cloudogu · alexander-dammeier · Oct 23, 2025 · Oct 21, 2025 · Oct 21, 2025 · Oct 21, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - [#121] Added use case to check if dogus actually use the desired version and config before completing the blueprint
+- [#135] Support for the blueprint mask custom resource.
 - [#129] Reconciliation of the blueprint on changes of dogu-crs, ces-configMaps and ces-secrets
 - [#131] Ignore loglevel changes while debug-mode is active
 

diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/Masterminds/semver/v3 v3.4.0
 	github.com/cloudogu/ces-commons-lib v0.2.0
 	github.com/cloudogu/cesapp-lib v0.18.1
-	github.com/cloudogu/k8s-blueprint-lib/v2 v2.0.0-20251023074126-1be92019bece
+	github.com/cloudogu/k8s-blueprint-lib/v3 v3.0.0
 	github.com/cloudogu/k8s-debug-mode-cr-lib v1.0.0
 	github.com/cloudogu/k8s-dogu-lib/v2 v2.10.0
 	github.com/cloudogu/k8s-registry-lib v0.6.0
@@ -15,7 +15,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/zap v1.27.0
-	golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b
+	golang.org/x/exp v0.0.0-20251017212417-90e834f514db
 	golang.org/x/net v0.46.0
 	k8s.io/api v0.34.1
 	k8s.io/apimachinery v0.34.1
@@ -71,7 +71,7 @@ require (
 	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.67.1 // indirect
-	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/prometheus/procfs v0.18.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect

diff --git a/go.sum b/go.sum
@@ -18,10 +18,8 @@ github.com/cloudogu/ces-commons-lib v0.2.0 h1:yOEZWFl4W9N3J/6fok4svE3UufK5GQQtyx
 github.com/cloudogu/ces-commons-lib v0.2.0/go.mod h1:4rvR2RTDDaz5a6OZ1fW27G0MOnl5I3ackeiHxt4gn3o=
 github.com/cloudogu/cesapp-lib v0.18.1 h1:LMdGktIefm/PuhdPqpLTPvjY1smO06EEGBbRSAaYi7U=
 github.com/cloudogu/cesapp-lib v0.18.1/go.mod h1:J05eXFxnz4enZblABlmiVTZaUtJ+LIhlJ2UF6l9jpDw=
-github.com/cloudogu/k8s-blueprint-lib/v2 v2.0.0-20251023074126-1be92019bece h1:/cmnzgb6bafAeBT/9e0AvV/S1UZtc+mk8Gqo/ccLf6g=
-github.com/cloudogu/k8s-blueprint-lib/v2 v2.0.0-20251023074126-1be92019bece/go.mod h1:Qyi8M+HJMHJfhXN6Zotey/tXjFuJDM9RIXn+FjQaJAU=
-github.com/cloudogu/k8s-blueprint-lib/v2 v2.0.0 h1:3opEauJ733KlUEhsBVDpi4MdYeiEXg63oedX+/F2Btk=
-github.com/cloudogu/k8s-blueprint-lib/v2 v2.0.0/go.mod h1:Qyi8M+HJMHJfhXN6Zotey/tXjFuJDM9RIXn+FjQaJAU=
+github.com/cloudogu/k8s-blueprint-lib/v3 v3.0.0 h1:XDWrVVmQ1aJ00aisCNQ1nJqOHVK9LB3q92swJFMZEFg=
+github.com/cloudogu/k8s-blueprint-lib/v3 v3.0.0/go.mod h1:3E1iLra8//8+kCwBjuDi6b0iwtNoArYfOIYnzNXSFMQ=
 github.com/cloudogu/k8s-debug-mode-cr-lib v1.0.0 h1:geZjXwWQY8d8aEWA9l2is/DwlADdOHQveBokPK63XH0=
 github.com/cloudogu/k8s-debug-mode-cr-lib v1.0.0/go.mod h1:OPAO5P5ZSZkEexP9YOWNj4wEE8T3wqs92yyP5muymxQ=
 github.com/cloudogu/k8s-dogu-lib/v2 v2.10.0 h1:flTmcBHzHU6uiwpXnlxLi93sKmYD85pul//8KxkkgGI=
@@ -184,6 +182,8 @@ github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oE
 github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
 github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
 github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
+github.com/prometheus/procfs v0.18.0 h1:2QTA9cKdznfYJz7EDaa7IiJobHuV7E1WzeBwcrhk0ao=
+github.com/prometheus/procfs v0.18.0/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
@@ -249,6 +249,8 @@ golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
 golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b h1:18qgiDvlvH7kk8Ioa8Ov+K6xCi0GMvmGfGW0sgd/SYA=
 golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/exp v0.0.0-20251017212417-90e834f514db h1:by6IehL4BH5k3e3SJmcoNbOobMey2SLpAF79iPOEBvw=
+golang.org/x/exp v0.0.0-20251017212417-90e834f514db/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=

