implement MCP namespace

Author: Diaphteiros

api/clusters/v1alpha1/constants/reasons.go

@@ -11,6 +11,8 @@ const (
 	ReasonConfigurationProblem = "ConfigurationProblem"
 	// ReasonInternalError indicates that something went wrong internally.
 	ReasonInternalError = "InternalError"
+	// ReasonWaitingForNamespaceDeletion indicates that something is waiting for a namespace to be deleted.
+	ReasonWaitingForNamespaceDeletion = "WaitingForNamespaceDeletion"
 	// ReasonWaitingForClusterRequest indicates that something is waiting for a ClusterRequest to become ready.
 	ReasonWaitingForClusterRequest = "WaitingForClusterRequest"
 	// ReasonWaitingForClusterRequestDeletion indicates that something is waiting for a ClusterRequest to be deleted.

api/core/v2alpha1/constants.go

@@ -6,10 +6,11 @@ const (
 )
 
 const (
-	MCPLabel          = GroupName + "/mcp"
+	MCPNameLabel      = GroupName + "/mcp-name"
+	MCPNamespaceLabel = GroupName + "/mcp-namespace"
 	OIDCProviderLabel = GroupName + "/oidc-provider"
 
-	MCPFinalizer = MCPLabel
+	MCPFinalizer = GroupName + "/mcp"
 
 	// ServiceDependencyFinalizerPrefix is the prefix for the dependency finalizers that are added to MCP resources by associated services.
 	ServiceDependencyFinalizerPrefix = "services.openmcp.cloud/"

internal/controllers/managedcontrolplane/access.go

@@ -21,19 +21,18 @@ import (
 	commonapi "github.com/openmcp-project/openmcp-operator/api/common"
 	apiconst "github.com/openmcp-project/openmcp-operator/api/constants"
 	corev2alpha1 "github.com/openmcp-project/openmcp-operator/api/core/v2alpha1"
-	libutils "github.com/openmcp-project/openmcp-operator/lib/utils"
 )
 
 // manageAccessRequests aligns the existing AccessRequests for the MCP with the currently configured OIDC providers.
 // It uses the given createCon function to create conditions for AccessRequests and returns a set of conditions that should be removed from the MCP status.
 // The bool return value specifies whether everything related to MCP access is in the desired state or not. If 'false', it is recommended to requeue the MCP.
-func (r *ManagedControlPlaneReconciler) manageAccessRequests(ctx context.Context, mcp *corev2alpha1.ManagedControlPlaneV2, cr *clustersv1alpha1.ClusterRequest, createCon func(conType string, status metav1.ConditionStatus, reason, message string)) (bool, sets.Set[string], errutils.ReasonableError) {
-	updatedAccessRequests, rerr := r.createOrUpdateDesiredAccessRequests(ctx, mcp, cr, createCon)
+func (r *ManagedControlPlaneReconciler) manageAccessRequests(ctx context.Context, mcp *corev2alpha1.ManagedControlPlaneV2, platformNamespace string, cr *clustersv1alpha1.ClusterRequest, createCon func(conType string, status metav1.ConditionStatus, reason, message string)) (bool, sets.Set[string], errutils.ReasonableError) {
+	updatedAccessRequests, rerr := r.createOrUpdateDesiredAccessRequests(ctx, mcp, platformNamespace, cr, createCon)
 	if rerr != nil {
 		return false, nil, rerr
 	}
 
