implement mcp purpose override

Diaphteiros · Diaphteiros · commit c65af884769d · 2025-09-04T15:32:14.000+02:00
diff --git a/api/constants/constants.go b/api/constants/constants.go
@@ -16,6 +16,8 @@ const (
 
 	// ManagedByLabel is used to indicate which controller manages the resource.
 	ManagedByLabel = OpenMCPGroupName + "/managed-by"
+	// ManagedPurposeLabel is used to indicate the purpose of the resource.
+	ManagedPurposeLabel = OpenMCPGroupName + "/managed-purpose"
 
 	// OnboardingNameLabel is used to store the name on the onboarding cluster of a resource.
 	OnboardingNameLabel = OpenMCPGroupName + "/onboarding-name"
diff --git a/api/core/v2alpha1/constants.go b/api/core/v2alpha1/constants.go
@@ -8,9 +8,13 @@ const (
 )
 
 const (
-	MCPNameLabel      = GroupName + "/mcp-name"
-	MCPNamespaceLabel = GroupName + "/mcp-namespace"
-	OIDCProviderLabel = GroupName + "/oidc-provider"
+	MCPNameLabel            = GroupName + "/mcp-name"
+	MCPNamespaceLabel       = GroupName + "/mcp-namespace"
+	OIDCProviderLabel       = GroupName + "/oidc-provider"
+	MCPPurposeOverrideLabel = GroupName + "/purpose-override"
+
+	// ManagedPurposeMCPPurposeOverride is used as value for the managed purpose label. It must not be modified.
+	ManagedPurposeMCPPurposeOverride = "mcp-purpose-override"
 
 	MCPFinalizer = GroupName + "/mcp"
 
diff --git a/cmd/openmcp-operator/app/mcp/init.go b/cmd/openmcp-operator/app/mcp/init.go
@@ -7,20 +7,28 @@ import (
 	"time"
 
 	"github.com/spf13/cobra"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	crdutil "github.com/openmcp-project/controller-utils/pkg/crds"
+	"github.com/openmcp-project/controller-utils/pkg/resources"
 
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
 	apiconst "github.com/openmcp-project/openmcp-operator/api/constants"
+	corev2alpha1 "github.com/openmcp-project/openmcp-operator/api/core/v2alpha1"
 	"github.com/openmcp-project/openmcp-operator/api/crds"
 	"github.com/openmcp-project/openmcp-operator/api/install"
 	"github.com/openmcp-project/openmcp-operator/cmd/openmcp-operator/app/options"
 	"github.com/openmcp-project/openmcp-operator/internal/controllers/managedcontrolplane"
 	"github.com/openmcp-project/openmcp-operator/lib/clusteraccess"
 )
 