diff --git a/k8s/helm/Chart.yaml b/k8s/helm/Chart.yaml
@@ -24,5 +24,6 @@ version: 0.0.0-replaceme
 appVersion: "0.0.0-replaceme"
 
 annotations:
-  "k8s.cloudogu.com/ces-dependency/k8s-blueprint-operator-crd": ">=2.0.0, <3.0.0"
-  "k8s.cloudogu.com/ces-dependency/k8s-dogu-operator-crd": ">=2.10.0, <3.0.0"
+  # we need the -0 as otherwise we cannot depend on (and therefore test) pre-release versions
+  "k8s.cloudogu.com/ces-dependency/k8s-blueprint-operator-crd": ">=3.0.0-0, <4.0.0"
+  "k8s.cloudogu.com/ces-dependency/k8s-dogu-operator-crd": ">=2.10.0-0, <3.0.0"
diff --git a/k8s/helm/templates/blueprint-mask-role.yaml b/k8s/helm/templates/blueprint-mask-role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+  {{- include "k8s-blueprint-operator.labels" . | nindent 4 }}
+  name: {{ include "k8s-blueprint-operator.name" . }}-blueprint-mask-role
+rules:
+  # issue permissions to read/update fields beyond the status
+  - apiGroups:
+      - k8s.cloudogu.com
+    resources:
+      - blueprintmasks
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/k8s/helm/templates/blueprint-mask-rolebinding.yaml b/k8s/helm/templates/blueprint-mask-rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+  {{- include "k8s-blueprint-operator.labels" . | nindent 4 }}
+  name: {{ include "k8s-blueprint-operator.name" . }}-blueprint-mask-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "k8s-blueprint-operator.name" . }}-blueprint-mask-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "k8s-blueprint-operator.name" . }}-controller-manager
diff --git a/main.go b/main.go
@@ -7,7 +7,7 @@ import (
 	"os"
 	"time"
 
-	bpv2 "github.com/cloudogu/k8s-blueprint-lib/v2/api/v2"
+	bpv3 "github.com/cloudogu/k8s-blueprint-lib/v3/api/v3"
 	"github.com/cloudogu/k8s-blueprint-operator/v2/pkg"
 	"github.com/cloudogu/k8s-blueprint-operator/v2/pkg/adapter/reconciler"
 	"github.com/cloudogu/k8s-blueprint-operator/v2/pkg/config"
@@ -46,7 +46,7 @@ var (
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
-	utilruntime.Must(bpv2.AddToScheme(scheme))
+	utilruntime.Must(bpv3.AddToScheme(scheme))
 	utilruntime.Must(v2.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
@@ -86,7 +86,7 @@ func startOperator(
 		return fmt.Errorf("unable to bootstrap application context: %w", err)
 	}
 
-	err = configureManager(k8sManager, bootstrap.Reconciler)
+	err = configureManager(k8sManager, bootstrap.BlueprintReconciler)
 	if err != nil {
 		return fmt.Errorf("unable to configure manager: %w", err)
 	}
@@ -110,7 +110,7 @@ func NewK8sManager(
 func configureManager(k8sManager controllerManager, blueprintReconciler *reconciler.BlueprintReconciler) error {
 	err := blueprintReconciler.SetupWithManager(k8sManager)
 	if err != nil {
-		return fmt.Errorf("unable to configure reconciler: %w", err)
+		return fmt.Errorf("unable to configure blueprint reconciler: %w", err)
 	}
 
 	err = addChecks(k8sManager)

diff --git a/main_internal_test.go b/main_internal_test.go
@@ -11,13 +11,12 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/config"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
-	bpv2 "github.com/cloudogu/k8s-blueprint-lib/v2/api/v2"
+	bpv3 "github.com/cloudogu/k8s-blueprint-lib/v3/api/v3"
 	config2 "github.com/cloudogu/k8s-blueprint-operator/v2/pkg/config"
 )
 
