koprs 0.9.4

A reusable, ergonomic library that streamlines Kubernetes operator development, allowing developers to build controllers with significantly less code.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910

//! Controller framework for building Kubernetes operators.
//!
//! Provides [`Reconciler`], [`Context`], and [`ControllerBuilder`] — the three
//! building blocks needed to run a reconciliation loop on top of `kube-runtime`.
//!
//! [`ControllerBuilder`] handles the operational skeleton every production
//! operator needs: graceful shutdown on SIGTERM/SIGINT, `/healthz`/`/readyz`
//! HTTP probes, leader election, and per-reconcile timeouts. Implement
//! [`Reconciler`] for your custom resource and call [`ControllerBuilder::run`]
//! — everything else is automatic.
//!
//! # Quick start
//!
//! ```no_run
//! use std::sync::Arc;
//! use koprs::controller::{Action, Context, ControllerBuilder, Reconciler};
//! use koprs::error::KubeGenericError;
//! use kube::Client;
//!
//! struct MyOperator;
//! type MyCR = k8s_openapi::api::core::v1::ConfigMap;
//!
//! impl Reconciler<MyCR> for MyOperator {
//!     type Error = KubeGenericError;
//!
//!     async fn reconcile(
//!         &self,
//!         _cr: Arc<MyCR>,
//!         _ctx: Arc<Context>,
//!     ) -> Result<Action, Self::Error> {
//!         Ok(Action::await_change())
//!     }
//! }
//!
//! # async fn example(client: Client) -> Result<(), koprs::error::KubeGenericError> {
//! let ctx = Context::new(client.clone());
//! let api = kube::Api::<MyCR>::namespaced(client, "my-namespace");
//! ControllerBuilder::new(api)
//!     .health_port(8080)
//!     .graceful_shutdown()
//!     .reconcile_timeout(std::time::Duration::from_secs(300))
//!     .run(MyOperator, ctx)
//!     .await?;
//! # Ok(())
//! # }
//! ```

use std::marker::PhantomData;
use std::sync::Arc;
use std::sync::atomic::{AtomicBool, Ordering};
use std::time::Duration;

use futures::StreamExt;
use k8s_openapi::api::coordination::v1::{Lease, LeaseSpec};
use k8s_openapi::apimachinery::pkg::apis::meta::v1::MicroTime;
use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta;
use kube::Client;
use tracing::{debug, error, info, warn};

use crate::error::{KubeGenericError, Result};
use crate::observability::{Metrics, serve_metrics};
use crate::traits::KubeResource;

// ---------------------------------------------------------------------------
// Re-exports — operators only need `use koprs::controller::*`
// ---------------------------------------------------------------------------

pub use kube_runtime::controller::Action;
pub use kube_runtime::reflector::ObjectRef;
pub use kube_runtime::watcher;

// ---------------------------------------------------------------------------
// Context
// ---------------------------------------------------------------------------

/// Shared context passed to every reconcile and error-policy call.
///
/// Holds the Kubernetes [`Client`] and any user-supplied data `T`.
/// Use [`Context::new`] when no extra state is needed, or
/// [`Context::with_data`] to attach your own configuration, metrics
/// handles, or other shared state.
///
/// The `T = ()` default means [`Context`] is a valid type alias for
/// simple operators that do not need extra data.
pub struct Context<T = ()> {
    /// The Kubernetes API client.
    pub client: Client,
    /// User-supplied data shared across all reconcile calls.
    pub data: T,
}

impl Context<()> {
    /// Create a context with a Kubernetes client and no extra data.
    pub fn new(client: Client) -> Arc<Self> {
        Arc::new(Self { client, data: () })
    }
}

impl<T> Context<T> {
    /// Create a context with a Kubernetes client and user-supplied data.
    pub fn with_data(client: Client, data: T) -> Arc<Self> {
        Arc::new(Self { client, data })
    }
}

// ---------------------------------------------------------------------------
// Reconciler trait
// ---------------------------------------------------------------------------