-	accessRequestsInDeletion, rerr := r.deleteUndesiredAccessRequests(ctx, mcp, updatedAccessRequests, createCon)
+	accessRequestsInDeletion, rerr := r.deleteUndesiredAccessRequests(ctx, mcp, platformNamespace, updatedAccessRequests, createCon)
 	if rerr != nil {
 		return false, nil, rerr
 	}
@@ -82,10 +81,9 @@ func (r *ManagedControlPlaneReconciler) manageAccessRequests(ctx context.Context
 // createOrUpdateDesiredAccessRequests creates/updates all AccessRequests that are desired according to the ManagedControlPlane's configured OIDC providers.
 // It returns a mapping from OIDC provider names to the corresponding AccessRequests.
 // If the ManagedControlPlane has a non-zero DeletionTimestamp, no AccessRequests will be created or updated and the returned map will be empty.
-func (r *ManagedControlPlaneReconciler) createOrUpdateDesiredAccessRequests(ctx context.Context, mcp *corev2alpha1.ManagedControlPlaneV2, cr *clustersv1alpha1.ClusterRequest, createCon func(conType string, status metav1.ConditionStatus, reason, message string)) (map[string]*clustersv1alpha1.AccessRequest, errutils.ReasonableError) {
+func (r *ManagedControlPlaneReconciler) createOrUpdateDesiredAccessRequests(ctx context.Context, mcp *corev2alpha1.ManagedControlPlaneV2, platformNamespace string, cr *clustersv1alpha1.ClusterRequest, createCon func(conType string, status metav1.ConditionStatus, reason, message string)) (map[string]*clustersv1alpha1.AccessRequest, errutils.ReasonableError) {
 	log := logging.FromContextOrPanic(ctx)
 
-	namespace := libutils.StableRequestNamespace(mcp.Namespace)
 	updatedAccessRequests := map[string]*clustersv1alpha1.AccessRequest{}
 	var oidcProviders []*commonapi.OIDCProviderConfig
 
@@ -104,10 +102,10 @@ func (r *ManagedControlPlaneReconciler) createOrUpdateDesiredAccessRequests(ctx
 
 	for _, oidc := range oidcProviders {
 		log.Debug("Creating/updating AccessRequest for OIDC provider", "oidcProviderName", oidc.Name)
-		arName := ctrlutils.K8sNameHash(mcp.Name, oidc.Name)
+		arName := ctrlutils.K8sNameUUIDUnsafe(mcp.Name, oidc.Name)
 		ar := &clustersv1alpha1.AccessRequest{}
 		ar.Name = arName
-		ar.Namespace = namespace
+		ar.Namespace = platformNamespace
 		if _, err := controllerutil.CreateOrUpdate(ctx, r.PlatformCluster.Client(), ar, func() error {
 			ar.Spec.RequestRef = &commonapi.ObjectReference{
 				Name:      cr.Name,
@@ -119,7 +117,8 @@ func (r *ManagedControlPlaneReconciler) createOrUpdateDesiredAccessRequests(ctx
 			if ar.Labels == nil {
 				ar.Labels = map[string]string{}
 			}
-			ar.Labels[corev2alpha1.MCPLabel] = mcp.Name
+			ar.Labels[corev2alpha1.MCPNameLabel] = mcp.Name
+			ar.Labels[corev2alpha1.MCPNamespaceLabel] = mcp.Namespace
 			ar.Labels[apiconst.ManagedByLabel] = ControllerName
 			ar.Labels[corev2alpha1.OIDCProviderLabel] = oidc.Name
 
@@ -139,17 +138,17 @@ func (r *ManagedControlPlaneReconciler) createOrUpdateDesiredAccessRequests(ctx
 // deleteUndesiredAccessRequests deletes all AccessRequests that belong to the given ManagedControlPlane, but are not in the updatedAccessRequests map.
 // These are AccessRequests that have been created for a previous version of the ManagedControlPlane and are not needed anymore.
 // It returns a set of OIDC provider names for which the AccessRequests are still in deletion. If the set is empty, all undesired AccessRequests have been deleted.
-func (r *ManagedControlPlaneReconciler) deleteUndesiredAccessRequests(ctx context.Context, mcp *corev2alpha1.ManagedControlPlaneV2, updatedAccessRequests map[string]*clustersv1alpha1.AccessRequest, createCon func(conType string, status metav1.ConditionStatus, reason, message string)) (sets.Set[string], errutils.ReasonableError) {
+func (r *ManagedControlPlaneReconciler) deleteUndesiredAccessRequests(ctx context.Context, mcp *corev2alpha1.ManagedControlPlaneV2, platformNamespace string, updatedAccessRequests map[string]*clustersv1alpha1.AccessRequest, createCon func(conType string, status metav1.ConditionStatus, reason, message string)) (sets.Set[string], errutils.ReasonableError) {
 	log := logging.FromContextOrPanic(ctx)
 
