Merge pull request #3486 from embik/permission-claims-v1alpha2

Move permission claim object selectors from APIExport to APIBinding

Author: kcp-ci-bot

cli/pkg/bind/plugin/bind.go

@@ -235,7 +235,7 @@ func (b *BindOptions) parsePermissionClaim(claim string, accepted bool) error {
 		parsedClaim.State = apisv1alpha2.ClaimRejected
 	}
 	// TODO(mjudeikis): Once we add support for selectors/
-	parsedClaim.All = true
+	parsedClaim.Selector = apisv1alpha2.PermissionClaimSelector{MatchAll: true}
 
 	if accepted {
 		b.acceptedPermissionClaims = append(b.acceptedPermissionClaims, parsedClaim)

cli/pkg/workspace/plugin/use.go

@@ -430,7 +430,7 @@ func findUnresolvedPermissionClaims(out io.Writer, apiBindings []apisv1alpha2.AP
 			var found, ack, verbsMatch bool
 			var verbsExpected, verbsActual sets.Set[string]
 			for _, specClaim := range binding.Spec.PermissionClaims {
-				if !exportedClaim.Equal(specClaim.PermissionClaim) {
+				if !exportedClaim.EqualGRI(specClaim.PermissionClaim) {
 					continue
 				}
 				found = true

cli/pkg/workspace/plugin/use_test.go

@@ -961,12 +961,14 @@ func (b *bindingBuilder) WithPermissionClaim(group, resource, identityHash strin
 	}
 
 	pc := apisv1alpha2.AcceptablePermissionClaim{
-		PermissionClaim: apisv1alpha2.PermissionClaim{
-			GroupResource: apisv1alpha2.GroupResource{
-				Group:    group,
-				Resource: resource,
+		ScopedPermissionClaim: apisv1alpha2.ScopedPermissionClaim{
+			PermissionClaim: apisv1alpha2.PermissionClaim{
+				GroupResource: apisv1alpha2.GroupResource{
+					Group:    group,
+					Resource: resource,
+				},
+				IdentityHash: identityHash,
 			},
-			IdentityHash: identityHash,
 		},
 	}
 

config/crds/apis.kcp.io_apibindings.yaml

@@ -399,11 +399,6 @@ spec:
                     Its purpose is to determine the added permissions that a service provider may
                     request and that a consumer may accept and allow the service provider access to.
                   properties:
-                    all:
-                      description: |-
-                        all claims all resources for the given group/resource.
-                        This is mutually exclusive with resourceSelector.
-                      type: boolean
                     group:
                       default: ""
                       description: |-
@@ -412,6 +407,7 @@ spec:
                       pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
                       type: string
                     identityHash:
+                      default: ""
                       description: |-
                         This is the identity for a given APIExport that the APIResourceSchema belongs to.
                         The hash can be found on APIExport and APIResourceSchema's status.
@@ -425,31 +421,6 @@ spec:
                         not provided by an api export.
                       pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
                       type: string
-                    resourceSelector:
-                      description: resourceSelector is a list of claimed resource
-                        selectors.
-                      items:
-                        properties:
-                          name:
-                            description: |-
-                              name of an object within a claimed group/resource.
-                              It matches the metadata.name field of the underlying object.
-                              If namespace is unset, all objects matching that name will be claimed.
-                            maxLength: 253
-                            minLength: 1
-                            pattern: ^([a-z0-9][-a-z0-9_.]*)?[a-z0-9]$
-                            type: string
-                          namespace:
-                            description: |-
-                              namespace containing the named object. Matches metadata.namespace field.
-                              If "name" is unset, all objects from the namespace are being claimed.
-                            minLength: 1
-                            type: string
-                        type: object
-                        x-kubernetes-validations:
-                        - message: at least one field must be set
-                          rule: has(self.__namespace__) || has(self.name)
-                      type: array
                     verbs:
                       description: |-
                         verbs is a list of supported API operation types (this includes
@@ -464,10 +435,6 @@ spec:
                   - resource
                   - verbs
                   type: object
-                  x-kubernetes-validations:
-                  - message: either "all" or "resourceSelector" must be set
-                    rule: (has(self.all) && self.all) != (has(self.resourceSelector)
-                      && size(self.resourceSelector) > 0)
                 type: array
                 x-kubernetes-list-map-keys:
                 - group