/// Trait that operator authors implement to define reconciliation logic.
///
/// `CR` is the primary custom resource type being reconciled.
/// `T` is the shared context data type and defaults to `()`.
///
/// `error_policy` has a default implementation that requeues after 30 seconds.
/// Override it only if you need custom backoff or logging.
///
/// # Implementing
///
/// ```no_run
/// use std::sync::Arc;
/// use koprs::controller::{Action, Context, Reconciler};
/// use koprs::error::KubeGenericError;
///
/// struct MyOperator;
/// type MyCR = k8s_openapi::api::core::v1::ConfigMap;
///
/// impl Reconciler<MyCR> for MyOperator {
///     type Error = KubeGenericError;
///
///     async fn reconcile(
///         &self,
///         _cr: Arc<MyCR>,
///         _ctx: Arc<Context>,
///     ) -> Result<Action, Self::Error> {
///         Ok(Action::await_change())
///     }
///     // error_policy defaults to requeue(30s) — no need to implement it
/// }
/// ```
pub trait Reconciler<CR, T = ()>: Send + Sync + 'static
where
    CR: KubeResource,
    T: Send + Sync + 'static,
{
    /// The error type returned by [`reconcile`](Self::reconcile).
    type Error: std::error::Error + Send + Sync + 'static;

    /// Reconcile the given resource to its desired state.
    ///
    /// Called whenever the resource changes or a requeue fires. Return
    /// [`Action::await_change`] to wait for the next watch event or
    /// [`Action::requeue`] to retry after a fixed duration.
    ///
    /// The returned future must be `Send` because the controller runtime
    /// executes reconciles on a multi-threaded executor.
    fn reconcile(
        &self,
        cr: Arc<CR>,
        ctx: Arc<Context<T>>,
    ) -> impl std::future::Future<Output = std::result::Result<Action, Self::Error>> + Send;

    /// Decide how to handle a failed reconcile.
    ///
    /// Defaults to requeue after 30 seconds. Override to implement custom
    /// backoff strategies or to add per-error logging.
    fn error_policy(&self, _cr: Arc<CR>, _err: &Self::Error, _ctx: Arc<Context<T>>) -> Action {
        Action::requeue(Duration::from_secs(30))
    }
}

// ---------------------------------------------------------------------------
// Internal: health server
// ---------------------------------------------------------------------------

/// Serve HTTP/1.1 health probes on an already-bound listener.
///
/// `GET /healthz` — `200 OK` always (liveness).
/// `GET /readyz`  — `200 OK` once `ready` flips to `true`, else `503` (readiness).
pub(crate) async fn serve_health(listener: tokio::net::TcpListener, ready: Arc<AtomicBool>) {
    use bytes::Bytes;
    use http_body_util::Full;
    use hyper::body::Incoming;
    use hyper::server::conn::http1;
    use hyper::service::service_fn;
    use hyper::{Request, Response, StatusCode};
    use hyper_util::rt::TokioIo;

    loop {
        let Ok((stream, _)) = listener.accept().await else {
            break;
        };
        let ready = ready.clone();
        tokio::spawn(async move {
            let io = TokioIo::new(stream);
            let svc = service_fn(move |req: Request<Incoming>| {
                let ready = ready.clone();
                async move {
                    let (status, body): (StatusCode, &'static str) =
                        if req.uri().path() == "/readyz" {
                            if ready.load(Ordering::Acquire) {
                                (StatusCode::OK, "ok")
                            } else {
                                (StatusCode::SERVICE_UNAVAILABLE, "not ready")
                            }
                        } else {
                            (StatusCode::OK, "ok")
                        };
                    Ok::<_, std::convert::Infallible>(
                        Response::builder()
                            .status(status)
                            .header("content-type", "text/plain")
                            .body(Full::new(Bytes::from_static(body.as_bytes())))
                            .unwrap(),
                    )
                }
            });
            let _ = http1::Builder::new().serve_connection(io, svc).await;
        });
    }
}

