create new APIResourceSchemas when CRDs or PRs change, improve mutation logic accessibility

On-behalf-of: @SAP [email protected]

Author: xrstf

internal/controller/apiresourceschema/controller.go

@@ -20,7 +20,6 @@ import (
 	"context"
 	"fmt"
 	"reflect"
-	"strings"
 
 	"github.com/kcp-dev/logicalcluster/v3"
 	"go.uber.org/zap"
@@ -122,31 +121,29 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 
 func (r *Reconciler) reconcile(ctx context.Context, log *zap.SugaredLogger, pubResource *syncagentv1alpha1.PublishedResource) (*reconcile.Result, error) {
 	// find the resource that the PublishedResource is referring to
-	localGVK := projection.PublishedResourceSourceGVK(pubResource)
+	localGK := projection.PublishedResourceSourceGK(pubResource)
 
 	client, err := discovery.NewClient(r.restConfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create discovery client: %w", err)
 	}
 
-	crd, err := client.RetrieveCRD(ctx, localGVK)
+	// fetch the original, full CRD from the cluster
+	crd, err := client.RetrieveCRD(ctx, localGK)
 	if err != nil {
 		return nil, fmt.Errorf("failed to discover resource defined in PublishedResource: %w", err)
 	}
 
-	// project the CRD
-	projectedCRD, err := r.applyProjection(crd, pubResource)
+	// project the CRD (i.e. strip unwanted versions, rename values etc.)
+	projectedCRD, err := projection.ApplyProjection(crd, pubResource)
 	if err != nil {
 		return nil, fmt.Errorf("failed to apply projection rules: %w", err)
 	}
 
-	// to prevent changing the source GVK e.g. from "apps/v1 Daemonset" to "core/v1 Pod",
-	// we include the source GVK in hashed form in the final APIResourceSchema name.
+	// generate a unique name for this exact state of the CRD
 	arsName := r.getAPIResourceSchemaName(projectedCRD)
 
-	// ARS'es cannot be updated, their entire spec is immutable. For now we do not care about
-	// CRDs being updated on the service cluster, but in the future (TODO) we must allow
-	// service owners to somehow publish updated CRDs without changing their API version.
+	// ensure ARS exists (don't try to reconcile it, it's basically entirely immutable)
 	wsCtx := kontext.WithCluster(ctx, r.lcName)
 	ars := &kcpdevv1alpha1.APIResourceSchema{}
 	err = r.kcpClient.Get(wsCtx, types.NamespacedName{Name: arsName}, ars, &ctrlruntimeclient.GetOptions{})
@@ -159,7 +156,7 @@ func (r *Reconciler) reconcile(ctx context.Context, log *zap.SugaredLogger, pubR
 		return nil, fmt.Errorf("failed to check for APIResourceSchema: %w", err)
 	}
 
-	// Update Status with ARS name
+	// update Status with ARS name
 	if pubResource.Status.ResourceSchemaName != arsName {
 		original := pubResource.DeepCopy()
 		pubResource.Status.ResourceSchemaName = arsName
@@ -176,7 +173,7 @@ func (r *Reconciler) reconcile(ctx context.Context, log *zap.SugaredLogger, pubR
 }
 
 func (r *Reconciler) createAPIResourceSchema(ctx context.Context, log *zap.SugaredLogger, projectedCRD *apiextensionsv1.CustomResourceDefinition, arsName string) error {
-	// prefix is irrelevant as the reconciling framework will use arsName anyway
+	// prefix is irrelevant as the name is overridden later
 	converted, err := kcpdevv1alpha1.CRDToAPIResourceSchema(projectedCRD, "irrelevant")
 	if err != nil {
 		return fmt.Errorf("failed to convert CRD: %w", err)
@@ -198,59 +195,13 @@ func (r *Reconciler) createAPIResourceSchema(ctx context.Context, log *zap.Sugar
 	return r.kcpClient.Create(ctx, ars)
 }
 
-func (r *Reconciler) applyProjection(crd *apiextensionsv1.CustomResourceDefinition, pr *syncagentv1alpha1.PublishedResource) (*apiextensionsv1.CustomResourceDefinition, error) {
-	result := crd.DeepCopy()
-
-	// Currently CRDs generated by our discovery mechanism already set these to true, but that's just
-	// because it doesn't care to set them correctly; we keep this code here because from here on,
-	// in kcp, we definitely want them to be true.
-	result.Spec.Versions[0].Served = true
-	result.Spec.Versions[0].Storage = true
-
-	projection := pr.Spec.Projection
-	if projection == nil {
-		return result, nil
-	}
-
-	if projection.Group != "" {
-		result.Spec.Group = projection.Group
-	}
-
-	if projection.Version != "" {
-		result.Spec.Versions[0].Name = projection.Version
-	}
-
-	if projection.Kind != "" {
-		result.Spec.Names.Kind = projection.Kind
-		result.Spec.Names.ListKind = projection.Kind + "List"
-
-		result.Spec.Names.Singular = strings.ToLower(result.Spec.Names.Kind)
-		result.Spec.Names.Plural = result.Spec.Names.Singular + "s"
-	}
-
-	if projection.Plural != "" {
-		result.Spec.Names.Plural = projection.Plural
-	}
-
-	if projection.Scope != "" {
-		result.Spec.Scope = apiextensionsv1.ResourceScope(projection.Scope)
-	}
-
-	if projection.Categories != nil {
-		result.Spec.Names.Categories = projection.Categories
-	}
-
-	if projection.ShortNames != nil {
-		result.Spec.Names.ShortNames = projection.ShortNames
-	}
-
-	return result, nil
-}
-
 // getAPIResourceSchemaName generates the name for the ARS in kcp. Note that
 // kcp requires, just like CRDs, that ARS are named following a specific pattern.
 func (r *Reconciler) getAPIResourceSchemaName(crd *apiextensionsv1.CustomResourceDefinition) string {
-	checksum := crypto.Hash(crd.Spec.Names)
+	crd = crd.DeepCopy()
+	crd.Spec.Conversion = nil
+
+	checksum := crypto.Hash(crd.Spec)
 
