add path annotation to apibindings

On-behalf-of: @SAP [email protected]
Signed-off-by: Mangirdas Judeikis <[email protected]>

Author: mjudeikis

pkg/admission/apibinding/apibinding_admission.go

@@ -42,7 +42,9 @@ import (
 	apisv1alpha2 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha2"
 	"github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha2/permissionclaims"
 	"github.com/kcp-dev/kcp/sdk/apis/core"
+	corev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
 	kcpinformers "github.com/kcp-dev/kcp/sdk/client/informers/externalversions"
+	corev1alpha1listers "github.com/kcp-dev/kcp/sdk/client/listers/core/v1alpha1"
 )
 
 const (
@@ -69,6 +71,11 @@ type apiBindingAdmission struct {
 
 	getAPIExport func(path logicalcluster.Path, name string) (*apisv1alpha2.APIExport, error)
 
+	logicalClusterLister corev1alpha1listers.LogicalClusterClusterLister
+	// getLogicalCluster is a convenience function for easier unit testing,
+	// it reads a LogicalCluster resource with the given name and from the given cluster.
+	getLogicalCluster func(clusterName logicalcluster.Name, name string) (*corev1alpha1.LogicalCluster, error)
+
 	apiExportIndexer      cache.Indexer
 	cacheAPIExportIndexer cache.Indexer
 
@@ -324,6 +331,15 @@ func (o *apiBindingAdmission) SetKcpInformers(local, global kcpinformers.SharedI
 	o.apiExportIndexer = local.Apis().V1alpha2().APIExports().Informer().GetIndexer()
 	o.cacheAPIExportIndexer = global.Apis().V1alpha2().APIExports().Informer().GetIndexer()
 
+	logicalClusterReady := local.Core().V1alpha1().LogicalClusters().Informer().HasSynced
+	o.SetReadyFunc(func() bool {
+		return logicalClusterReady()
+	})
+	o.logicalClusterLister = local.Core().V1alpha1().LogicalClusters().Lister()
+	o.getLogicalCluster = func(clusterName logicalcluster.Name, name string) (*corev1alpha1.LogicalCluster, error) {
+		return o.logicalClusterLister.Cluster(clusterName).Get(name)
+	}
+
 	indexers.AddIfNotPresentOrDie(local.Tenancy().V1alpha1().WorkspaceTypes().Informer().GetIndexer(), cache.Indexers{
 		indexers.ByLogicalClusterPathAndName: indexers.IndexByLogicalClusterPathAndName,
 	})

pkg/admission/apibinding/apibinding_interface.go

@@ -30,6 +30,7 @@ type apiBinding interface {
 	Validate() field.ErrorList
 	ValidateUpdate(oldBinding apiBinding) field.ErrorList
 	ToUnstructured() (map[string]interface{}, error)
+	GetAnnotations() map[string]string
 }
 
 type bindingReference interface {

pkg/admission/apibinding/apibinding_v1alpha1.go

@@ -52,6 +52,10 @@ func (b *apiBindingV1alpha1) SetLabels(labels map[string]string) {
 	b.binding.Labels = labels
 }
 
+func (b apiBindingV1alpha1) GetAnnotations() map[string]string {
+	return b.binding.Annotations
+}
+
 func (b *apiBindingV1alpha1) Validate() field.ErrorList {
 	return apisv1alpha1.ValidateAPIBinding(b.binding)
 }

pkg/admission/apibinding/apibinding_v1alpha2.go

@@ -52,6 +52,10 @@ func (b *apiBindingV1alpha2) SetLabels(labels map[string]string) {
 	b.binding.Labels = labels
 }
 
+func (b apiBindingV1alpha2) GetAnnotations() map[string]string {
+	return b.binding.Annotations
+}
+
 func (b apiBindingV1alpha2) Validate() field.ErrorList {
 	return apisv1alpha2.ValidateAPIBinding(b.binding)
 }

pkg/admission/pathannotation/pathannotation_admission.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"strings"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -69,6 +70,7 @@ type pathAnnotationPlugin struct {
 
 var pathAnnotationResources = sets.New[string](
 	apisv1alpha2.Resource("apiexports").String(),
+	apisv1alpha2.Resource("apibindings").String(),
 	tenancyv1alpha1.Resource("workspacetypes").String(),
 )
 
@@ -105,6 +107,10 @@ func (p *pathAnnotationPlugin) Admit(ctx context.Context, a admission.Attributes
 
 	logicalCluster, err := p.getLogicalCluster(clusterName, corev1alpha1.LogicalClusterName)
 	if err != nil {
+		// We skip adding annotation if the logical cluster is not found during creation of apibindings. This is racy during workspace bootstrap.
+		if apierrors.IsNotFound(err) && (a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") && strings.Contains(a.GetName(), "kcp.io")) {
+			return nil
+		}
 		return admission.NewForbidden(a, fmt.Errorf("cannot get this workspace: %w", err))
 	}
 	thisPath := logicalCluster.Annotations[core.LogicalClusterPathAnnotationKey]
@@ -133,7 +139,12 @@ func (p *pathAnnotationPlugin) Validate(ctx context.Context, a admission.Attribu
 		return nil
 	}
 
-	if a.GetResource().GroupResource() == corev1alpha1.Resource("logicalclusters") {
+	// We don't validate LogicalCluster resources themselves.
+	// In addition, we skip validation for apibindings whose name contains "kcp.io" (system bindings),
+	// as during bootstrap of the workspace its racy with creation of the LogicalCluster resource.
+	// They will be eventually labeled, it will just takes a bit longer.
+	if a.GetResource().GroupResource() == corev1alpha1.Resource("logicalclusters") ||
+		(a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") && strings.Contains(a.GetName(), "kcp.io")) {
 		return nil
 	}