// ---------------------------------------------------------------------------
// Internal: graceful shutdown signal
// ---------------------------------------------------------------------------

/// Resolves on SIGTERM (Unix) or Ctrl+C (all platforms).
async fn shutdown_signal() {
    let ctrl_c = async {
        tokio::signal::ctrl_c()
            .await
            .expect("failed to install Ctrl+C handler");
    };
    #[cfg(unix)]
    {
        let mut sigterm = tokio::signal::unix::signal(tokio::signal::unix::SignalKind::terminate())
            .expect("failed to install SIGTERM handler");
        tokio::select! {
            _ = ctrl_c => {},
            _ = sigterm.recv() => {},
        }
    }
    #[cfg(not(unix))]
    ctrl_c.await;
}

// ---------------------------------------------------------------------------
// Internal: leader election
// ---------------------------------------------------------------------------

pub(crate) struct LeaderElectionConfig {
    pub(crate) namespace: String,
    pub(crate) name: String,
    pub(crate) identity: String,
    pub(crate) lease_duration_secs: i32,
    pub(crate) renew_period: Duration,
    pub(crate) retry_period: Duration,
}

/// Attempt to acquire or renew the Lease.
///
/// Returns `true` if this identity now holds the lease.
/// Returns `false` if another identity holds a non-expired lease.
/// Optimistic locking: passes `resourceVersion` to detect concurrent writers.
pub(crate) async fn try_acquire_or_renew(
    config: &LeaderElectionConfig,
    client: &Client,
) -> Result<bool> {
    let api: kube::Api<Lease> = kube::Api::namespaced(client.clone(), &config.namespace);
    let now = chrono::Utc::now();
    let now_micro = MicroTime(now);

    let existing = api
        .get(&config.name)
        .await
        .map(Some)
        .or_else(|e| match &e {
            kube::Error::Api(ae) if ae.code == 404 => Ok(None),
            _ => Err(KubeGenericError::Kube(e)),
        })?;

    match existing {
        None => {
            let lease = build_lease(
                &config.name,
                &config.namespace,
                &config.identity,
                config.lease_duration_secs,
                now_micro.clone(),
                now_micro,
                None,
                Some(0),
            );
            match api.create(&kube::api::PostParams::default(), &lease).await {
                Ok(_) => Ok(true),
                Err(kube::Error::Api(e)) if e.code == 409 => Ok(false),
                Err(e) => Err(KubeGenericError::Kube(e)),
            }
        }
        Some(existing) => {
            let spec = existing.spec.as_ref();
            let holder = spec.and_then(|s| s.holder_identity.as_deref());
            let renew_time = spec.and_then(|s| s.renew_time.as_ref()).map(|t| t.0);
            let duration_secs = spec
                .and_then(|s| s.lease_duration_seconds)
                .unwrap_or(config.lease_duration_secs);

            let is_expired = renew_time.map_or(true, |rt| {
                now > rt + chrono::Duration::seconds(duration_secs as i64)
            });

            if holder != Some(config.identity.as_str()) && !is_expired {
                return Ok(false);
            }

            let transitioning = holder != Some(config.identity.as_str());
            let acquire_time = if transitioning {
                now_micro.clone()
            } else {
                spec.and_then(|s| s.acquire_time.clone())
                    .unwrap_or_else(|| now_micro.clone())
            };
            let transitions = spec
                .and_then(|s| s.lease_transitions)
                .map(|t| if transitioning { t + 1 } else { t });

            let new_lease = build_lease(
                &config.name,
                &config.namespace,
                &config.identity,
                config.lease_duration_secs,
                acquire_time,
                now_micro,
                existing.metadata.resource_version.clone(),
                transitions,
            );

            match api
                .replace(&config.name, &kube::api::PostParams::default(), &new_lease)
                .await
            {
                Ok(_) => Ok(true),
                Err(kube::Error::Api(e)) if e.code == 409 => Ok(false),
                Err(e) => Err(KubeGenericError::Kube(e)),
            }
        }
    }
}

