Add support for external references.

- Add ReadOnly flag to resource. True indicates an external resource we want to read (no create/update/delete)
- Reuse template  to describe the external resource (gvkn). Reason: we could templatize the name part of the external resource
- Use as much of existing resource reconcile flow as possible. Reason: we can optionally support ReadyWhen and IncludeWhen rules for the external resource

api/v1alpha1/types.go

@@ -88,8 +88,11 @@ type Validation struct {
 type Resource struct {
 	// +kubebuilder:validation:Required
 	ID string `json:"id,omitempty"`
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	Template runtime.RawExtension `json:"template,omitempty"`
+	// ReadOnly indicates an external resource we want to read and use in the Graph
+	// +kubebuilder:validation:Optional
+	ReadOnly bool `json:"readOnly,omitempty"`
 	// +kubebuilder:validation:Optional
 	ReadyWhen []string `json:"readyWhen,omitempty"`
 	// +kubebuilder:validation:Optional

config/crd/bases/kro.run_resourcegraphdefinitions.yaml

@@ -79,6 +79,10 @@ spec:
                       items:
                         type: string
                       type: array
+                    readOnly:
+                      description: ReadOnly indicates an external resource we want
+                        to read and use in the Graph
+                      type: boolean
                     readyWhen:
                       items:
                         type: string
@@ -88,7 +92,6 @@ spec:
                       x-kubernetes-preserve-unknown-fields: true
                   required:
                   - id
-                  - template
                   type: object
                 type: array
               schema:

helm/crds/kro.run_resourcegraphdefinitions.yaml

@@ -79,6 +79,10 @@ spec:
                       items:
                         type: string
                       type: array
+                    readOnly:
+                      description: ReadOnly indicates an external resource we want
+                        to read and use in the Graph
+                      type: boolean
                     readyWhen:
                       items:
                         type: string
@@ -88,7 +92,6 @@ spec:
                       x-kubernetes-preserve-unknown-fields: true
                   required:
                   - id
-                  - template
                   type: object
                 type: array
               schema:

pkg/controller/instance/controller_reconcile.go

@@ -196,6 +196,12 @@ func (igr *instanceGraphReconciler) handleResourceReconciliation(
 	}
 
 	resourceState.State = "SYNCED"
+
+	// For read-only resources, don't perform updates
+	if igr.runtime.ResourceDescriptor(resourceID).IsReadOnly() {
+		return nil
+	}
+
 	return igr.updateResource(ctx, rc, resource, observed, resourceID, resourceState)
 }
 
@@ -354,6 +360,12 @@ func (igr *instanceGraphReconciler) deleteResourcesInOrder(ctx context.Context)
 			continue
 		}
 
+		// Skip deletion for read-only resources
+		if igr.runtime.ResourceDescriptor(resourceID).IsReadOnly() {
+			igr.state.ResourceStates[resourceID].State = "DELETED"
+			continue
+		}
+
 		if err := igr.deleteResource(ctx, resourceID); err != nil {
 			return err
 		}

pkg/graph/builder.go

@@ -340,6 +340,7 @@ func (b *Builder) buildRGResource(rgResource *v1alpha1.Resource, namespacedResou
 		includeWhenExpressions: includeWhen,
 		namespaced:             isNamespaced,
 		order:                  order,
+		readOnly:               rgResource.ReadOnly,
 	}, nil
 }
 

pkg/graph/resource.go

@@ -73,6 +73,8 @@ type Resource struct {
 	// order reflects the original order in which the resources were specified,
 	// and lets us keep the client-specified ordering where the dependencies allow.
 	order int
+	// readOnly indicates if the resource should only be read and not created/updated
+	readOnly bool
 }
 
 // GetDependencies returns the dependencies of the resource.
@@ -164,6 +166,11 @@ func (r *Resource) IsNamespaced() bool {
 	return r.namespaced
 }
 
+// IsReadOnly returns whether the resource is read-only
+func (r *Resource) IsReadOnly() bool {
+	return r.readOnly
+}
+
 // DeepCopy returns a deep copy of the resource.
 func (r *Resource) DeepCopy() *Resource {
 	return &Resource{
@@ -177,5 +184,6 @@ func (r *Resource) DeepCopy() *Resource {
 		readyWhenExpressions:   slices.Clone(r.readyWhenExpressions),
 		includeWhenExpressions: slices.Clone(r.includeWhenExpressions),
 		namespaced:             r.namespaced,
+		readOnly:               r.readOnly,
 	}
 }

pkg/runtime/interfaces.go

@@ -116,6 +116,10 @@ type ResourceDescriptor interface {
 	// IsNamespaced returns true if the resource is namespaced, and false if it's
 	// cluster-scoped.
 	IsNamespaced() bool
+
+	// IsReadOnly returns true if the resource is marked as read only
+	// This is used for external references
+	IsReadOnly() bool
 }
 
 // Resource extends `ResourceDescriptor` to include the actual resource data.

pkg/runtime/runtime_test.go

@@ -2613,6 +2613,7 @@ type mockResource struct {
 	conditions       []string
 	topLevelFields   []string
 	namespaced       bool
+	readOnly         bool
 	obj              *unstructured.Unstructured
 }
 
@@ -2656,6 +2657,10 @@ func (m *mockResource) Unstructured() *unstructured.Unstructured {
 	return m.obj
 }
 
+func (m *mockResource) IsReadOnly() bool {
+	return m.readOnly
+}
+
 type mockResourceOption func(*mockResource)
 
 /* func withGVR(group, version, resource string) mockResourceOption {
@@ -2686,6 +2691,11 @@ func withReadyExpressions(exprs []string) mockResourceOption {
 	}
 }
 
+func withReadOnly(ro bool) mockResourceOption {
+	return func(m *mockResource) {
+		m.readOnly = ro
+	}
+}
 func withConditions(conditions []string) mockResourceOption {
 	return func(m *mockResource) {
 		m.conditions = conditions