datum-cloud · zachsmith1 · Jan 22, 2026 · Jan 19, 2026 · Jan 22, 2026 · Jan 22, 2026
diff --git a/api/v1alpha1/connector_types.go b/api/v1alpha1/connector_types.go
@@ -3,6 +3,7 @@
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -33,7 +34,9 @@ type ConnectorCapability struct {
 
 // ConnectorSpec defines the desired state of Connector.
 type ConnectorSpec struct {
-	ConnectorClassName string `json:"connectorClassName,omitempty"`
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	ConnectorClassName string `json:"connectorClassName"`
 
 	// Capabilities desired to be supported by the connector.
 	//
@@ -136,8 +139,34 @@ type ConnectorStatus struct {
 	//
 	// +kubebuilder:validation:Optional
 	ConnectionDetails *ConnectorConnectionDetails `json:"connectionDetails,omitempty"`
+
+	// LeaseRef references the Lease used to report connector liveness.
+	//
+	// The connector controller creates the Lease when a Connector is created
+	// and records it here. Connector implementations (agents) are expected to
+	// periodically renew the Lease to indicate liveness.
+	//
+	// +kubebuilder:validation:Optional
+	LeaseRef *corev1.LocalObjectReference `json:"leaseRef,omitempty"`
 }
 
+const (
+	// ConnectorConditionAccepted indicates whether the ConnectorClass is resolved.
+	ConnectorConditionAccepted = "Accepted"
+	// ConnectorConditionReady indicates whether the Connector is ready to tunnel traffic.
+	ConnectorConditionReady = "Ready"
+	// ConnectorReasonAccepted indicates the Connector is accepted by the controller.
+	ConnectorReasonAccepted = "Accepted"
+	// ConnectorReasonReady indicates the Connector is ready to tunnel traffic.
+	ConnectorReasonReady = "ConnectorReady"
+	// ConnectorReasonNotReady indicates the Connector is not ready to tunnel traffic.
+	ConnectorReasonNotReady = "ConnectorNotReady"
+	// ConnectorReasonPending indicates the Connector has not been processed yet.
+	ConnectorReasonPending = "Pending"
+	// ConnectorReasonConnectorClassNotFound indicates the referenced class is missing.
+	ConnectorReasonConnectorClassNotFound = "ConnectorClassNotFound"
+)
+
 const ConnectorNameAnnotation = "networking.datum.org/connector-name"
 
 // +kubebuilder:object:root=true
@@ -154,6 +183,8 @@ type Connector struct {
 	Spec ConnectorSpec `json:"spec,omitempty"`
 
 	// Status defines the observed state of a Connector
+	//
+	// +kubebuilder:default={conditions: {{type: "Accepted", status: "Unknown", reason:"Pending", message:"Waiting for controller", lastTransitionTime: "1970-01-01T00:00:00Z"}}}
 	Status ConnectorStatus `json:"status,omitempty"`
 }
 

diff --git a/api/v1alpha1/connectoradvertisement_types.go b/api/v1alpha1/connectoradvertisement_types.go
@@ -84,7 +84,7 @@ type ConnectorAdvertisementSpec struct {
 	// ConnectorRef references the Connector being advertised.
 	//
 	// +kubebuilder:validation:Required
-	ConnectorRef *LocalConnectorReference `json:"connectorRef"`
+	ConnectorRef LocalConnectorReference `json:"connectorRef"`
 
 	// Layer 4 services being advertised.
 	//
@@ -97,10 +97,32 @@ type ConnectorAdvertisementSpec struct {
 
 // ConnectorAdvertisementStatus defines the observed state of ConnectorAdvertisement.
 type ConnectorAdvertisementStatus struct {
+	// Conditions describe the current conditions of the ConnectorAdvertisement.
+	//
+	// Known conditions:
+	// - Accepted: indicates whether the referenced Connector has been resolved.
+	//   When Accepted is False, the reason will explain why the reference
+	//   could not be resolved (for example, ConnectorNotFound).
+	//
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
+const (
+	// ConnectorAdvertisementConditionAccepted indicates the connector reference is resolved.
+	ConnectorAdvertisementConditionAccepted = "Accepted"
+	// ConnectorAdvertisementReasonAccepted indicates the advertisement is accepted.
+	ConnectorAdvertisementReasonAccepted = "Accepted"
+	// ConnectorAdvertisementReasonPending indicates the advertisement has not been processed yet.
+	ConnectorAdvertisementReasonPending = "Pending"
+	// ConnectorAdvertisementReasonConnectorNotFound indicates the referenced connector is missing.
+	ConnectorAdvertisementReasonConnectorNotFound = "ConnectorNotFound"
+)
+
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
+// +kubebuilder:selectablefield:JSONPath=".spec.connectorRef.name"
 
 // ConnectorAdvertisement is the Schema for the connectoradvertisements API.
 type ConnectorAdvertisement struct {
@@ -113,6 +135,8 @@ type ConnectorAdvertisement struct {
 	Spec ConnectorAdvertisementSpec `json:"spec,omitempty"`
 
 	// Status defines the observed state of a ConnectorAdvertisement
+	//
+	// +kubebuilder:default={conditions: {{type: "Accepted", status: "Unknown", reason:"Pending", message:"Waiting for controller", lastTransitionTime: "1970-01-01T00:00:00Z"}}}
 	Status ConnectorAdvertisementStatus `json:"status,omitempty"`
 }
 

diff --git a/api/v1alpha1/connectorclass_types.go b/api/v1alpha1/connectorclass_types.go
@@ -8,6 +8,13 @@ import (
 