pub(crate) fn build_lease(
    name: &str,
    namespace: &str,
    identity: &str,
    lease_duration_secs: i32,
    acquire_time: MicroTime,
    renew_time: MicroTime,
    resource_version: Option<String>,
    lease_transitions: Option<i32>,
) -> Lease {
    Lease {
        metadata: ObjectMeta {
            name: Some(name.to_string()),
            namespace: Some(namespace.to_string()),
            resource_version,
            ..Default::default()
        },
        spec: Some(LeaseSpec {
            holder_identity: Some(identity.to_string()),
            lease_duration_seconds: Some(lease_duration_secs),
            acquire_time: Some(acquire_time),
            renew_time: Some(renew_time),
            lease_transitions,
            ..Default::default()
        }),
    }
}

/// Block until this identity successfully acquires the Lease.
async fn acquire_leader_lease(config: &LeaderElectionConfig, client: &Client) -> Result<()> {
    info!(
        identity = %config.identity,
        lease = %config.name,
        ns = %config.namespace,
        "Waiting to become leader"
    );
    loop {
        match try_acquire_or_renew(config, client).await {
            Ok(true) => {
                info!(identity = %config.identity, "Acquired leader lease");
                return Ok(());
            }
            Ok(false) => {
                debug!(identity = %config.identity, "Lease held by another, retrying");
                tokio::time::sleep(config.retry_period).await;
            }
            Err(e) => {
                warn!(error = %e, "Error acquiring leader lease, retrying");
                tokio::time::sleep(config.retry_period).await;
            }
        }
    }
}

/// Periodically renew the Lease; signals `stop_tx` when the lease is
/// definitively lost (taken by another replica or unrecoverable API errors).
async fn renew_leader_lease_loop(
    config: LeaderElectionConfig,
    client: Client,
    stop_tx: tokio::sync::watch::Sender<bool>,
) {
    let mut consecutive_errors: u32 = 0;
    loop {
        tokio::time::sleep(config.renew_period).await;
        match try_acquire_or_renew(&config, &client).await {
            Ok(true) => {
                consecutive_errors = 0;
                debug!(identity = %config.identity, "Leader lease renewed");
            }
            Ok(false) => {
                error!(
                    identity = %config.identity,
                    "Leader lease taken by another replica — stopping controller"
                );
                stop_tx.send(true).ok();
                return;
            }
            Err(e) => {
                consecutive_errors += 1;
                warn!(
                    error = %e,
                    consecutive_errors,
                    "Failed to renew leader lease"
                );
                if consecutive_errors >= 3 {
                    error!(
                        identity = %config.identity,
                        "Could not renew leader lease after 3 attempts — stopping controller"
                    );
                    stop_tx.send(true).ok();
                    return;
                }
            }
        }
    }
}

// ---------------------------------------------------------------------------
// ControllerBuilder
// ---------------------------------------------------------------------------

type ConfigureFn<CR> =
    Box<dyn FnOnce(kube_runtime::Controller<CR>) -> kube_runtime::Controller<CR> + Send + 'static>;