@@ -173,7 +172,7 @@ func Test_startOperator(t *testing.T) {
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "unable to bootstrap application context: failed to get remote dogu registry credentials: environment variable DOGU_REGISTRY_PASSWORD must be set")
 	})
-	t.Run("should fail to configure reconciler", func(t *testing.T) {
+	t.Run("should fail to configure blueprint reconciler", func(t *testing.T) {
 		// given
 		t.Setenv("NAMESPACE", "ecosystem")
 		t.Setenv("STAGE", "development")
@@ -212,7 +211,7 @@ func Test_startOperator(t *testing.T) {
 
 		// then
 		require.Error(t, err)
-		assert.ErrorContains(t, err, "unable to configure manager: unable to configure reconciler")
+		assert.ErrorContains(t, err, "unable to configure manager: unable to configure blueprint reconciler")
 	})
 	t.Run("should fail to add health check to controller manager", func(t *testing.T) {
 		// given
@@ -427,12 +426,8 @@ func Test_startOperator(t *testing.T) {
 
 func createScheme(t *testing.T) *runtime.Scheme {
 	t.Helper()
-
 	scheme := runtime.NewScheme()
-	gv, err := schema.ParseGroupVersion("k8s.cloudogu.com/v2")
-	assert.NoError(t, err)
-
-	scheme.AddKnownTypes(gv, &bpv2.Blueprint{})
+	scheme.AddKnownTypes(bpv3.GroupVersion, &bpv3.Blueprint{}, &bpv3.BlueprintMask{})
 	return scheme
 }
 

diff --git a/pkg/adapter/kubernetes/blueprintcr/v2/interfaces.go b/pkg/adapter/kubernetes/blueprintcr/v2/interfaces.go
diff --git a/...ueprintcr/v2/blueprintSpecCRRepository.go → ...ueprintcr/v3/blueprintSpecCRRepository.go b/...ueprintcr/v2/blueprintSpecCRRepository.go → ...ueprintcr/v3/blueprintSpecCRRepository.go
@@ -1,19 +1,19 @@
-package v2
+package v3
 
 import (
 	"context"
 	"errors"
 	"fmt"
 
-	v2 "github.com/cloudogu/k8s-blueprint-lib/v2/api/v2"
-	serializerv2 "github.com/cloudogu/k8s-blueprint-operator/v2/pkg/adapter/kubernetes/blueprintcr/v2/serializer"
+	bpv3 "github.com/cloudogu/k8s-blueprint-lib/v3/api/v3"
+	serializerv2 "github.com/cloudogu/k8s-blueprint-operator/v2/pkg/adapter/kubernetes/blueprintcr/v3/serializer"
 	corev1 "k8s.io/api/core/v1"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
-	bpv2client "github.com/cloudogu/k8s-blueprint-lib/v2/client"
+	bpv3client "github.com/cloudogu/k8s-blueprint-lib/v3/client"
 	"github.com/cloudogu/k8s-blueprint-operator/v2/pkg/domain"
 	"github.com/cloudogu/k8s-blueprint-operator/v2/pkg/domainservice"
 )
@@ -25,18 +25,21 @@ type blueprintSpecRepoContext struct {
 }
 
 type blueprintSpecRepo struct {
-	blueprintClient blueprintInterface
-	eventRecorder   eventRecorder
+	blueprintClient     blueprintInterface
+	blueprintMaskClient blueprintMaskInterface
+	eventRecorder       eventRecorder
 }
 
 // NewBlueprintSpecRepository returns a new BlueprintSpecRepository to interact on BlueprintSpecs.
 func NewBlueprintSpecRepository(
-	blueprintClient bpv2client.BlueprintInterface,
+	blueprintClient bpv3client.BlueprintInterface,
+	blueprintMaskClient bpv3client.BlueprintMaskInterface,
 	eventRecorder eventRecorder,
 ) domainservice.BlueprintSpecRepository {
 	return &blueprintSpecRepo{
-		blueprintClient: blueprintClient,
-		eventRecorder:   eventRecorder,
+		blueprintClient:     blueprintClient,
+		blueprintMaskClient: blueprintMaskClient,
+		eventRecorder:       eventRecorder,
 	}
 }
 
@@ -79,7 +82,12 @@ func (repo *blueprintSpecRepo) GetById(ctx context.Context, blueprintId string)
 		},
 	}
 
