Add path annotation to apibindings

mjudeikis · mjudeikis · commit b7a09dc46f93 · 2025-10-30T14:59:28.000+02:00
Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt> On-behalf-of: @SAP mangirdas.judeikis@sap.com
diff --git a/pkg/admission/pathannotation/pathannotation_admission.go b/pkg/admission/pathannotation/pathannotation_admission.go
@@ -69,6 +69,7 @@ type pathAnnotationPlugin struct {
 
 var pathAnnotationResources = sets.New[string](
 	apisv1alpha2.Resource("apiexports").String(),
+	apisv1alpha2.Resource("apibindings").String(),
 	tenancyv1alpha1.Resource("workspacetypes").String(),
 )
 
@@ -105,6 +106,10 @@ func (p *pathAnnotationPlugin) Admit(ctx context.Context, a admission.Attributes
 
 	logicalCluster, err := p.getLogicalCluster(clusterName, corev1alpha1.LogicalClusterName)
 	if err != nil {
+		// We skip adding for system bindings if the logical cluster is not found during creation. This is racy during workspace bootstrap.
+		if apierrors.IsNotFound(err) && a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") {
+			return nil
+		}
 		return admission.NewForbidden(a, fmt.Errorf("cannot get this workspace: %w", err))
 	}
 	thisPath := logicalCluster.Annotations[core.LogicalClusterPathAnnotationKey]
@@ -146,6 +151,10 @@ func (p *pathAnnotationPlugin) Validate(ctx context.Context, a admission.Attribu
 	if pathAnnotationResources.Has(a.GetResource().GroupResource().String()) || found {
 		logicalCluster, err := p.getLogicalCluster(clusterName, corev1alpha1.LogicalClusterName)
 		if err != nil {
+			// We skip adding for system bindings if the logical cluster is not found during creation. This is racy during workspace bootstrap.
+			if apierrors.IsNotFound(err) && a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") {
+				return nil
+			}
 			return admission.NewForbidden(a, fmt.Errorf("cannot get this workspace: %w", err))
 		}
 		thisPath := logicalCluster.Annotations[core.LogicalClusterPathAnnotationKey]
@@ -154,7 +163,7 @@ func (p *pathAnnotationPlugin) Validate(ctx context.Context, a admission.Attribu
 		}
 
 		if value != thisPath {
-			return admission.NewForbidden(a, fmt.Errorf("annotation %q must match canonical path %q", core.LogicalClusterPathAnnotationKey, thisPath))
+			return admission.NewForbidden(a, fmt.Errorf("annotation %q must match canonical path %q, but got %q", core.LogicalClusterPathAnnotationKey, thisPath, value))
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,7 @@ type pathAnnotationPlugin struct {`
`69`	`69`
`70`	`70`	`var pathAnnotationResources = sets.New[string](`
`71`	`71`	`apisv1alpha2.Resource("apiexports").String(),`
	`72`	`+ apisv1alpha2.Resource("apibindings").String(),`
`72`	`73`	`tenancyv1alpha1.Resource("workspacetypes").String(),`
`73`	`74`	`)`
`74`	`75`
`@@ -105,6 +106,10 @@ func (p *pathAnnotationPlugin) Admit(ctx context.Context, a admission.Attributes`
`105`	`106`
`106`	`107`	`logicalCluster, err := p.getLogicalCluster(clusterName, corev1alpha1.LogicalClusterName)`
`107`	`108`	`if err != nil {`
	`109`	`+ // We skip adding for system bindings if the logical cluster is not found during creation. This is racy during workspace bootstrap.`
	`110`	`+ if apierrors.IsNotFound(err) && a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") {`
	`111`	`+ return nil`
	`112`	`+ }`
`108`	`113`	`return admission.NewForbidden(a, fmt.Errorf("cannot get this workspace: %w", err))`
`109`	`114`	`}`
`110`	`115`	`thisPath := logicalCluster.Annotations[core.LogicalClusterPathAnnotationKey]`
`@@ -146,6 +151,10 @@ func (p *pathAnnotationPlugin) Validate(ctx context.Context, a admission.Attribu`
`146`	`151`	`if pathAnnotationResources.Has(a.GetResource().GroupResource().String()) \|\| found {`
`147`	`152`	`logicalCluster, err := p.getLogicalCluster(clusterName, corev1alpha1.LogicalClusterName)`
`148`	`153`	`if err != nil {`
	`154`	`+ // We skip adding for system bindings if the logical cluster is not found during creation. This is racy during workspace bootstrap.`
	`155`	`+ if apierrors.IsNotFound(err) && a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") {`
	`156`	`+ return nil`
	`157`	`+ }`
`149`	`158`	`return admission.NewForbidden(a, fmt.Errorf("cannot get this workspace: %w", err))`
`150`	`159`	`}`
`151`	`160`	`thisPath := logicalCluster.Annotations[core.LogicalClusterPathAnnotationKey]`
`@@ -154,7 +163,7 @@ func (p *pathAnnotationPlugin) Validate(ctx context.Context, a admission.Attribu`
`154`	`163`	`}`
`155`	`164`
`156`	`165`	`if value != thisPath {`
`157`		`- return admission.NewForbidden(a, fmt.Errorf("annotation %q must match canonical path %q", core.LogicalClusterPathAnnotationKey, thisPath))`
	`166`	`+ return admission.NewForbidden(a, fmt.Errorf("annotation %q must match canonical path %q, but got %q", core.LogicalClusterPathAnnotationKey, thisPath, value))`
`158`	`167`	`}`
`159`	`168`	`}`
`160`	`169`