/// Builder for a controller reconciliation loop.
///
/// Wraps `kube-runtime::Controller` and adds:
///
/// | Method | What it provides |
/// |--------|-----------------|
/// | `.health_port(port)` | `GET /healthz` + `GET /readyz` server |
/// | `.graceful_shutdown()` | Clean stop on SIGTERM or Ctrl+C |
/// | `.leader_election(ns, name)` | Kubernetes Lease-based HA leader election |
/// | `.reconcile_timeout(dur)` | Kill and requeue stuck reconciles |
///
/// # Example
///
/// ```no_run
/// use koprs::controller::{Action, Context, ControllerBuilder, ObjectRef, Reconciler, watcher};
/// use koprs::error::KubeGenericError;
/// use kube::{Api, Client};
/// use k8s_openapi::api::core::v1::ConfigMap;
/// use std::sync::Arc;
/// use std::time::Duration;
///
/// struct MyOperator;
/// type MyCR = k8s_openapi::api::core::v1::ConfigMap;
///
/// impl Reconciler<MyCR> for MyOperator {
///     type Error = KubeGenericError;
///     async fn reconcile(&self, _cr: Arc<MyCR>, _ctx: Arc<Context>) -> Result<Action, KubeGenericError> {
///         Ok(Action::await_change())
///     }
/// }
///
/// # async fn example(client: Client, cm_api: Api<ConfigMap>) -> Result<(), KubeGenericError> {
/// let ctx = Context::new(client.clone());
/// let api = Api::<MyCR>::namespaced(client, "my-namespace");
/// ControllerBuilder::new(api)
///     .health_port(8080)
///     .graceful_shutdown()
///     .leader_election("my-namespace", "my-operator-leader")
///     .reconcile_timeout(Duration::from_secs(300))
///     .run(MyOperator, ctx)
///     .await?;
/// # Ok(())
/// # }
/// ```
pub struct ControllerBuilder<CR, T = ()>
where
    CR: KubeResource,
{
    api: kube::Api<CR>,
    pub(crate) watcher_config: watcher::Config,
    pub(crate) configure: Option<ConfigureFn<CR>>,
    pub(crate) health_port: Option<u16>,
    pub(crate) metrics_port: Option<u16>,
    pub(crate) graceful_shutdown: bool,
    pub(crate) reconcile_timeout: Option<Duration>,
    pub(crate) leader_election: Option<LeaderElectionConfig>,
    pub(crate) concurrency: Option<u16>,
    _phantom: PhantomData<T>,
}

impl<CR, T> ControllerBuilder<CR, T>
where
    CR: KubeResource,
    T: Send + Sync + 'static,
{
    /// Create a new builder from a pre-built [`kube::Api`].
    ///
    /// The `Api` determines the watch scope:
    /// - `Api::namespaced(client, "ns")` — one namespace
    /// - `Api::all(client)` — all namespaces / cluster-wide
    pub fn new(api: kube::Api<CR>) -> Self {
        Self {
            api,
            watcher_config: watcher::Config::default(),
            configure: None,
            health_port: None,
            metrics_port: None,
            graceful_shutdown: false,
            reconcile_timeout: None,
            leader_election: None,
            concurrency: None,
            _phantom: PhantomData,
        }
    }

    /// Start a health probe HTTP server on `0.0.0.0:<port>`.
    ///
    /// `GET /healthz` always returns `200 OK`.
    /// `GET /readyz` returns `503` until the first reconcile result, then `200 OK`.
    ///
    /// If the port is already in use, [`run`](ControllerBuilder::run) returns
    /// an error before the controller loop starts.
    pub fn health_port(mut self, port: u16) -> Self {
        self.health_port = Some(port);
        self
    }

    /// Start a Prometheus metrics server on `0.0.0.0:<port>`.
    ///
    /// `GET /metrics` returns reconcile counts, error counts (by kind and
    /// error), and reconcile duration histograms in Prometheus text
    /// exposition format. Recording happens automatically around every
    /// reconcile — see [`Metrics`] for the full list of collectors.
    ///
    /// If the port is already in use, [`run`](ControllerBuilder::run) returns
    /// an error before the controller loop starts.
    pub fn metrics_port(mut self, port: u16) -> Self {
        self.metrics_port = Some(port);
        self
    }

    /// Stop the controller loop cleanly on SIGTERM or Ctrl+C.
    ///
    /// The loop stops accepting new work; reconciles already running inside
    /// `kube-runtime` are allowed to complete.
    pub fn graceful_shutdown(mut self) -> Self {
        self.graceful_shutdown = true;
        self
    }

