Runtime Watcher is essentially a validation webhook that Lifecycle Manager deploys in a Kyma cluster. It watches for changes in resources that are configured through Watcher custom resources (CRs) in Kyma Control Plane (KCP).
The main Kyma use case for Runtime Watcher is to reduce Lifecycle Manager's workload, which allows a longer success-requeue-interval. With Runtime Watcher enabled and a Watcher CR properly configured, Kyma CRs are requeued and reconciled only when a Kyma CR spec changes in a Kyma cluster.
Runtime Watcher can watch any kind of resource and subresource, and it can react to either status or spec changes of those resources. For more details, see the Watcher CR definition.
The workflow of Runtime Watcher includes the following main components:
Watcher CRs configure the Virtual Services in KCP, which are used as a reverse proxy to route incoming requests to the correct operator. Watcher CRs are also used to configure the Runtime Watcher deployed in each Kyma cluster. For more details, see the Watcher CR document.
Runtime Watcher consists of multiple parts. First, it has a ValidatingWebhookConfiguration with one or more webhooks. Instead of serving its original purpose, the webhook is re-used to validate CRUD actions (creating, reading, updating, and deleting) on Kubernetes resources, which provides the general watch mechanism inside the SKR. Lifecycle Manager configures these webhooks using the Watcher CRs. In addition, a Deployment attached to the webhook receives the validation requests, converts them into WatchEvents, and sends them to KCP over a secured mTLS connection. To establish that mTLS connection from a Kyma cluster to KCP, Lifecycle Manager deploys a Secret with a TLS certificate in each Kyma cluster.
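The conversion step described above, as an added example that is not part of the Runtime Watcher or Lifecycle Manager code: a stand-alone Go sketch that turns an admission request into a WatchEvent and forwards it only when the spec actually changed, so a status-only write in the SKR does not requeue the Kyma CR in KCP. The trimmed AdmissionReview struct, the WatchEvent shape, the owner name and the sample request are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Minimal slice of a Kubernetes AdmissionReview: only the fields the conversion
// reads (assumption: a stdlib-only stand-in for k8s.io/api/admission/v1).
type admissionReview struct {
	Request struct {
		Operation string                                       `json:"operation"`
		Kind      struct{ Kind string `json:"kind"` }          `json:"kind"`
		Name      string                                       `json:"name"`
		Namespace string                                       `json:"namespace"`
		Object    struct{ Spec json.RawMessage `json:"spec"` } `json:"object"`
		OldObject struct{ Spec json.RawMessage `json:"spec"` } `json:"oldObject"`
	} `json:"request"`
}

// WatchEvent is a hypothetical shape; the Listener package defines the real one.
type WatchEvent struct{ Owner, Kind, Name, Namespace, Operation string }
// ToWatchEvent converts one admission request into a WatchEvent. forward is false
// for an UPDATE whose spec is unchanged (e.g. a status-only write), so KCP is
// notified only when a spec actually changes.
func ToWatchEvent(body []byte, owner string) (ev WatchEvent, forward bool, err error) {
	var ar admissionReview
	if err = json.Unmarshal(body, &ar); err != nil {
		return ev, false, err
	}
	r := ar.Request
	ev = WatchEvent{owner, r.Kind.Kind, r.Name, r.Namespace, r.Operation}
	forward = r.Operation != "UPDATE" || !specEqual(r.Object.Spec, r.OldObject.Spec)
	return ev, forward, nil
}

// specEqual compares specs structurally, so key order or whitespace is not a change.
func specEqual(a, b json.RawMessage) bool {
	var x, y any
	_ = json.Unmarshal(a, &x)
	_ = json.Unmarshal(b, &y)
	return reflect.DeepEqual(x, y)
}
// Constructed sample: a status-only UPDATE of a Kyma CR, which must not be forwarded.
const sampleReview = `{"request":{"operation":"UPDATE","kind":{"kind":"Kyma"},"name":"default","namespace":"kyma-system",
"object":{"spec":{"channel":"regular"},"status":{"state":"Ready"}},"oldObject":{"spec":{"channel":"regular"},"status":{"state":"Processing"}}}}`
func main() {
	ev, forward, err := ToWatchEvent([]byte(sampleReview), "skr-1")
	fmt.Printf("%+v forward=%v err=%v\n", ev, forward, err) // forward=false
}
```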
The Listener package simplifies setting up an endpoint for an operator residing in KCP that receives the WatchEvents Runtime Watcher sends to KCP. Follow the guide to learn how to use it.
For further details on Runtime Watcher's architecture, see the Architecture document.