-	err = serializerv2.SerializeBlueprintAndMask(blueprintSpec, blueprintCR)
+	maskManifest, err := repo.getMaskManifest(ctx, blueprintId, blueprintCR)
+	if err != nil {
+		return nil, err
+	}
+
+	err = serializerv2.SerializeBlueprintAndMask(blueprintSpec, blueprintCR.Spec.Blueprint, maskManifest)
 	if err != nil {
 		invalidErrorEvent := domain.BlueprintSpecInvalidEvent{ValidationError: err}
 		repo.eventRecorder.Event(blueprintCR, corev1.EventTypeWarning, invalidErrorEvent.Name(), invalidErrorEvent.Message())
@@ -90,6 +98,30 @@ func (repo *blueprintSpecRepo) GetById(ctx context.Context, blueprintId string)
 	return blueprintSpec, nil
 }
 
+func (repo *blueprintSpecRepo) getMaskManifest(ctx context.Context, blueprintId string, blueprintCR *bpv3.Blueprint) (*bpv3.BlueprintMaskManifest, error) {
+	if blueprintCR.Spec.MaskSource.Manifest != nil && blueprintCR.Spec.MaskSource.CrRef != nil {
+		err := &domain.InvalidBlueprintError{Message: "blueprint mask and mask ref cannot be set at the same time"}
+		invalidErrorEvent := domain.BlueprintSpecInvalidEvent{ValidationError: err}
+		repo.eventRecorder.Event(blueprintCR, corev1.EventTypeWarning, invalidErrorEvent.Name(), invalidErrorEvent.Message())
+		return nil, fmt.Errorf("could not deserialize blueprint CR %q: %w", blueprintId, err)
+	}
+
+	var maskManifest = blueprintCR.Spec.MaskSource.Manifest
+	if blueprintCR.Spec.MaskSource.CrRef != nil {
+		blueprintMask, maskErr := repo.blueprintMaskClient.Get(ctx, blueprintCR.Spec.MaskSource.CrRef.Name, metav1.GetOptions{})
+		if maskErr != nil {
+			return nil, &domainservice.NotFoundError{
+				WrappedError: maskErr,
+				Message:      fmt.Sprintf("could not get blueprint mask from ref %q in blueprint %q", blueprintCR.Spec.MaskSource.CrRef.Name, blueprintId),
+				DoNotRetry:   false,
+			}
+		}
+
+		maskManifest = blueprintMask.Spec.BlueprintMaskManifest
+	}
+	return maskManifest, nil
+}
+
 func (repo *blueprintSpecRepo) Count(ctx context.Context, limit int) (int, error) {
 	limit64 := int64(limit)
 
@@ -135,13 +167,13 @@ func (repo *blueprintSpecRepo) Update(ctx context.Context, spec *domain.Blueprin
 
 	effectiveBlueprint := serializerv2.ConvertToBlueprintDTO(spec.EffectiveBlueprint)
 
-	updatedBlueprint := &v2.Blueprint{
+	updatedBlueprint := &bpv3.Blueprint{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:              spec.Id,
 			ResourceVersion:   persistenceContext.resourceVersion,
 			CreationTimestamp: metav1.Time{},
 		},
-		Status: &v2.BlueprintStatus{
+		Status: &bpv3.BlueprintStatus{
 			EffectiveBlueprint: &effectiveBlueprint,
 			StateDiff:          serializerv2.ConvertToStateDiffDTO(spec.StateDiff),
 			Conditions:         spec.Conditions,
@@ -165,7 +197,7 @@ func (repo *blueprintSpecRepo) Update(ctx context.Context, spec *domain.Blueprin
 	return nil
 }
 
-func setPersistenceContext(blueprintCR *v2.Blueprint, spec *domain.BlueprintSpec) {
+func setPersistenceContext(blueprintCR *bpv3.Blueprint, spec *domain.BlueprintSpec) {
 	if spec.PersistenceContext == nil {
 		spec.PersistenceContext = make(map[string]interface{}, 1)
 	}
@@ -195,7 +227,7 @@ func getPersistenceContext(ctx context.Context, spec *domain.BlueprintSpec) (blu
 	}
 }
 
-func (repo *blueprintSpecRepo) publishEvents(blueprintCR *v2.Blueprint, events []domain.Event) {
+func (repo *blueprintSpecRepo) publishEvents(blueprintCR *bpv3.Blueprint, events []domain.Event) {
 	for _, event := range events {
 		repo.eventRecorder.Event(blueprintCR, corev1.EventTypeNormal, event.Name(), event.Message())
 	}