    /// Enable Kubernetes Lease-based leader election.
    ///
    /// [`run`](ControllerBuilder::run) blocks until this pod acquires the
    /// named `Lease` object in `namespace`, then starts the controller. A
    /// background task renews the lease every 5 seconds (lease duration: 15 s).
    /// If the lease is lost the controller stops cleanly.
    ///
    /// The pod's identity defaults to `$POD_NAME` (downward API) falling back
    /// to `$HOSTNAME`.
    pub fn leader_election(
        mut self,
        namespace: impl Into<String>,
        name: impl Into<String>,
    ) -> Self {
        let identity = std::env::var("POD_NAME")
            .or_else(|_| std::env::var("HOSTNAME"))
            .unwrap_or_else(|_| "unknown".to_string());
        self.leader_election = Some(LeaderElectionConfig {
            namespace: namespace.into(),
            name: name.into(),
            identity,
            lease_duration_secs: 15,
            renew_period: Duration::from_secs(5),
            retry_period: Duration::from_secs(2),
        });
        self
    }

    /// Cancel and requeue any reconcile that runs longer than `timeout`.
    ///
    /// The reconciler is given `Action::requeue(timeout)` on expiry so
    /// the resource is retried after the same duration.
    pub fn reconcile_timeout(mut self, timeout: Duration) -> Self {
        self.reconcile_timeout = Some(timeout);
        self
    }

    /// Apply a label selector to the primary resource watch.
    pub fn label_selector(mut self, selector: impl Into<String>) -> Self {
        let s = selector.into();
        self.watcher_config = self.watcher_config.labels(&s);
        self
    }

    /// Override the watcher configuration for the primary resource watch.
    pub fn watcher_config(mut self, config: watcher::Config) -> Self {
        self.watcher_config = config;
        self
    }

    /// Limit the number of reconciles that may run concurrently.
    ///
    /// Defaults to `0` (unbounded). Set to a positive value to cap concurrent
    /// reconciles across all objects. A single object is never reconciled
    /// concurrently regardless of this setting.
    pub fn concurrency(mut self, n: u16) -> Self {
        self.concurrency = Some(n);
        self
    }

    /// Override the timing parameters for leader election.
    ///
    /// Must be called **after** [`.leader_election()`](ControllerBuilder::leader_election).
    ///
    /// | Parameter | Meaning |
    /// |-----------|---------|
    /// | `lease_duration` | How long the lease is valid without renewal |
    /// | `renew_period` | How often the leader renews the lease |
    /// | `retry_period` | How often a non-leader retries acquisition |
    ///
    /// # Panics
    ///
    /// Panics if called before `.leader_election()`.
    pub fn leader_election_timings(
        mut self,
        lease_duration: Duration,
        renew_period: Duration,
        retry_period: Duration,
    ) -> Self {
        let le = self
            .leader_election
            .as_mut()
            .expect("leader_election_timings must be called after leader_election");
        le.lease_duration_secs = lease_duration.as_secs() as i32;
        le.renew_period = renew_period;
        le.retry_period = retry_period;
        self
    }

    /// Watch child resources that this CR owns via Kubernetes owner references.
    ///
    /// Whenever a resource of type `Child` changes, `kube-runtime` traverses
    /// its owner references to find the parent CR and re-queues it. Use this
    /// for resources you create and set an owner reference on (e.g. Deployments,
    /// Services, ConfigMaps managed by your operator).
    ///
    /// The `Child` type must carry an [`OwnerReference`] pointing back at `CR`.
    ///
    /// Multiple calls compose — each call adds another owned type on top of
    /// previously registered watches.
    ///
    /// [`OwnerReference`]: k8s_openapi::apimachinery::pkg::apis::meta::v1::OwnerReference
    ///
    /// # Example
    ///
    /// ```no_run
    /// use k8s_openapi::api::apps::v1::Deployment;
    /// use k8s_openapi::api::core::v1::ConfigMap;
    /// use koprs::controller::{ControllerBuilder, watcher};
    ///
    /// async fn example(api: kube::Api<ConfigMap>, deploy_api: kube::Api<Deployment>) {
    ///     let _builder: ControllerBuilder<ConfigMap> = ControllerBuilder::new(api)
    ///         .owns(deploy_api, watcher::Config::default());
    /// }
    /// ```
    pub fn owns<Child>(mut self, api: kube::Api<Child>, config: watcher::Config) -> Self
    where
        Child: crate::traits::KubeResource,
    {
        let existing = self.configure.take();
        self.configure = Some(Box::new(move |ctl| {
            let ctl = ctl.owns(api, config);
            match existing {
                Some(f) => f(ctl),
                None => ctl,
            }
        }));
        self
    }