-	namespace := libutils.StableRequestNamespace(mcp.Namespace)
 	accessRequestsInDeletion := sets.New[string]()
 
 	// delete all AccessRequests that have previously been created for this ManagedControlPlane but are not needed anymore
 	oidcARs := &clustersv1alpha1.AccessRequestList{}
-	if err := r.PlatformCluster.Client().List(ctx, oidcARs, client.InNamespace(namespace), client.HasLabels{corev2alpha1.OIDCProviderLabel}, client.MatchingLabels{
-		corev2alpha1.MCPLabel:   mcp.Name,
-		apiconst.ManagedByLabel: ControllerName,
+	if err := r.PlatformCluster.Client().List(ctx, oidcARs, client.InNamespace(platformNamespace), client.HasLabels{corev2alpha1.OIDCProviderLabel}, client.MatchingLabels{
+		corev2alpha1.MCPNameLabel:      mcp.Name,
+		corev2alpha1.MCPNamespaceLabel: mcp.Namespace,
+		apiconst.ManagedByLabel:        ControllerName,
 	}); err != nil {
 		rerr := errutils.WithReason(fmt.Errorf("error listing AccessRequests for ManagedControlPlane '%s/%s': %w", mcp.Namespace, mcp.Name, err), cconst.ReasonPlatformClusterInteractionProblem)
 		createCon(corev2alpha1.ConditionAllAccessReady, metav1.ConditionFalse, rerr.Reason(), rerr.Error())
@@ -197,8 +196,9 @@ func (r *ManagedControlPlaneReconciler) deleteUndesiredAccessSecrets(ctx context
 	// delete all AccessRequest secrets that have been copied to the Onboarding cluster and belong to AccessRequests that are no longer needed
 	mcpSecrets := &corev1.SecretList{}
 	if err := r.OnboardingCluster.Client().List(ctx, mcpSecrets, client.InNamespace(mcp.Namespace), client.HasLabels{corev2alpha1.OIDCProviderLabel}, client.MatchingLabels{
-		corev2alpha1.MCPLabel:   mcp.Name,
-		apiconst.ManagedByLabel: ControllerName,
+		corev2alpha1.MCPNameLabel:      mcp.Name,
+		corev2alpha1.MCPNamespaceLabel: mcp.Namespace,
+		apiconst.ManagedByLabel:        ControllerName,
 	}); err != nil {
 		rerr := errutils.WithReason(fmt.Errorf("error listing secrets for ManagedControlPlane '%s/%s': %w", mcp.Namespace, mcp.Name, err), cconst.ReasonOnboardingClusterInteractionProblem)
 		createCon(corev2alpha1.ConditionAllAccessReady, metav1.ConditionFalse, rerr.Reason(), rerr.Error())
@@ -268,14 +268,15 @@ func (r *ManagedControlPlaneReconciler) syncAccessSecrets(ctx context.Context, m
 				return false, rerr
 			}
 			mcpSecret := &corev1.Secret{}
-			mcpSecret.Name = ctrlutils.K8sNameHash(mcp.Name, providerName)
+			mcpSecret.Name = ctrlutils.K8sNameUUIDUnsafe(mcp.Name, providerName)
 			mcpSecret.Namespace = mcp.Namespace
 			if _, err := controllerutil.CreateOrUpdate(ctx, r.OnboardingCluster.Client(), mcpSecret, func() error {
 				mcpSecret.Data = arSecret.Data
 				if mcpSecret.Labels == nil {
 					mcpSecret.Labels = map[string]string{}
 				}
-				mcpSecret.Labels[corev2alpha1.MCPLabel] = mcp.Name
+				mcpSecret.Labels[corev2alpha1.MCPNameLabel] = mcp.Name
+				mcpSecret.Labels[corev2alpha1.MCPNamespaceLabel] = mcp.Namespace
 				mcpSecret.Labels[corev2alpha1.OIDCProviderLabel] = providerName
 				mcpSecret.Labels[apiconst.ManagedByLabel] = ControllerName
 

internal/controllers/managedcontrolplane/clusters.go

@@ -15,10 +15,9 @@ import (
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
 	cconst "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1/constants"
 	corev2alpha1 "github.com/openmcp-project/openmcp-operator/api/core/v2alpha1"
-	libutils "github.com/openmcp-project/openmcp-operator/lib/utils"
 )
 