 // ConnectorClassSpec defines the desired state of ConnectorClass.
 type ConnectorClassSpec struct {
+	// ControllerName is the name of the controller responsible for this ConnectorClass.
+	//
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:default=networking.datumapis.com/datum-connect
+	ControllerName string `json:"controllerName"`
 }
 
 // ConnectorClassStatus defines the observed state of ConnectorClass.

diff --git a/api/v1alpha1/object_reference_types.go b/api/v1alpha1/object_reference_types.go
@@ -4,5 +4,7 @@ type LocalConnectorReference struct {
 	// Name of the referenced Connector.
 	//
 	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
 	Name string `json:"name"`
 }
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/cmd/main.go b/cmd/main.go
@@ -280,6 +280,17 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := (&controller.ConnectorReconciler{
+		Config: serverConfig,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Connector")
+		os.Exit(1)
+	}
+	if err := (&controller.ConnectorAdvertisementReconciler{}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "ConnectorAdvertisement")
+		os.Exit(1)
+	}
+
 	if err := controller.AddIndexers(ctx, mgr); err != nil {
 		setupLog.Error(err, "unable to add indexers")
 		os.Exit(1)

diff --git a/config/crd/bases/networking.datumapis.com_connectoradvertisements.yaml b/config/crd/bases/networking.datumapis.com_connectoradvertisements.yaml
@@ -45,6 +45,8 @@ spec:
                 properties:
                   name:
                     description: Name of the referenced Connector.
+                    maxLength: 253
+                    minLength: 1
                     type: string
                 required:
                 - name
@@ -123,11 +125,87 @@ spec:
             - connectorRef
             type: object
           status:
+            default:
+              conditions:
+              - lastTransitionTime: "1970-01-01T00:00:00Z"
+                message: Waiting for controller
+                reason: Pending
+                status: Unknown
+                type: Accepted
             description: Status defines the observed state of a ConnectorAdvertisement
+            properties:
+              conditions:
+                description: |-
+                  Conditions describe the current conditions of the ConnectorAdvertisement.
+
+                  Known conditions:
+                  - Accepted: indicates whether the referenced Connector has been resolved.
+                    When Accepted is False, the reason will explain why the reference
+                    could not be resolved (for example, ConnectorNotFound).
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
             type: object
         required:
         - spec
         type: object
+    selectableFields:
+    - jsonPath: .spec.connectorRef.name
     served: true
     storage: true
     subresources:

diff --git a/config/crd/bases/networking.datumapis.com_connectorclasses.yaml b/config/crd/bases/networking.datumapis.com_connectorclasses.yaml
@@ -38,6 +38,16 @@ spec:
             type: object
           spec:
             description: Spec defines the desired state of a ConnectorClass
+            properties:
+              controllerName:
+                default: networking.datumapis.com/datum-connect
+                description: ControllerName is the name of the controller responsible
+                  for this ConnectorClass.
+                maxLength: 253
+                minLength: 1
+                type: string
+            required:
+            - controllerName
             type: object
           status:
             description: Status defines the observed state of a ConnectorClass

diff --git a/config/crd/bases/networking.datumapis.com_connectors.yaml b/config/crd/bases/networking.datumapis.com_connectors.yaml
@@ -68,9 +68,19 @@ spec:
                 - type
                 x-kubernetes-list-type: map
               connectorClassName:
+                minLength: 1
                 type: string
+            required:
+            - connectorClassName
             type: object
           status:
+            default:
+              conditions:
+              - lastTransitionTime: "1970-01-01T00:00:00Z"
+                message: Waiting for controller
+                reason: Pending
+                status: Unknown
+                type: Accepted
             description: Status defines the observed state of a Connector
             properties:
               capabilities:
@@ -265,6 +275,25 @@ spec:
                   rule: '!(self.type != ''PublicKey'' && has(self.publicKey))'
                 - message: publicKey field must be specified if the type is PublicKey
                   rule: self.type == 'PublicKey' && has(self.publicKey)
+              leaseRef:
+                description: |-
+                  LeaseRef references the Lease used to report connector liveness.
+
+                  The connector controller creates the Lease when a Connector is created
+                  and records it here. Connector implementations (agents) are expected to
+                  periodically renew the Lease to indicate liveness.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
             type: object
         required:
         - spec

diff --git a/config/iam/protected-resources/kustomization.yaml b/config/iam/protected-resources/kustomization.yaml
@@ -22,6 +22,10 @@ resources:
   - backends.yaml
   - backendtrafficpolicies.yaml
   - backendtlspolicies.yaml
+  - connectoradvertisements.yaml
+  - connectorclasses.yaml
+  - connectors.yaml
   - httproutefilters.yaml
+  - leases.yaml
   - securitypolicies.yaml
   - trafficprotectionpolicies.yaml
diff --git a/config/iam/protected-resources/leases.yaml b/config/iam/protected-resources/leases.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: coordination.k8s.io-lease
+spec:
+  serviceRef:
+    name: "coordination.k8s.io"
+  kind: Lease
+  plural: leases
+  singular: lease
+  permissions:
+    - get
+    - update
+    - patch
+  parentResources:
+    - apiGroup: resourcemanager.miloapis.com
+      kind: Project