 	// include a leading "v" to prevent SHA-1 hashes with digits to break the name
 	return fmt.Sprintf("v%s.%s.%s", checksum[:8], crd.Spec.Names.Plural, crd.Spec.Group)

internal/discovery/client.go

@@ -156,6 +156,7 @@ func (c *Client) RetrieveCRD(ctx context.Context, gk schema.GroupKind) (*apiexte
 		crd.ObjectMeta = metav1.ObjectMeta{
 			Name:        oldMeta.Name,
 			Annotations: filterAnnotations(oldMeta.Annotations),
+			Generation:  oldMeta.Generation, // is stored as an annotation for convenience on the ARS
 		}
 		crd.Status.Conditions = []apiextensionsv1.CustomResourceDefinitionCondition{}
 
@@ -232,9 +233,7 @@ func (c *Client) RetrieveCRD(ctx context.Context, gk schema.GroupKind) (*apiexte
 	// fill-in the schema for each version, making sure that versions are sorted
 	// according to Kubernetes rules.
 	sortedVersions := availableVersions.UnsortedList()
-	slices.SortFunc(sortedVersions, func(a, b string) int {
-		return version.CompareKubeAwareVersionStrings(a, b)
-	})
+	slices.SortFunc(sortedVersions, version.CompareKubeAwareVersionStrings)
 
 	for _, version := range sortedVersions {
 		subresources := subresourcesPerVersion[version]

internal/projection/projection.go

@@ -17,18 +17,25 @@ limitations under the License.
 package projection
 
 import (
+	"errors"
+	"fmt"
+	"slices"
+	"strings"
+
 	syncagentv1alpha1 "github.com/kcp-dev/api-syncagent/sdk/apis/syncagent/v1alpha1"
 
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/version"
 )
 
-// PublishedResourceSourceGVK returns the source GVK of the local resources
+// PublishedResourceSourceGK returns the source GK of the local resources
 // that are supposed to be published.
-func PublishedResourceSourceGVK(pubRes *syncagentv1alpha1.PublishedResource) schema.GroupVersionKind {
-	return schema.GroupVersionKind{
-		Group:   pubRes.Spec.Resource.APIGroup,
-		Version: pubRes.Spec.Resource.Version,
-		Kind:    pubRes.Spec.Resource.Kind,
+func PublishedResourceSourceGK(pubRes *syncagentv1alpha1.PublishedResource) schema.GroupKind {
+	return schema.GroupKind{
+		Group: pubRes.Spec.Resource.APIGroup,
+		Kind:  pubRes.Spec.Resource.Kind,
 	}
 }
 