-func (r *ManagedControlPlaneReconciler) deleteRelatedClusterRequests(ctx context.Context, mcp *corev2alpha1.ManagedControlPlaneV2) (sets.Set[string], errutils.ReasonableError) {
+func (r *ManagedControlPlaneReconciler) deleteRelatedClusterRequests(ctx context.Context, mcp *corev2alpha1.ManagedControlPlaneV2, platformNamespace string) (sets.Set[string], errutils.ReasonableError) {
 	log := logging.FromContextOrPanic(ctx)
 
 	// delete depending cluster requests, if any
@@ -42,16 +41,15 @@ func (r *ManagedControlPlaneReconciler) deleteRelatedClusterRequests(ctx context
 	}
 
 	// fetch cluster requests, if any exist
-	namespace := libutils.StableRequestNamespace(mcp.Namespace)
 	resources := map[string]*clustersv1alpha1.ClusterRequest{}
 	errs := errutils.NewReasonableErrorList()
 	for crName := range crNames {
 		cr := &clustersv1alpha1.ClusterRequest{}
 		cr.SetName(crName)
-		cr.SetNamespace(namespace)
+		cr.SetNamespace(platformNamespace)
 		if err := r.PlatformCluster.Client().Get(ctx, client.ObjectKeyFromObject(cr), cr); err != nil {
 			if !apierrors.IsNotFound(err) {
-				errs.Append(errutils.WithReason(fmt.Errorf("error getting ClusterRequest '%s/%s': %w", namespace, crName, err), cconst.ReasonPlatformClusterInteractionProblem))
+				errs.Append(errutils.WithReason(fmt.Errorf("error getting ClusterRequest '%s/%s': %w", platformNamespace, crName, err), cconst.ReasonPlatformClusterInteractionProblem))
 			}
 			continue
 		}
@@ -78,7 +76,7 @@ func (r *ManagedControlPlaneReconciler) deleteRelatedClusterRequests(ctx context
 		log.Info("Deleting ClusterRequest", "crName", crName, "namespace", cr.GetNamespace())
 		if err := r.PlatformCluster.Client().Delete(ctx, cr); err != nil {
 			if !apierrors.IsNotFound(err) {
-				errs.Append(errutils.WithReason(fmt.Errorf("error deleting ClusterRequest '%s/%s': %w", namespace, crName, err), cconst.ReasonPlatformClusterInteractionProblem))
+				errs.Append(errutils.WithReason(fmt.Errorf("error deleting ClusterRequest '%s/%s': %w", platformNamespace, crName, err), cconst.ReasonPlatformClusterInteractionProblem))
 			} else {
 				log.Debug("ClusterRequest not found during deletion", "crName", crName, "namespace", cr.GetNamespace())
 				delete(resources, crName) // remove from resources if not found