    /// Wire a single secondary (trigger) watch using a typed mapper.
    ///
    /// Whenever a resource of type `Other` changes, `mapper` converts it into
    /// zero or more [`ObjectRef`]s that identify CRs to re-queue. Returning
    /// `None` / an empty iterator drops the event. Returning
    /// `Some(ObjectRef::new("my-cr").within("my-ns"))` re-queues that CR.
    ///
    /// Multiple calls to `.watch()` compose — each watch is added on top of
    /// any previously registered watches and `.with_watches()` calls.
    ///
    /// Use [`owner_label_mapper`][crate::owners::owner_label_mapper] as the
    /// `mapper` argument when the trigger resource carries an owner label
    /// pointing at the CR.
    ///
    /// # Examples
    ///
    /// ```no_run
    /// use k8s_openapi::api::core::v1::{ConfigMap, Namespace};
    /// use koprs::controller::{ControllerBuilder, watcher};
    /// use koprs::owners::owner_label_mapper;
    ///
    /// async fn example(api: kube::Api<Namespace>, cm_api: kube::Api<ConfigMap>) {
    ///     // Re-queue the owning Namespace whenever a managed ConfigMap changes.
    ///     let _builder: ControllerBuilder<Namespace> = ControllerBuilder::new(api)
    ///         .watch(
    ///             cm_api,
    ///             watcher::Config::default().labels("app=my-operator"),
    ///             owner_label_mapper::<ConfigMap, Namespace>("my-operator/owner"),
    ///         );
    ///     // chain .health_port(), .leader_election(), .run(), etc.
    /// }
    /// ```
    pub fn watch<Other, I, F>(
        mut self,
        api: kube::Api<Other>,
        config: watcher::Config,
        mapper: F,
    ) -> Self
    where
        Other: crate::traits::KubeResource,
        I: IntoIterator<Item = kube_runtime::reflector::ObjectRef<CR>> + Send + 'static,
        I::IntoIter: Send,
        F: Fn(Other) -> I + Send + Sync + 'static,
    {
        let existing = self.configure.take();
        self.configure = Some(Box::new(move |ctl| {
            let ctl = ctl.watches(api, config, mapper);
            match existing {
                Some(f) => f(ctl),
                None => ctl,
            }
        }));
        self
    }

    /// Configure additional watches using the full `kube_runtime::Controller` API.
    ///
    /// The closure receives the inner controller and must return it, typically
    /// with `.watches()` or `.owns()` chained. Use this when you need access to
    /// advanced kube-runtime options not covered by [`watch`][ControllerBuilder::watch].
    ///
    /// Multiple calls compose — each call adds on top of previously registered
    /// watches.
    pub fn with_watches<F>(mut self, configure: F) -> Self
    where
        F: FnOnce(kube_runtime::Controller<CR>) -> kube_runtime::Controller<CR> + Send + 'static,
    {
        let existing = self.configure.take();
        self.configure = Some(Box::new(move |ctl| {
            let ctl = configure(ctl);
            match existing {
                Some(f) => f(ctl),
                None => ctl,
            }
        }));
        self
    }

    /// Start the reconciliation loop.
    ///
    /// In order:
    /// 1. Binds the health server if `.health_port()` was set.
    /// 2. Blocks until the leader lease is acquired if `.leader_election()` was set.
    /// 3. Starts the reconcile loop, wrapping each call with a timeout if set.
    /// 4. Stops cleanly on shutdown signal or lease loss.
    pub async fn run<R>(self, reconciler: R, context: Arc<Context<T>>) -> Result<()>
    where
        R: Reconciler<CR, T>,
    {
        let kind = CR::kind(&());
        let client = context.client.clone();
        info!(%kind, "Starting controller");

