feat: auto enable registry addon in workload clusters (#1175)

**What problem does this PR solve?**:
This adds a new feature gate `AutoEnableWorkloadClusterRegistry=true`
that will automatically enable the registry addon on workload cluster
creation when it is enabled on the management cluster.

**Which issue(s) this PR fixes**:
Fixes #

**How Has This Been Tested?**:
<!--
Please describe the tests that you ran to verify your changes.
Provide output from the tests and any manual steps needed to replicate
the tests.
-->

**Special notes for your reviewer**:
<!--
Use this to provide any additional information to the reviewers.
This may include:
- Best way to review the PR.
- Where the author wants the most review attention on.
- etc.
-->

Author: dkoshkin

api/v1alpha1/constants.go

@@ -39,5 +39,6 @@ const (
 	// DNSVariableName is the DNS external patch variable name.
 	DNSVariableName = "dns"
 
-	ClusterUUIDAnnotationKey = APIGroup + "/cluster-uuid"
+	ClusterUUIDAnnotationKey                = APIGroup + "/cluster-uuid"
+	SkipAutoEnablingWorkloadClusterRegistry = APIGroup + "/skip-auto-enabling-workload-cluster-registry"
 )

api/variables/json.go

@@ -78,3 +78,20 @@ func GetClusterVariableByName(
 	}
 	return nil
 }
+
+// UpdateClusterVariable updates the variable in the list of cluster variables.
+// If the variable does not exist, it appends it to the list.
+func UpdateClusterVariable(
+	variable *clusterv1.ClusterVariable,
+	clusterVariables []clusterv1.ClusterVariable,
+) []clusterv1.ClusterVariable {
+	name := variable.Name
+	for i := range clusterVariables {
+		if clusterVariables[i].Name == name {
+			clusterVariables[i] = *variable
+			return clusterVariables
+		}
+	}
+	clusterVariables = append(clusterVariables, *variable)
+	return clusterVariables
+}

charts/cluster-api-runtime-extensions-nutanix/templates/webhooks.yaml

@@ -8,6 +8,25 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: '{{ .Release.Namespace}}/{{ template "chart.name" . }}-admission-tls'
 webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: '{{ include "chart.name" . }}-admission'
+        namespace: '{{ .Release.Namespace }}'
+        path: /mutate-v1beta1-addons
+    failurePolicy: Fail
+    name: addons-defaulter.caren.nutanix.com
+    rules:
+      - apiGroups:
+          - cluster.x-k8s.io
+        apiVersions:
+          - '*'
+        operations:
+          - CREATE
+        resources:
+          - clusters
+    sideEffects: None
   - admissionReviewVersions:
       - v1
     clientConfig:

cmd/main.go

@@ -40,6 +40,7 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/lifecycle"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/nutanix"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/options"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/addons"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/cluster"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
 	preflightnutanix "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight/nutanix"
@@ -237,6 +238,10 @@ func main() {
 		Handler: cluster.NewValidator(mgr.GetClient(), admission.NewDecoder(mgr.GetScheme())),
 	})
 
+	mgr.GetWebhookServer().Register("/mutate-v1beta1-addons", &webhook.Admission{
+		Handler: addons.NewDefaulter(mgr.GetClient(), admission.NewDecoder(mgr.GetScheme())),
+	})
+
 	mgr.GetWebhookServer().Register("/preflight-v1beta1-cluster", &webhook.Admission{
 		Handler: preflight.New(mgr.GetClient(), admission.NewDecoder(mgr.GetScheme()),
 			[]preflight.Checker{

docs/content/addons/registry.md

@@ -31,6 +31,22 @@ spec:
             registry: {}
 ```
 
+## Registry in the workload cluster
+
+When the registry is enabled in the management cluster, it can also be automatically enabled in the workload cluster.
+To enable this behavior, set the following feature gate on the controller:
+
+```text
+  --feature-gates=AutoEnableWorkloadClusterRegistry=true
+```
+
+It is also possible to disable this behavior by setting the following annotation on the Cluster resource:
+
+```yaml
+annotations:
+   caren.nutanix.com/skip-auto-enabling-workload-cluster-registry: "true"
+```
+
 ## Registry Certificate
 
 1. A root CA Certificate is deployed in the provider's namespace.

pkg/feature/feature.go

@@ -7,9 +7,13 @@ import (
 	"k8s.io/component-base/featuregate"
 )
 
+const AutoEnableWorkloadClusterRegistry featuregate.Feature = "AutoEnableWorkloadClusterRegistry"
+
 // defaultFeatureGates returns all known feature gates.
 // To add a new feature, define a key for it above and add it here. The features will be
 // available throughout the codebase.
 func defaultFeatureGates() map[featuregate.Feature]featuregate.FeatureSpec {
-	return map[featuregate.Feature]featuregate.FeatureSpec{}
+	return map[featuregate.Feature]featuregate.FeatureSpec{
+		AutoEnableWorkloadClusterRegistry: {Default: false, PreRelease: featuregate.Alpha},
+	}
 }

pkg/feature/gates.go

@@ -20,8 +20,8 @@ var (
 	//   featuregatetesting "k8s.io/component-base/featuregate/testing"
 	//   featuregatetesting.SetFeatureGateDuringTest(
 	//     t,
-	//     features.Gates,
-	//     features.<FeatureName>,
+	//     feature.Gates,
+	//     feature.<FeatureName>,
 	//     <value>,
 	//   )()
 	MutableGates featuregate.MutableFeatureGate = featuregate.NewFeatureGate()

pkg/webhook/addons/defaulter.go

@@ -0,0 +1,30 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package addons
+
+import (
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/feature"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/addons/registry"
+)
+
+func NewDefaulter(client ctrlclient.Client, decoder admission.Decoder) admission.Handler {
+	return admission.MultiMutatingHandler(
+		allHandlers(client, decoder)...,
+	)
+}
+
+// allHandlers returns a list of all defaulter handlers that should be registered,
+// including any feature-gated handlers.
+func allHandlers(
+	client ctrlclient.Client, decoder admission.Decoder,
+) []admission.Handler {
+	var handlers []admission.Handler
+	if feature.Gates.Enabled(feature.AutoEnableWorkloadClusterRegistry) {
+		handlers = append(handlers, registry.NewWorkloadClusterAutoEnabler(client, decoder).Defaulter())
+	}
+	return handlers
+}

pkg/webhook/addons/defaulter_test.go

@@ -0,0 +1,29 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package addons
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/feature"
+)
+
+// Test_allHandlers is a crude test to ensure handlers are only registered when the feature gate is enabled.
+func Test_allHandlers(t *testing.T) {
+	handlers := allHandlers(nil, nil)
+	assert.Empty(t, handlers)
+
+	// Enable the feature gates and test again.
+	featuregatetesting.SetFeatureGateDuringTest(
+		t,
+		feature.Gates,
+		feature.AutoEnableWorkloadClusterRegistry,
+		true,
+	)
+	handlers = allHandlers(nil, nil)
+	assert.Len(t, handlers, 1)
+}

pkg/webhook/addons/doc.go

@@ -0,0 +1,5 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +kubebuilder:webhook:path=/mutate-v1beta1-addons,mutating=true,failurePolicy=fail,groups="cluster.x-k8s.io",resources=clusters,verbs=create,versions=*,name=addons-defaulter.caren.nutanix.com,admissionReviewVersions=v1,sideEffects=None
+package addons