feat: namespace metadata sync on creation projectcapsule#1378

Signed-off-by: Siarhei Rasiukevich <[email protected]>

Author: CharlieR-o-o-t

charts/capsule/templates/mutatingwebhookconfiguration.yaml

@@ -81,12 +81,12 @@ webhooks:
   sideEffects: None
   timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
 {{- end }}
-{{- with .Values.webhooks.hooks.namespaceOwnerReference }} 
+{{- with .Values.webhooks.hooks.namespacesPatch }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/namespace-owner-reference" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/namespace-patch" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
   matchPolicy: Equivalent
   name: owner.namespace.projectcapsule.dev

charts/capsule/templates/validatingwebhookconfiguration.yaml

@@ -68,12 +68,12 @@ webhooks:
   sideEffects: None
   timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
 {{- end }}
-{{ with .Values.webhooks.hooks.namespaces }}
+{{ with .Values.webhooks.hooks.namespacesValidation }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/namespaces" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/namespace-validate" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
   matchPolicy: Equivalent
   name: namespaces.projectcapsule.dev

charts/capsule/values.yaml

@@ -265,8 +265,6 @@ webhooks:
 
   # Hook Configuration
   hooks:
-    namespaceOwnerReference:
-      failurePolicy: Fail
     cordoning:
       failurePolicy: Fail
       namespaceSelector:
@@ -279,7 +277,9 @@ webhooks:
         matchExpressions:
           - key: capsule.clastix.io/tenant
             operator: Exists
-    namespaces:
+    namespacesPatch:
+      failurePolicy: Fail
+    namespacesValidation:
       failurePolicy: Fail
     networkpolicies:
       failurePolicy: Fail

controllers/tenant/namespaces.go

@@ -52,93 +52,8 @@ func (r *Manager) syncNamespaceMetadata(ctx context.Context, namespace string, t
 			return
 		}
 
-		capsuleLabel, _ := utils.GetTypeLabel(&capsulev1beta2.Tenant{})
-
 		res, conflictErr = controllerutil.CreateOrUpdate(ctx, r.Client, ns, func() error {
-			annotations := make(map[string]string)
-			labels := map[string]string{
-				"kubernetes.io/metadata.name": namespace,
-				capsuleLabel:                  tnt.GetName(),
-			}
-
-			if tnt.Spec.NamespaceOptions != nil && tnt.Spec.NamespaceOptions.AdditionalMetadata != nil {
-				for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Annotations {
-					annotations[k] = v
-				}
-			}
-
-			if tnt.Spec.NamespaceOptions != nil && tnt.Spec.NamespaceOptions.AdditionalMetadata != nil {
-				for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Labels {
-					labels[k] = v
-				}
-			}
-
-			if tnt.Spec.NodeSelector != nil {
-				annotations = utils.BuildNodeSelector(tnt, annotations)
-			}
-
-			if tnt.Spec.IngressOptions.AllowedClasses != nil {
-				if len(tnt.Spec.IngressOptions.AllowedClasses.Exact) > 0 {
-					annotations[AvailableIngressClassesAnnotation] = strings.Join(tnt.Spec.IngressOptions.AllowedClasses.Exact, ",")
-				}
-
-				if len(tnt.Spec.IngressOptions.AllowedClasses.Regex) > 0 {
-					annotations[AvailableIngressClassesRegexpAnnotation] = tnt.Spec.IngressOptions.AllowedClasses.Regex
-				}
-			}
-
-			if tnt.Spec.StorageClasses != nil {
-				if len(tnt.Spec.StorageClasses.Exact) > 0 {
-					annotations[AvailableStorageClassesAnnotation] = strings.Join(tnt.Spec.StorageClasses.Exact, ",")
-				}
-
-				if len(tnt.Spec.StorageClasses.Regex) > 0 {
-					annotations[AvailableStorageClassesRegexpAnnotation] = tnt.Spec.StorageClasses.Regex
-				}
-			}
-
-			if tnt.Spec.ContainerRegistries != nil {
-				if len(tnt.Spec.ContainerRegistries.Exact) > 0 {
-					annotations[AllowedRegistriesAnnotation] = strings.Join(tnt.Spec.ContainerRegistries.Exact, ",")
-				}
-
-				if len(tnt.Spec.ContainerRegistries.Regex) > 0 {
-					annotations[AllowedRegistriesRegexpAnnotation] = tnt.Spec.ContainerRegistries.Regex
-				}
-			}
-
-			if value, ok := tnt.Annotations[api.ForbiddenNamespaceLabelsAnnotation]; ok {
-				annotations[api.ForbiddenNamespaceLabelsAnnotation] = value
-			}
-
-			if value, ok := tnt.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
-				annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation] = value
-			}
-
-			if value, ok := tnt.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation]; ok {
-				annotations[api.ForbiddenNamespaceAnnotationsAnnotation] = value
-			}
-
-			if value, ok := tnt.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
-				annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation] = value
-			}
-
-			if ns.Annotations == nil {
-				ns.SetAnnotations(annotations)
-			} else {
-				for k, v := range annotations {
-					ns.Annotations[k] = v
-				}
-			}
-
-			if ns.Labels == nil {
-				ns.SetLabels(labels)
-			} else {
-				for k, v := range labels {
-					ns.Labels[k] = v
-				}
-			}
-
+			SyncNamespaceMetadata(tnt, ns)
 			return nil
 		})
 