internal/controllers/managedcontrolplane/controller.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -20,6 +21,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
+	"github.com/openmcp-project/controller-utils/pkg/clusteraccess"
 	"github.com/openmcp-project/controller-utils/pkg/clusters"
 	"github.com/openmcp-project/controller-utils/pkg/collections"
 	"github.com/openmcp-project/controller-utils/pkg/collections/filters"
@@ -182,14 +184,32 @@ func (r *ManagedControlPlaneReconciler) handleCreateOrUpdate(ctx context.Context
 			return rr
 		}
 	}
+
+	// ensure that the MCP namespace on the platform cluster exists
+	mcpLabels := map[string]string{
+		corev2alpha1.MCPNameLabel:      mcp.Name,
+		corev2alpha1.MCPNamespaceLabel: mcp.Namespace,
+		apiconst.ManagedByLabel:        ControllerName,
+	}
+	platformNamespace, err := libutils.StableMCPNamespace(mcp.Name, mcp.Namespace)
+	if err != nil {
+		rr.ReconcileError = errutils.WithReason(err, cconst.ReasonInternalError)
+		createCon(corev2alpha1.ConditionMeta, metav1.ConditionFalse, rr.ReconcileError.Reason(), rr.ReconcileError.Error())
+		return rr
+	}
+	_, err = clusteraccess.EnsureNamespace(ctx, r.PlatformCluster.Client(), platformNamespace, pairs.MapToPairs(mcpLabels)...)
+	if err != nil {
+		rr.ReconcileError = errutils.WithReason(fmt.Errorf("error ensuring namespace '%s' on platform cluster: %w", platformNamespace, err), cconst.ReasonPlatformClusterInteractionProblem)
+		createCon(corev2alpha1.ConditionMeta, metav1.ConditionFalse, rr.ReconcileError.Reason(), rr.ReconcileError.Error())
+		return rr
+	}
 	createCon(corev2alpha1.ConditionMeta, metav1.ConditionTrue, "", "")
 
 	// ensure that the ClusterRequest exists
 	// since ClusterRequests are basically immutable, updating them is not required
-	namespace := libutils.StableRequestNamespace(mcp.Namespace)
 	cr := &clustersv1alpha1.ClusterRequest{}
 	cr.Name = mcp.Name
-	cr.Namespace = namespace
+	cr.Namespace = platformNamespace
 	if err := r.PlatformCluster.Client().Get(ctx, client.ObjectKeyFromObject(cr), cr); err != nil {
 		if !apierrors.IsNotFound(err) {
 			rr.ReconcileError = errutils.WithReason(fmt.Errorf("unable to get ClusterRequest '%s/%s': %w", cr.Namespace, cr.Name, err), cconst.ReasonPlatformClusterInteractionProblem)
@@ -198,6 +218,7 @@ func (r *ManagedControlPlaneReconciler) handleCreateOrUpdate(ctx context.Context
 		}
 
 		log.Info("ClusterRequest not found, creating it", "clusterRequestName", cr.Name, "clusterRequestNamespace", cr.Namespace, "purpose", r.Config.MCPClusterPurpose)
+		cr.Labels = mcpLabels
 		cr.Spec = clustersv1alpha1.ClusterRequestSpec{
 			Purpose:                r.Config.MCPClusterPurpose,
 			WaitForClusterDeletion: ptr.To(true),
@@ -222,7 +243,7 @@ func (r *ManagedControlPlaneReconciler) handleCreateOrUpdate(ctx context.Context
 	createCon(corev2alpha1.ConditionClusterRequestReady, metav1.ConditionTrue, "", "ClusterRequest is ready")
 
 	// manage AccessRequests
-	allAccessReady, removeConditions, rerr := r.manageAccessRequests(ctx, mcp, cr, createCon)
+	allAccessReady, removeConditions, rerr := r.manageAccessRequests(ctx, mcp, platformNamespace, cr, createCon)
 	rr.ConditionsToRemove = removeConditions.UnsortedList()
 	if rerr != nil {
 		rr.ReconcileError = rerr
@@ -281,7 +302,13 @@ func (r *ManagedControlPlaneReconciler) handleDelete(ctx context.Context, mcp *c
 	log.Debug("All service resources deleted")
 
