Add path annotation to apibindings

Signed-off-by: Mangirdas Judeikis <[email protected]>
On-behalf-of: @SAP [email protected]

Author: mjudeikis

pkg/admission/apibinding/apibinding_interface.go

@@ -30,6 +30,7 @@ type apiBinding interface {
 	Validate() field.ErrorList
 	ValidateUpdate(oldBinding apiBinding) field.ErrorList
 	ToUnstructured() (map[string]interface{}, error)
+	GetAnnotations() map[string]string
 }
 
 type bindingReference interface {

pkg/admission/apibinding/apibinding_v1alpha1.go

@@ -52,6 +52,10 @@ func (b *apiBindingV1alpha1) SetLabels(labels map[string]string) {
 	b.binding.Labels = labels
 }
 
+func (b apiBindingV1alpha1) GetAnnotations() map[string]string {
+	return b.binding.Annotations
+}
+
 func (b *apiBindingV1alpha1) Validate() field.ErrorList {
 	return apisv1alpha1.ValidateAPIBinding(b.binding)
 }

pkg/admission/apibinding/apibinding_v1alpha2.go

@@ -52,6 +52,10 @@ func (b *apiBindingV1alpha2) SetLabels(labels map[string]string) {
 	b.binding.Labels = labels
 }
 
+func (b apiBindingV1alpha2) GetAnnotations() map[string]string {
+	return b.binding.Annotations
+}
+
 func (b apiBindingV1alpha2) Validate() field.ErrorList {
 	return apisv1alpha2.ValidateAPIBinding(b.binding)
 }

pkg/admission/pathannotation/pathannotation_admission.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"strings"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -69,6 +70,7 @@ type pathAnnotationPlugin struct {
 
 var pathAnnotationResources = sets.New[string](
 	apisv1alpha2.Resource("apiexports").String(),
+	apisv1alpha2.Resource("apibindings").String(),
 	tenancyv1alpha1.Resource("workspacetypes").String(),
 )
 
@@ -105,6 +107,10 @@ func (p *pathAnnotationPlugin) Admit(ctx context.Context, a admission.Attributes
 
 	logicalCluster, err := p.getLogicalCluster(clusterName, corev1alpha1.LogicalClusterName)
 	if err != nil {
+		// We skip gradually adding annotation for system bindings, if the logical cluster is not found during creation. This is racy during workspace bootstrap.
+		if apierrors.IsNotFound(err) && a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") && strings.Contains(a.GetName(), "kcp.io") {
+			return nil
+		}
 		return admission.NewForbidden(a, fmt.Errorf("cannot get this workspace: %w", err))
 	}
 	thisPath := logicalCluster.Annotations[core.LogicalClusterPathAnnotationKey]
@@ -133,7 +139,12 @@ func (p *pathAnnotationPlugin) Validate(ctx context.Context, a admission.Attribu
 		return nil
 	}
 
-	if a.GetResource().GroupResource() == corev1alpha1.Resource("logicalclusters") {
+	// We don't validate LogicalCluster resources themselves.
+	// In addition, we skip validation for apibindings whose name contains "kcp.io" (system bindings),
+	// as during bootstrap of the workspace its racy with creation of the LogicalCluster resource.
+	// They will be eventually labeled, it will just takes a bit longer.
+	if a.GetResource().GroupResource() == corev1alpha1.Resource("logicalclusters") ||
+		(a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") && strings.Contains(a.GetName(), "kcp.io")) {
 		return nil
 	}