+// currently hard-coded, can be made configurable in the future if needed
+const MCPPurposeOverrideValidationPolicyName = "mcp-purpose-override-validation"
+
 func NewInitCommand(po *options.PersistentOptions) *cobra.Command {
 	opts := &InitOptions{
 		PersistentOptions: po,
@@ -94,6 +102,11 @@ func (o *InitOptions) Run(ctx context.Context) error {
 						Resources: []string{"customresourcedefinitions"},
 						Verbs:     []string{"*"},
 					},
+					{
+						APIGroups: []string{"admissionregistration.k8s.io"},
+						Resources: []string{"validatingadmissionpolicies", "validatingadmissionpolicybindings"},
+						Verbs:     []string{"*"},
+					},
 				},
 			},
 		})
@@ -111,6 +124,115 @@ func (o *InitOptions) Run(ctx context.Context) error {
 	if err := crdManager.CreateOrUpdateCRDs(ctx, &o.Log); err != nil {
 		return fmt.Errorf("error creating/updating CRDs: %w", err)
 	}
+
+	// ensure ValidatingAdmissionPolicy to prevent removal or changes to the MCP purpose override label
+	labelSelector := client.MatchingLabels{
+		apiconst.ManagedByLabel:      managedcontrolplane.ControllerName,
+		apiconst.ManagedPurposeLabel: corev2alpha1.ManagedPurposeMCPPurposeOverride,
+	}
+	evapbs := &admissionv1.ValidatingAdmissionPolicyBindingList{}
+	if err := onboardingCluster.Client().List(ctx, evapbs, labelSelector); err != nil {
+		return fmt.Errorf("error listing ValidatingAdmissionPolicyBindings: %w", err)
+	}
+	for _, evapb := range evapbs.Items {
+		if evapb.Name != MCPPurposeOverrideValidationPolicyName {
+			setupLog.Info("Deleting existing ValidatingAdmissionPolicyBinding with architecture immutability purpose", "name", evapb.Name)
+			if err := onboardingCluster.Client().Delete(ctx, &evapb); client.IgnoreNotFound(err) != nil {
+				return fmt.Errorf("error deleting ValidatingAdmissionPolicyBinding '%s': %w", evapb.Name, err)
+			}
+		}
+	}
+	evaps := &admissionv1.ValidatingAdmissionPolicyList{}
+	if err := onboardingCluster.Client().List(ctx, evaps, labelSelector); err != nil {
+		return fmt.Errorf("error listing ValidatingAdmissionPolicies: %w", err)
+	}
+	for _, evap := range evaps.Items {
+		if evap.Name != MCPPurposeOverrideValidationPolicyName {
+			setupLog.Info("Deleting existing ValidatingAdmissionPolicy with architecture immutability purpose", "name", evap.Name)
+			if err := onboardingCluster.Client().Delete(ctx, &evap); client.IgnoreNotFound(err) != nil {
+				return fmt.Errorf("error deleting ValidatingAdmissionPolicy '%s': %w", evap.Name, err)
+			}
+		}
+	}
+	setupLog.Info("creating/updating ValidatingAdmissionPolicies to prevent undesired changes to the MCP purpose override label ...")
+	vapm := resources.NewValidatingAdmissionPolicyMutator(MCPPurposeOverrideValidationPolicyName, admissionv1.ValidatingAdmissionPolicySpec{
+		FailurePolicy: ptr.To(admissionv1.Fail),
+		MatchConstraints: &admissionv1.MatchResources{
+			ResourceRules: []admissionv1.NamedRuleWithOperations{
+				{
+					RuleWithOperations: admissionv1.RuleWithOperations{
+						Operations: []admissionv1.OperationType{
+							admissionv1.Create,
+							admissionv1.Update,
+						},
+						Rule: admissionv1.Rule{ // match all resources, actual restriction happens in the binding
+							APIGroups:   []string{"*"},
+							APIVersions: []string{"*"},
+							Resources:   []string{"*"},
+						},
+					},
+				},
+			},
+		},
+		Variables: []admissionv1.Variable{
+			{
+				Name:       "purposeOverrideLabel",
+				Expression: fmt.Sprintf(`(has(object.metadata.labels) && "%s" in object.metadata.labels) ? object.metadata.labels["%s"] : ""`, corev2alpha1.MCPPurposeOverrideLabel, corev2alpha1.MCPPurposeOverrideLabel),
+			},
+			{
+				Name:       "oldPurposeOverrideLabel",
+				Expression: fmt.Sprintf(`(oldObject != null && has(oldObject.metadata.labels) && "%s" in oldObject.metadata.labels) ? oldObject.metadata.labels["%s"] : ""`, corev2alpha1.MCPPurposeOverrideLabel, corev2alpha1.MCPPurposeOverrideLabel),
+			},
+		},
+		Validations: []admissionv1.Validation{
+			{
+				Expression: `request.operation == "CREATE" || (variables.oldPurposeOverrideLabel == variables.purposeOverrideLabel)`,
+				Message:    fmt.Sprintf(`The label "%s" is immutable, it cannot be added after creation and is not allowed to be changed or removed once set.`, corev2alpha1.MCPPurposeOverrideLabel),
+			},
+		},
+	})
+	vapm.MetadataMutator().WithLabels(map[string]string{
+		apiconst.ManagedByLabel:      managedcontrolplane.ControllerName,
+		apiconst.ManagedPurposeLabel: corev2alpha1.ManagedPurposeMCPPurposeOverride,
+	})
+	if err := resources.CreateOrUpdateResource(ctx, onboardingCluster.Client(), vapm); err != nil {
+		return fmt.Errorf("error creating/updating ValidatingAdmissionPolicy for mcp purpose override validation: %w", err)
+	}
+
+	vapbm := resources.NewValidatingAdmissionPolicyBindingMutator(MCPPurposeOverrideValidationPolicyName, admissionv1.ValidatingAdmissionPolicyBindingSpec{
+		PolicyName: MCPPurposeOverrideValidationPolicyName,
+		ValidationActions: []admissionv1.ValidationAction{
+			admissionv1.Deny,
+		},
+		MatchResources: &admissionv1.MatchResources{
+			ResourceRules: []admissionv1.NamedRuleWithOperations{
+				{
+					RuleWithOperations: admissionv1.RuleWithOperations{
+						Operations: []admissionv1.OperationType{
+							admissionv1.Create,
+							admissionv1.Update,
+						},
+						Rule: admissionv1.Rule{
+							APIGroups:   []string{corev2alpha1.GroupVersion.Group},
+							APIVersions: []string{corev2alpha1.GroupVersion.Version},
+							Resources: []string{
+								"managedcontrolplanev2s",
+							},
+						},
+					},
+				},
+			},
+		},
+	})
+	vapbm.MetadataMutator().WithLabels(map[string]string{
+		apiconst.ManagedByLabel:      managedcontrolplane.ControllerName,
+		apiconst.ManagedPurposeLabel: corev2alpha1.ManagedPurposeMCPPurposeOverride,
+	})
+	if err := resources.CreateOrUpdateResource(ctx, onboardingCluster.Client(), vapbm); err != nil {
+		return fmt.Errorf("error creating/updating ValidatingAdmissionPolicyBinding for mcp purpose override validation: %w", err)
+	}
+	setupLog.Info("ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding for mcp purpose override validation created/updated")
+
 	log.Info("Finished init command")
 	return nil
 }
diff --git a/internal/controllers/managedcontrolplane/controller.go b/internal/controllers/managedcontrolplane/controller.go
@@ -204,17 +204,23 @@ func (r *ManagedControlPlaneReconciler) handleCreateOrUpdate(ctx context.Context
 	cr := &clustersv1alpha1.ClusterRequest{}
 	cr.Name = mcp.Name
 	cr.Namespace = platformNamespace
+	// determine cluster request purpose
+	purpose := r.Config.MCPClusterPurpose
+	if override, ok := mcp.Labels[corev2alpha1.MCPPurposeOverrideLabel]; ok && override != "" {
+		log.Info("Using purpose override from MCP label", "purposeOverride", override)
+		purpose = override
+	}
 	if err := r.PlatformCluster.Client().Get(ctx, client.ObjectKeyFromObject(cr), cr); err != nil {
 		if !apierrors.IsNotFound(err) {
 			rr.ReconcileError = errutils.WithReason(fmt.Errorf("unable to get ClusterRequest '%s/%s': %w", cr.Namespace, cr.Name, err), cconst.ReasonPlatformClusterInteractionProblem)
 			createCon(corev2alpha1.ConditionClusterRequestReady, metav1.ConditionFalse, rr.ReconcileError.Reason(), rr.ReconcileError.Error())
 			return rr
 		}
 