@@ -185,3 +100,92 @@ func (r *Manager) collectNamespaces(ctx context.Context, tenant *capsulev1beta2.
 		return
 	})
 }
+
+// SyncNamespaceMetadata sync namespace metadata according to tenant spec.
+func SyncNamespaceMetadata(tnt *capsulev1beta2.Tenant, ns *corev1.Namespace) {
+	capsuleLabel, _ := utils.GetTypeLabel(&capsulev1beta2.Tenant{})
+
+	annotations := make(map[string]string)
+	labels := map[string]string{
+		"kubernetes.io/metadata.name": ns.GetName(),
+		capsuleLabel:                  tnt.GetName(),
+	}
+
+	if tnt.Spec.NamespaceOptions != nil && tnt.Spec.NamespaceOptions.AdditionalMetadata != nil {
+		for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Annotations {
+			annotations[k] = v
+		}
+	}
+
+	if tnt.Spec.NamespaceOptions != nil && tnt.Spec.NamespaceOptions.AdditionalMetadata != nil {
+		for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Labels {
+			labels[k] = v
+		}
+	}
+
+	if tnt.Spec.NodeSelector != nil {
+		annotations = utils.BuildNodeSelector(tnt, annotations)
+	}
+
+	if tnt.Spec.IngressOptions.AllowedClasses != nil {
+		if len(tnt.Spec.IngressOptions.AllowedClasses.Exact) > 0 {
+			annotations[AvailableIngressClassesAnnotation] = strings.Join(tnt.Spec.IngressOptions.AllowedClasses.Exact, ",")
+		}
+
+		if len(tnt.Spec.IngressOptions.AllowedClasses.Regex) > 0 {
+			annotations[AvailableIngressClassesRegexpAnnotation] = tnt.Spec.IngressOptions.AllowedClasses.Regex
+		}
+	}
+
+	if tnt.Spec.StorageClasses != nil {
+		if len(tnt.Spec.StorageClasses.Exact) > 0 {
+			annotations[AvailableStorageClassesAnnotation] = strings.Join(tnt.Spec.StorageClasses.Exact, ",")
+		}
+
+		if len(tnt.Spec.StorageClasses.Regex) > 0 {
+			annotations[AvailableStorageClassesRegexpAnnotation] = tnt.Spec.StorageClasses.Regex
+		}
+	}
+
+	if tnt.Spec.ContainerRegistries != nil {
+		if len(tnt.Spec.ContainerRegistries.Exact) > 0 {
+			annotations[AllowedRegistriesAnnotation] = strings.Join(tnt.Spec.ContainerRegistries.Exact, ",")
+		}
+
+		if len(tnt.Spec.ContainerRegistries.Regex) > 0 {
+			annotations[AllowedRegistriesRegexpAnnotation] = tnt.Spec.ContainerRegistries.Regex
+		}
+	}
+
+	if value, ok := tnt.Annotations[api.ForbiddenNamespaceLabelsAnnotation]; ok {
+		annotations[api.ForbiddenNamespaceLabelsAnnotation] = value
+	}
+
+	if value, ok := tnt.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
+		annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation] = value
+	}
+
+	if value, ok := tnt.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation]; ok {
+		annotations[api.ForbiddenNamespaceAnnotationsAnnotation] = value
+	}
+
+	if value, ok := tnt.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
+		annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation] = value
+	}
+
+	if ns.Annotations == nil {
+		ns.SetAnnotations(annotations)
+	} else {
+		for k, v := range annotations {
+			ns.Annotations[k] = v
+		}
+	}
+
+	if ns.Labels == nil {
+		ns.SetLabels(labels)
+	} else {
+		for k, v := range labels {
+			ns.Labels[k] = v
+		}
+	}
+}