 	// delete AccessRequests and related secrets
-	accessReady, removeConditions, rerr := r.manageAccessRequests(ctx, mcp, nil, createCon)
+	platformNamespace, err := libutils.StableMCPNamespace(mcp.Name, mcp.Namespace)
+	if err != nil {
+		rr.ReconcileError = errutils.WithReason(err, cconst.ReasonInternalError)
+		createCon(corev2alpha1.ConditionMeta, metav1.ConditionFalse, rr.ReconcileError.Reason(), rr.ReconcileError.Error())
+		return rr
+	}
+	accessReady, removeConditions, rerr := r.manageAccessRequests(ctx, mcp, platformNamespace, nil, createCon)
 	rr.ConditionsToRemove = removeConditions.UnsortedList()
 	if rerr != nil {
 		rr.ReconcileError = rerr
@@ -298,7 +325,7 @@ func (r *ManagedControlPlaneReconciler) handleDelete(ctx context.Context, mcp *c
 	log.Debug("All AccessRequests deleted")
 
 	// delete cluster requests related to this MCP
-	remainingCRs, rerr := r.deleteRelatedClusterRequests(ctx, mcp)
+	remainingCRs, rerr := r.deleteRelatedClusterRequests(ctx, mcp, platformNamespace)
 	if rerr != nil {
 		rr.ReconcileError = rerr
 		createCon(corev2alpha1.ConditionAllClusterRequestsDeleted, metav1.ConditionFalse, rr.ReconcileError.Reason(), rr.ReconcileError.Error())
@@ -339,6 +366,40 @@ func (r *ManagedControlPlaneReconciler) handleDelete(ctx context.Context, mcp *c
 	createCon(corev2alpha1.ConditionAllClusterRequestsDeleted, metav1.ConditionTrue, "", "All ClusterRequests have been deleted")
 	log.Debug("All ClusterRequests deleted")
 
+	// delete MCP namespace on the platform cluster
+	ns := &corev1.Namespace{}
+	ns.Name = platformNamespace
+	if err := r.PlatformCluster.Client().Get(ctx, client.ObjectKeyFromObject(ns), ns); err != nil {
+		if !apierrors.IsNotFound(err) {
+			rr.ReconcileError = errutils.WithReason(fmt.Errorf("error getting namespace '%s' on platform cluster: %w", platformNamespace, err), cconst.ReasonPlatformClusterInteractionProblem)
+			createCon(corev2alpha1.ConditionMeta, metav1.ConditionFalse, rr.ReconcileError.Reason(), rr.ReconcileError.Error())
+			return rr
+		}
+		log.Debug("Namespace already deleted", "namespace", platformNamespace)
+		ns = nil
+	} else {
+		if ns.Labels[corev2alpha1.MCPNameLabel] != mcp.Name || ns.Labels[corev2alpha1.MCPNamespaceLabel] != mcp.Namespace || ns.Labels[apiconst.ManagedByLabel] != ControllerName {
+			log.Debug("Labels on MCP namespace on platform cluster do not match expected labels, skipping deletion", "platformNamespace", ns.Name)
+		} else {
+			if !ns.DeletionTimestamp.IsZero() {
+				log.Debug("MCP namespace already marked for deletion", "platformNamespace", ns.Name)
+			} else {
+				log.Debug("Deleting MCP namespace on platform cluster", "platformNamespace", ns.Name)
+				if err := r.PlatformCluster.Client().Delete(ctx, ns); err != nil {
+					rr.ReconcileError = errutils.WithReason(fmt.Errorf("error deleting namespace '%s' on platform cluster: %w", platformNamespace, err), cconst.ReasonPlatformClusterInteractionProblem)
+					createCon(corev2alpha1.ConditionMeta, metav1.ConditionFalse, rr.ReconcileError.Reason(), rr.ReconcileError.Error())
+					return rr
+				}
+			}
+		}
+	}
+	if ns != nil {
+		log.Info("Waiting for MCP namespace to be deleted", "platformNamespace", ns.Name)
+		createCon(corev2alpha1.ConditionMeta, metav1.ConditionFalse, cconst.ReasonWaitingForNamespaceDeletion, fmt.Sprintf("Waiting for namespace '%s' to be deleted", platformNamespace))
+		rr.SmartRequeue = ctrlutils.SR_BACKOFF
+		return rr
+	}
+
 	// remove MCP finalizer
 	if controllerutil.RemoveFinalizer(mcp, corev2alpha1.MCPFinalizer) {
 		log.Debug("Removing MCP finalizer")