloud_env.push(EnvVar {