config/crds/apis.kcp.io_apiexports.yaml

@@ -347,7 +347,7 @@ func validateOverhangingPermissionClaims(_ context.Context, _ admission.Attribut
 		for _, o := range overhanging {
 			var found bool
 			for _, pc := range v2Claims {
-				if pc.Equal(o) {
+				if pc.EqualGRI(o) {
 					found = true
 
 					break

pkg/admission/apibinding/apibinding_admission.go

@@ -598,7 +598,6 @@ func TestValidateOverhangingPermissionClaims(t *testing.T) {
 						Group:    "foo",
 						Resource: "bar",
 					},
-					All:          true,
 					IdentityHash: "baz",
 					Verbs:        []string{"get", "list"},
 				}}
@@ -632,7 +631,6 @@ func TestValidateOverhangingPermissionClaims(t *testing.T) {
 							Group:    "foo",
 							Resource: "bar",
 						},
-						All:          true,
 						IdentityHash: "baz",
 						Verbs:        []string{"get", "list"},
 					},
@@ -641,7 +639,6 @@ func TestValidateOverhangingPermissionClaims(t *testing.T) {
 							Group:    "foo",
 							Resource: "baz",
 						},
-						All:          true,
 						IdentityHash: "bar",
 						Verbs:        []string{"get"},
 					},

pkg/admission/apibinding/apibinding_admission_test.go

@@ -218,7 +218,7 @@ func validateOverhangingPermissionClaims(_ context.Context, _ admission.Attribut
 		for _, o := range overhanging {
 			var found bool
 			for _, pc := range v2Claims {
-				if pc.Equal(o) {
+				if pc.EqualGRI(o) {
 					found = true
 
 					break

pkg/admission/apiexport/admission.go

@@ -433,7 +433,6 @@ func TestValidateOverhangingPermissionClaims(t *testing.T) {
 						Group:    "foo",
 						Resource: "bar",
 					},
-					All:          true,
 					IdentityHash: "baz",
 					Verbs:        []string{"get", "list"},
 				}}
@@ -465,7 +464,6 @@ func TestValidateOverhangingPermissionClaims(t *testing.T) {
 							Group:    "foo",
 							Resource: "bar",
 						},
-						All:          true,
 						IdentityHash: "baz",
 						Verbs:        []string{"get", "list"},
 					},
@@ -474,7 +472,6 @@ func TestValidateOverhangingPermissionClaims(t *testing.T) {
 							Group:    "foo",
 							Resource: "baz",
 						},
-						All:          true,
 						IdentityHash: "bar",
 						Verbs:        []string{"get"},
 					},

pkg/admission/apiexport/admission_test.go

@@ -89,7 +89,7 @@ func (m *mutatingPermissionClaims) Admit(ctx context.Context, a admission.Attrib
 		return err
 	}
 
-	expectedLabels, err := m.permissionClaimLabeler.LabelsFor(ctx, clusterName, a.GetResource().GroupResource(), a.GetName())
+	expectedLabels, err := m.permissionClaimLabeler.LabelsFor(ctx, clusterName, a.GetResource().GroupResource(), a.GetName(), u.GetLabels())
 	if err != nil {
 		return err
 	}
@@ -129,7 +129,7 @@ func (m *mutatingPermissionClaims) Validate(ctx context.Context, a admission.Att
 		return err
 	}
 
-	expectedLabels, err := m.permissionClaimLabeler.LabelsFor(ctx, clusterName, a.GetResource().GroupResource(), a.GetName())
+	expectedLabels, err := m.permissionClaimLabeler.LabelsFor(ctx, clusterName, a.GetResource().GroupResource(), a.GetName(), u.GetLabels())
 	if err != nil {
 		return err
 	}