e2e/namespace_metadata_controller_test.go

@@ -0,0 +1,95 @@
+//go:build e2e
+
+// Copyright 2020-2023 Project Capsule Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package e2e
+
+import (
+	"context"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+var _ = Describe("creating a Namespace for a Tenant with additional metadata", func() {
+	tnt := &capsulev1beta2.Tenant{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "tenant-metadata",
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: "cap",
+					Kind:       "dummy",
+					Name:       "tenant-metadata",
+					UID:        "tenant-metadata",
+				},
+			},
+		},
+		Spec: capsulev1beta2.TenantSpec{
+			Owners: capsulev1beta2.OwnerListSpec{
+				{
+					Name: "gatsby",
+					Kind: "User",
+				},
+			},
+			NamespaceOptions: &capsulev1beta2.NamespaceOptions{
+				AdditionalMetadata: &api.AdditionalMetadataSpec{
+					Labels: map[string]string{
+						"k8s.io/custom-label":     "foo",
+						"clastix.io/custom-label": "bar",
+					},
+					Annotations: map[string]string{
+						"k8s.io/custom-annotation":     "bizz",
+						"clastix.io/custom-annotation": "buzz",
+					},
+				},
+			},
+		},
+	}
+
+	JustBeforeEach(func() {
+		EventuallyCreation(func() error {
+			return k8sClient.Create(context.TODO(), tnt)
+		}).Should(Succeed())
+	})
+	JustAfterEach(func() {
+		Expect(k8sClient.Delete(context.TODO(), tnt)).Should(Succeed())
+	})
+
+	It("should contain Namespace metadata after tenant update", func() {
+		ns := NewNamespace("")
+		NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
+		TenantNamespaceList(tnt, defaultTimeoutInterval).Should(ContainElement(ns.GetName()))
+
+		By("checking labels", func() {
+			Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: ns.GetName()}, ns)).Should(Succeed())
+			Expect(ns.Labels).ShouldNot(HaveKeyWithValue("newlabel", "foobazbar"))
+
+			tnt.Spec.NamespaceOptions.AdditionalMetadata.Labels["newlabel"] = "foobazbar"
+			Expect(k8sClient.Update(context.TODO(), tnt)).Should(Succeed())
+
+			Eventually(func() (ok bool) {
+				Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: ns.GetName()}, ns)).Should(Succeed())
+				ok, _ = Equal(ns.Labels["newlabel"]).Match("foobazbar")
+				return
+			}, defaultTimeoutInterval, defaultPollInterval).Should(BeTrue())
+		})
+		By("checking annotations", func() {
+			Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: ns.GetName()}, ns)).Should(Succeed())
+			Expect(ns.Labels).ShouldNot(HaveKeyWithValue("newannotation", "foobazbar"))
+
+			tnt.Spec.NamespaceOptions.AdditionalMetadata.Annotations["newannotation"] = "foobazbar"
+			Expect(k8sClient.Update(context.TODO(), tnt)).Should(Succeed())
+
+			Eventually(func() (ok bool) {
+				Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: ns.GetName()}, ns)).Should(Succeed())
+				ok, _ = Equal(ns.Annotations["newannotation"]).Match("foobazbar")
+				return
+			}, defaultTimeoutInterval, defaultPollInterval).Should(BeTrue())
+		})
+	})
+})

e2e/namespace_additional_metadata_test.go e2e/namespace_metadata_webhook_test.go

@@ -37,6 +37,9 @@ var _ = Describe("creating a Namespace for a Tenant with additional metadata", f
 					Kind: "User",
 				},
 			},
+			NodeSelector: map[string]string{
+				"node": "foobar",
+			},
 			NamespaceOptions: &capsulev1beta2.NamespaceOptions{
 				AdditionalMetadata: &api.AdditionalMetadataSpec{
 					Labels: map[string]string{
@@ -67,26 +70,25 @@ var _ = Describe("creating a Namespace for a Tenant with additional metadata", f
 		TenantNamespaceList(tnt, defaultTimeoutInterval).Should(ContainElement(ns.GetName()))
 
 		By("checking additional labels", func() {
-			Eventually(func() (ok bool) {
 				Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: ns.GetName()}, ns)).Should(Succeed())
+
 				for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Labels {
-					if ok, _ = HaveKeyWithValue(k, v).Match(ns.Labels); !ok {
-						return
-					}
+					Expect(ns.Labels).To(HaveKeyWithValue(k, v))
 				}
 				return
-			}, defaultTimeoutInterval, defaultPollInterval).Should(BeTrue())
 		})
 		By("checking additional annotations", func() {
-			Eventually(func() (ok bool) {
-				Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: ns.GetName()}, ns)).Should(Succeed())
-				for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Annotations {
-					if ok, _ = HaveKeyWithValue(k, v).Match(ns.Annotations); !ok {
-						return
-					}
-				}
-				return
-			}, defaultTimeoutInterval, defaultPollInterval).Should(BeTrue())
+			Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: ns.GetName()}, ns)).Should(Succeed())
+
+			for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Annotations {
+				Expect(ns.Annotations).To(HaveKeyWithValue(k, v))
+			}
+			return
+		})
+		By("checking namespace node-selector annotation", func() {
+			Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: ns.GetName()}, ns)).Should(Succeed())
+			Expect(ns.Annotations).Should(HaveKeyWithValue("scheduler.alpha.kubernetes.io/node-selector", "node=foobar"))
+			return
 		})
 	})
 })