@@ -59,3 +66,161 @@ func PublishedResourceProjectedGVK(pubRes *syncagentv1alpha1.PublishedResource)
 		Kind:    kind,
 	}
 }
+
+func ApplyProjection(crd *apiextensionsv1.CustomResourceDefinition, pubRes *syncagentv1alpha1.PublishedResource) (*apiextensionsv1.CustomResourceDefinition, error) {
+	result := crd.DeepCopy()
+
+	// reduce the CRD down to the selected versions
+	result, err := stripUnwantedVersions(result, pubRes)
+	if err != nil {
+		return nil, err
+	}
+
+	// if there is no storage version left, we use the latest served version
+	result, err = adjustStorageVersion(result)
+	if err != nil {
+		return nil, err
+	}
+
+	// now we get to actually project something, if desired
+	result, err = projectCRD(result, pubRes)
+	if err != nil {
+		return nil, err
+	}
+
+	return result, nil
+}
+
+func stripUnwantedVersions(crd *apiextensionsv1.CustomResourceDefinition, pubRes *syncagentv1alpha1.PublishedResource) (*apiextensionsv1.CustomResourceDefinition, error) {
+	src := pubRes.Spec.Resource
+
+	if src.Version != "" && len(src.Versions) > 0 {
+		return nil, errors.New("cannot configure both .version and .versions in as the source of a PublishedResource")
+	}
+
+	crd.Spec.Versions = slices.DeleteFunc(crd.Spec.Versions, func(ver apiextensionsv1.CustomResourceDefinitionVersion) bool {
+		switch {
+		case src.Version != "":
+			return ver.Name != src.Version
+		case len(src.Versions) > 0:
+			return !slices.Contains(src.Versions, ver.Name)
+		default:
+			return false // i.e. keep all versions by default
+		}
+	})
+
+	if len(crd.Spec.Versions) == 0 {
+		switch {
+		case src.Version != "":
+			return nil, fmt.Errorf("CRD does not contain version %s", src.Version)
+		case len(src.Versions) > 0:
+			return nil, fmt.Errorf("CRD does not contain any of versions %v", src.Versions)
+		default:
+			return nil, errors.New("CRD contains no versions")
+		}
+	}
+
+	return crd, nil
+}
+
+func adjustStorageVersion(crd *apiextensionsv1.CustomResourceDefinition) (*apiextensionsv1.CustomResourceDefinition, error) {
+	var hasStorage bool
+	latestServed := -1
+	for i, v := range crd.Spec.Versions {
+		if v.Storage {
+			hasStorage = true
+		}
+		if v.Served {
+			latestServed = i
+		}
+	}
+
+	if latestServed < 0 {
+		return nil, errors.New("no CRD version selected that is marked as served")
+	}
+
+	if !hasStorage {
+		crd.Spec.Versions[latestServed].Storage = true
+	}
+
+	return crd, nil
+}
+
+func projectCRD(crd *apiextensionsv1.CustomResourceDefinition, pubRes *syncagentv1alpha1.PublishedResource) (*apiextensionsv1.CustomResourceDefinition, error) {
+	projection := pubRes.Spec.Projection
+	if projection == nil {
+		return crd, nil
+	}
+
+	if projection.Group != "" {
+		crd.Spec.Group = projection.Group
+	}
+
+	indexOfVersion := func(v string) int {
+		for i, version := range crd.Spec.Versions {
+			if version.Name == v {
+				return i
+			}
+		}
+
+		return -1
+	}
+
+	// We already validated that Version and Versions can be set at the same time.
+
+	if projection.Version != "" {
+		if size := len(crd.Spec.Versions); size != 1 {
+			return nil, fmt.Errorf("cannot project CRD version to a single version %q because it contains %d versions", projection.Version, size)
+		}
+
+		crd.Spec.Versions[0].Name = projection.Version
+	} else if len(projection.Versions) > 0 {
+		for _, mut := range projection.Versions {
+			fromIdx := indexOfVersion(mut.From)
+			if fromIdx < 0 {
+				return nil, fmt.Errorf("cannot project CRD version %s to %s because there is no %s version", mut.From, mut.To, mut.From)
+			}
+
+			crd.Spec.Versions[fromIdx].Name = mut.To
+		}
+
+		// ensure we ended up with a unique set of versions
+		knownVersions := sets.New[string]()
+		for _, version := range crd.Spec.Versions {
+			if knownVersions.Has(version.Name) {
+				return nil, fmt.Errorf("CRD contains multiple entries for %s after applying mutation rules", version.Name)
+			}
+		}
+
+		// ensure proper Kubernetes-style version order
+		slices.SortFunc(crd.Spec.Versions, func(a, b apiextensionsv1.CustomResourceDefinitionVersion) int {
+			return version.CompareKubeAwareVersionStrings(a.Name, b.Name)
+		})
+	}
+
+	if projection.Kind != "" {
+		crd.Spec.Names.Kind = projection.Kind
+		crd.Spec.Names.ListKind = projection.Kind + "List"
+
+		crd.Spec.Names.Singular = strings.ToLower(crd.Spec.Names.Kind)
+		crd.Spec.Names.Plural = crd.Spec.Names.Singular + "s"
+	}
+
+	if projection.Plural != "" {
+		crd.Spec.Names.Plural = projection.Plural
+	}
+
+	if projection.Scope != "" {
+		crd.Spec.Scope = apiextensionsv1.ResourceScope(projection.Scope)
+	}
+
+	if projection.Categories != nil {
+		crd.Spec.Names.Categories = projection.Categories
+	}
+
+	if projection.ShortNames != nil {
+		crd.Spec.Names.ShortNames = projection.ShortNames
+	}
+
+	return crd, nil
+}

internal/projection/projection_test.go

@@ -41,18 +41,14 @@ func TestPublishedResourceSourceGVK(t *testing.T) {
 		},
 	}
 
-	gvk := PublishedResourceSourceGVK(&pubRes)
+	gk := PublishedResourceSourceGK(&pubRes)
 
-	if gvk.Group != apiGroup {
-		t.Errorf("Expected API group to be %q, but got %q.", apiGroup, gvk.Group)
+	if gk.Group != apiGroup {
+		t.Errorf("Expected API group to be %q, but got %q.", apiGroup, gk.Group)
 	}
 
-	if gvk.Version != version {
-		t.Errorf("Expected version to be %q, but got %q.", version, gvk.Version)
-	}
-
-	if gvk.Kind != kind {
-		t.Errorf("Expected kind to be %q, but got %q.", kind, gvk.Kind)
+	if gk.Kind != kind {
+		t.Errorf("Expected kind to be %q, but got %q.", kind, gk.Kind)
 	}
 }