-		log.Info("ClusterRequest not found, creating it", "clusterRequestName", cr.Name, "clusterRequestNamespace", cr.Namespace, "purpose", r.Config.MCPClusterPurpose)
+		log.Info("ClusterRequest not found, creating it", "clusterRequestName", cr.Name, "clusterRequestNamespace", cr.Namespace, "purpose", purpose)
 		cr.Labels = mcpLabels
 		cr.Spec = clustersv1alpha1.ClusterRequestSpec{
-			Purpose:                r.Config.MCPClusterPurpose,
+			Purpose:                purpose,
 			WaitForClusterDeletion: ptr.To(true),
 		}
 		if err := r.PlatformCluster.Client().Create(ctx, cr); err != nil {
@@ -223,7 +229,7 @@ func (r *ManagedControlPlaneReconciler) handleCreateOrUpdate(ctx context.Context
 			return rr
 		}
 	} else {
-		log.Debug("ClusterRequest found", "clusterRequestName", cr.Name, "clusterRequestNamespace", cr.Namespace, "purposeInConfig", r.Config.MCPClusterPurpose, "purposeInClusterRequest", cr.Spec.Purpose)
+		log.Debug("ClusterRequest found", "clusterRequestName", cr.Name, "clusterRequestNamespace", cr.Namespace, "configuredPurpose", purpose, "purposeInClusterRequest", cr.Spec.Purpose)
 	}
 
 	// check if the ClusterRequest is ready