        // --- Health probes ---
        let ready = Arc::new(AtomicBool::new(false));
        if let Some(port) = self.health_port {
            let listener = tokio::net::TcpListener::bind(("0.0.0.0", port)).await?;
            info!(port, "Health server listening");
            tokio::spawn(serve_health(listener, ready.clone()));
        }

        // --- Metrics ---
        let metrics = if let Some(port) = self.metrics_port {
            let registry = prometheus::Registry::new();
            let metrics = Arc::new(Metrics::new_registered(&registry)?);
            let listener = tokio::net::TcpListener::bind(("0.0.0.0", port)).await?;
            info!(port, "Metrics server listening");
            tokio::spawn(serve_metrics(listener, registry));
            Some(metrics)
        } else {
            None
        };

        // --- Stop signal channel (shared by shutdown + lease loss) ---
        let (stop_tx, mut stop_rx) = tokio::sync::watch::channel(false);
        let has_stop = self.graceful_shutdown || self.leader_election.is_some();

        if self.graceful_shutdown {
            let tx = stop_tx.clone();
            let kind_owned = kind.to_string();
            tokio::spawn(async move {
                shutdown_signal().await;
                info!(kind = %kind_owned, "Shutdown signal received");
                tx.send(true).ok();
            });
        }

        // --- Leader election ---
        if let Some(le) = self.leader_election {
            acquire_leader_lease(&le, &client).await?;
            let tx = stop_tx.clone();
            let client_le = client.clone();
            tokio::spawn(async move {
                renew_leader_lease_loop(le, client_le, tx).await;
            });
        }

        // --- Controller ---
        let mut ctl = kube_runtime::Controller::new(self.api, self.watcher_config);
        if let Some(n) = self.concurrency {
            ctl = ctl.with_config(kube_runtime::controller::Config::default().concurrency(n));
        }
        if let Some(configure) = self.configure {
            ctl = configure(ctl);
        }

        let reconciler = Arc::new(reconciler);
        let error_policy_r = reconciler.clone();
        let ready_ref = ready.clone();
        let reconcile_timeout = self.reconcile_timeout;
        let kind_owned = kind.to_string();

        let run_loop = ctl
            .run(
                move |cr, ctx| {
                    let r = reconciler.clone();
                    let metrics = metrics.clone();
                    let kind = kind_owned.clone();
                    async move {
                        let started = std::time::Instant::now();
                        let result = if let Some(t) = reconcile_timeout {
                            match tokio::time::timeout(t, r.reconcile(cr, ctx)).await {
                                Ok(result) => result,
                                Err(_) => {
                                    warn!("Reconcile timed out after {t:?}, requeueing");
                                    Ok(Action::requeue(t))
                                }
                            }
                        } else {
                            r.reconcile(cr, ctx).await
                        };
                        if let Some(m) = &metrics {
                            match &result {
                                Ok(_) => m.record_success(&kind, started.elapsed()),
                                Err(e) => {
                                    m.record_failure(&kind, &e.to_string(), started.elapsed())
                                }
                            }
                        }
                        result
                    }
                },
                move |cr, err, ctx| error_policy_r.error_policy(cr, err, ctx),
                context,
            )
            .for_each(move |result| {
                ready_ref.store(true, Ordering::Release);
                async move {
                    match result {
                        Ok((obj, _)) => info!(name = %obj.name, "Reconcile succeeded"),
                        Err(e) => warn!(error = %e, "Reconcile failed"),
                    }
                }
            });

        if has_stop {
            tokio::select! {
                _ = run_loop => {},
                _ = async move { stop_rx.wait_for(|v| *v).await.ok(); } => {},
            }
        } else {
            run_loop.await;
        }

        Ok(())
    }
}