(feat) support remote YAML sources in PolicyRefs (#1721)

Add a url field to PolicyRef so ClusterProfile/Profile can reference YAML content
served over HTTP/HTTPS, bypassing the ~1 MB ConfigMap size limit.

When url is set, Sveltos fetches the content on every reconciliation and redeploys
if the hash has changed. A periodic requeue (default 5 minutes, configurable via interval)
drives change detection without requiring a Kubernetes watch event.

Optional auth is supported via a secretRef pointing to a Secret with token, username+password
or caFile keys. Set template: true to have the fetched content treated as a Go template,
equivalent to the projectsveltos.io/template annotation on a ConfigMap.

```yaml
  policyRefs:
    - deploymentType: Remote
      remoteURL:
        interval: 1h0m0s
        url: https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
```

Author: gianlucam76

api/v1beta1/spec.go

@@ -611,25 +611,30 @@ type TemplateResourceRef struct {
 	IgnoreStatusChanges bool `json:"ignoreStatusChanges,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="has(self.remoteURL) != has(self.kind)",message="either remoteURL or kind must be set, but not both"
 type PolicyRef struct {
 	// Namespace of the referenced resource.
 	// For ClusterProfile namespace can be left empty. In such a case, namespace will
 	// be implicit set to cluster's namespace.
 	// For Profile namespace must be left empty. Profile namespace will be used.
 	// Namespace can be expressed as a template and instantiate using any cluster field.
+	// Not used when RemoteURL is set.
 	// +optional
 	Namespace string `json:"namespace,omitempty"`
 
 	// Name of the referenced resource.
 	// Name can be expressed as a template and instantiate using any cluster field.
-	// +kubebuilder:validation:MinLength=1
-	Name string `json:"name"`
+	// Required when RemoteURL is not set.
+	// +optional
+	Name string `json:"name,omitempty"`
 
 	// Kind of the resource. Supported kinds are:
 	// - ConfigMap/Secret
 	// - flux GitRepository;OCIRepository;Bucket
+	// Required when RemoteURL is not set.
 	// +kubebuilder:validation:Enum=GitRepository;OCIRepository;Bucket;ConfigMap;Secret
-	Kind string `json:"kind"`
+	// +optional
+	Kind string `json:"kind,omitempty"`
 
 	// Path to the directory containing the YAML files.
 	// Defaults to 'None', which translates to the root path of the SourceRef.
@@ -671,6 +676,40 @@ type PolicyRef struct {
 	// +kubebuilder:default:=false
 	// +optional
 	SkipNamespaceCreation bool `json:"skipNamespaceCreation,omitempty"`
+
+	// RemoteURL configures fetching content from an HTTP/HTTPS endpoint.
+	// When set, Kind/Name/Namespace must be omitted.
+	// +optional
+	RemoteURL *RemoteURL `json:"remoteURL,omitempty"`
+}
+
+// RemoteURL groups all fields related to fetching policy content from an HTTP/HTTPS endpoint.
+type RemoteURL struct {
+	// URL is an HTTP/HTTPS endpoint serving raw YAML/JSON/KYAML content.
+	// Sveltos fetches the content on every reconciliation and redeploys if the
+	// content hash has changed.
+	// +kubebuilder:validation:Pattern=`^https?://`
+	URL string `json:"url"`
+
+	// Interval defines how often Sveltos re-fetches the URL to detect changes.
+	// Defaults to 5 minutes.
+	// +optional
+	Interval *metav1.Duration `json:"interval,omitempty"`
+
+	// SecretRef references a Secret in the management cluster containing optional
+	// credentials for fetching the URL. Supported Secret keys:
+	//   "token"              — Bearer token (Authorization: Bearer <token>)
+	//   "username"+"password" — HTTP Basic Auth
+	//   "caFile"             — PEM-encoded CA certificate for TLS verification
+	// +optional
+	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// Template indicates that the content served at URL is a Go template that
+	// must be instantiated using cluster fields and templateResourceRefs values
+	// before deployment. Equivalent to the projectsveltos.io/template annotation
+	// on a ConfigMap or Secret.
+	// +optional
+	Template bool `json:"template,omitempty"`
 }
 
 type Clusters struct {

api/v1beta1/zz_generated.deepcopy.go

@@ -977,6 +977,7 @@ spec:
                         Kind of the resource. Supported kinds are:
                         - ConfigMap/Secret
                         - flux GitRepository;OCIRepository;Bucket
+                        Required when RemoteURL is not set.
                       enum:
                       - GitRepository
                       - OCIRepository
@@ -988,7 +989,7 @@ spec:
                       description: |-
                         Name of the referenced resource.
                         Name can be expressed as a template and instantiate using any cluster field.
-                      minLength: 1
+                        Required when RemoteURL is not set.
                       type: string
                     namespace:
                       description: |-
@@ -997,6 +998,7 @@ spec:
                         be implicit set to cluster's namespace.
                         For Profile namespace must be left empty. Profile namespace will be used.
                         Namespace can be expressed as a template and instantiate using any cluster field.
+                        Not used when RemoteURL is set.
                       type: string
                     optional:
                       default: false
@@ -1011,6 +1013,52 @@ spec:
                         Defaults to 'None', which translates to the root path of the SourceRef.
                         Used only for GitRepository;OCIRepository;Bucket
                       type: string
+                    remoteURL:
+                      description: |-
+                        RemoteURL configures fetching content from an HTTP/HTTPS endpoint.
+                        When set, Kind/Name/Namespace must be omitted.
+                      properties:
+                        interval:
+                          description: |-
+                            Interval defines how often Sveltos re-fetches the URL to detect changes.
+                            Defaults to 5 minutes.
+                          type: string
+                        secretRef:
+                          description: |-
+                            SecretRef references a Secret in the management cluster containing optional
+                            credentials for fetching the URL. Supported Secret keys:
+                              "token"              — Bearer token (Authorization: Bearer <token>)
+                              "username"+"password" — HTTP Basic Auth
+                              "caFile"             — PEM-encoded CA certificate for TLS verification
+                          properties:
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        template:
+                          description: |-
+                            Template indicates that the content served at URL is a Go template that
+                            must be instantiated using cluster fields and templateResourceRefs values
+                            before deployment. Equivalent to the projectsveltos.io/template annotation
+                            on a ConfigMap or Secret.
+                          type: boolean
+                        url:
+                          description: |-
+                            URL is an HTTP/HTTPS endpoint serving raw YAML/JSON/KYAML content.
+                            Sveltos fetches the content on every reconciliation and redeploys if the
+                            content hash has changed.
+                          pattern: ^https?://
+                          type: string
+                      required:
+                      - url
+                      type: object
                     skipNamespaceCreation:
                       default: false
                       description: |-
@@ -1034,10 +1082,10 @@ spec:
                       format: int32
                       minimum: 1
                       type: integer
-                  required:
-                  - kind
-                  - name
                   type: object
+                  x-kubernetes-validations:
+                  - message: either remoteURL or kind must be set, but not both
+                    rule: has(self.remoteURL) != has(self.kind)
                 type: array
                 x-kubernetes-list-type: atomic
               postDeleteChecks: