Add path annotation to apibindings

Signed-off-by: Mangirdas Judeikis <[email protected]>
On-behalf-of: @SAP [email protected]

Author: mjudeikis

pkg/admission/pathannotation/pathannotation_admission.go

@@ -69,6 +69,7 @@ type pathAnnotationPlugin struct {
 
 var pathAnnotationResources = sets.New[string](
 	apisv1alpha2.Resource("apiexports").String(),
+	apisv1alpha2.Resource("apibindings").String(),
 	tenancyv1alpha1.Resource("workspacetypes").String(),
 )
 
@@ -105,6 +106,10 @@ func (p *pathAnnotationPlugin) Admit(ctx context.Context, a admission.Attributes
 
 	logicalCluster, err := p.getLogicalCluster(clusterName, corev1alpha1.LogicalClusterName)
 	if err != nil {
+		// We skip adding for system bindings if the logical cluster is not found during creation. This is racy during workspace bootstrap.
+		if apierrors.IsNotFound(err) && a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") {
+			return nil
+		}
 		return admission.NewForbidden(a, fmt.Errorf("cannot get this workspace: %w", err))
 	}
 	thisPath := logicalCluster.Annotations[core.LogicalClusterPathAnnotationKey]
@@ -142,19 +147,25 @@ func (p *pathAnnotationPlugin) Validate(ctx context.Context, a admission.Attribu
 		return fmt.Errorf("unexpected type %T", a.GetObject())
 	}
 
-	value, found := u.GetAnnotations()[core.LogicalClusterPathAnnotationKey]
+	annotations := u.GetAnnotations()
+	value, found := annotations[core.LogicalClusterPathAnnotationKey]
 	if pathAnnotationResources.Has(a.GetResource().GroupResource().String()) || found {
 		logicalCluster, err := p.getLogicalCluster(clusterName, corev1alpha1.LogicalClusterName)
 		if err != nil {
+			// We skip adding for system bindings if the logical cluster is not found during creation. This is racy during workspace bootstrap.
+			if apierrors.IsNotFound(err) && a.GetResource().GroupResource() == apisv1alpha2.Resource("apibindings") {
+				return nil
+			}
 			return admission.NewForbidden(a, fmt.Errorf("cannot get this workspace: %w", err))
 		}
 		thisPath := logicalCluster.Annotations[core.LogicalClusterPathAnnotationKey]
 		if thisPath == "" {
 			thisPath = logicalcluster.From(logicalCluster).Path().String()
 		}
 
-		if value != thisPath {
-			return admission.NewForbidden(a, fmt.Errorf("annotation %q must match canonical path %q", core.LogicalClusterPathAnnotationKey, thisPath))
+		// Only validate if annotation is explicitly set (found=true) and paths don't match
+		if found && thisPath != "" && value != thisPath {
+			return admission.NewForbidden(a, fmt.Errorf("annotation for %s, %q must match canonical path %q, but got %q", a.GetName(), core.LogicalClusterPathAnnotationKey, thisPath, value))
 		}
 	}