relation

On-behalf-of: @SAP [email protected]
Signed-off-by: Artem Shcherbatiuk <[email protected]>

Author: vertex451

gateway/resolver/relationships.go

@@ -31,6 +31,14 @@ type RelationshipRef struct {
 	Namespace    string `json:"namespace,omitempty"`
 }
 
+// EnhancedRef represents our custom relationship reference structure
+type EnhancedRef struct {
+	Kind         string `json:"kind,omitempty"`
+	GroupVersion string `json:"groupVersion,omitempty"`
+	Name         string `json:"name"`
+	Namespace    string `json:"namespace,omitempty"`
+}
+
 // NewRelationshipResolver creates a new relationship resolver
 func NewRelationshipResolver(log *logger.Logger, runtimeClient client.WithWatch, groupNames map[string]string) *RelationshipResolver {
 	return &RelationshipResolver{
@@ -93,7 +101,7 @@ func (r *RelationshipResolver) CreateRelationshipResolver(sourceGVK schema.Group
 		}
 
 		// Parse the relationship reference
-		ref, err := r.parseRelationshipRef(refMap)
+		ref, err := r.parseRelationshipRef(refMap, sourceObj, sourceGVK, fieldName)
 		if err != nil {
 			return nil, fmt.Errorf("error parsing relationship ref: %v", err)
 		}
@@ -110,12 +118,63 @@ func (r *RelationshipResolver) CreateRelationshipResolver(sourceGVK schema.Group
 		}
 
 		// Fetch the referenced resource
-		return r.fetchReferencedResource(ctx, ref, targetGVK)
+		return r.fetchReferencedResource(ctx, ref, targetGVK, sourceObj, sourceGVK)
+	}
+}
+
+// CreateRelationsResolver creates a GraphQL field resolver for the relations field
+func (r *RelationshipResolver) CreateRelationsResolver(sourceGVK schema.GroupVersionKind, relationshipFields []string) graphql.FieldResolveFn {
+	return func(p graphql.ResolveParams) (interface{}, error) {
+		_, span := otel.Tracer("").Start(p.Context, "ResolveRelations",
+			trace.WithAttributes(
+				attribute.String("sourceKind", sourceGVK.Kind),
+				attribute.Int("relationshipCount", len(relationshipFields)),
+			))
+		defer span.End()
+
+		// Get the source object from the parent resolver
+		sourceObj, ok := p.Source.(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf("expected source to be map[string]interface{}, got %T", p.Source)
+		}
+
+		relations := make(map[string]interface{})
+
+		for _, fieldName := range relationshipFields {
+			// Extract the relationship reference from the source object
+			refValue, found, err := unstructured.NestedFieldNoCopy(sourceObj, fieldName)
+			if err != nil {
+				r.log.Debug().Err(err).Str("field", fieldName).Msg("Error accessing relationship field")
+				continue
+			}
+			if !found {
+				continue // Field not present, skip
+			}
+
+			refMap, ok := refValue.(map[string]interface{})
+			if !ok {
+				r.log.Debug().Str("field", fieldName).Msg("Relationship field is not a map")
+				continue
+			}
+
+			// Create enhanced reference
+			enhancedRef, err := r.createEnhancedRef(refMap, sourceObj, sourceGVK, fieldName)
+			if err != nil {
+				r.log.Debug().Err(err).Str("field", fieldName).Msg("Error creating enhanced reference")
+				continue
+			}
+
+			// Add to relations without "Ref" suffix
+			relationName := strings.TrimSuffix(fieldName, "Ref")
+			relations[relationName] = enhancedRef
+		}
+
+		return relations, nil
 	}
 }
 
 // parseRelationshipRef parses a relationship reference from a map
-func (r *RelationshipResolver) parseRelationshipRef(refMap map[string]interface{}) (*RelationshipRef, error) {
+func (r *RelationshipResolver) parseRelationshipRef(refMap map[string]interface{}, sourceObj map[string]interface{}, sourceGVK schema.GroupVersionKind, fieldName string) (*RelationshipRef, error) {
 	ref := &RelationshipRef{}
 
 	if kind, ok := refMap["kind"].(string); ok {
@@ -126,17 +185,17 @@ func (r *RelationshipResolver) parseRelationshipRef(refMap map[string]interface{
 		ref.GroupVersion = groupVersion
 	}
 
+	// Handle native Kubernetes apiGroup field (used in roleRef, clusterRoleRef, etc.)
 	if apiGroup, ok := refMap["apiGroup"].(string); ok {
-		// Handle RBAC-style references where apiGroup is specified separately
-		if apiGroup != "" {
-			// For RBAC, we need to construct the groupVersion
-			// Default to v1 if no version specified in the groupVersion field
-			if ref.GroupVersion == "" {
-				ref.GroupVersion = apiGroup + "/v1"
-			}
-		} else {
+		// For RBAC resources, apiGroup + kind determines the groupVersion
+		if apiGroup == "rbac.authorization.k8s.io" {
+			ref.GroupVersion = "rbac.authorization.k8s.io/v1"
+		} else if apiGroup == "" {
 			// Empty apiGroup means core/v1
 			ref.GroupVersion = "v1"
+		} else {
+			// Default to v1 for other groups
+			ref.GroupVersion = apiGroup + "/v1"
 		}
 	}
 
@@ -148,11 +207,101 @@ func (r *RelationshipResolver) parseRelationshipRef(refMap map[string]interface{
 
 	if namespace, ok := refMap["namespace"].(string); ok {
 		ref.Namespace = namespace
+	} else {
+		// For native Kubernetes references like roleRef, infer namespace from source
+		ref.Namespace = r.inferNamespaceForReference(sourceObj, sourceGVK, fieldName, ref.Kind)
 	}
 
 	return ref, nil
 }
 
+// createEnhancedRef transforms a native Kubernetes reference to our enhanced structure
+func (r *RelationshipResolver) createEnhancedRef(nativeRefMap map[string]interface{}, sourceObj map[string]interface{}, sourceGVK schema.GroupVersionKind, fieldName string) (map[string]interface{}, error) {
+	enhancedRef := make(map[string]interface{})
+
+	// Extract name (required)
+	name, ok := nativeRefMap["name"].(string)
+	if !ok {
+		return nil, fmt.Errorf("name is required in relationship reference")
+	}
+	enhancedRef["name"] = name
+
+	// Extract or infer kind
+	if kind, ok := nativeRefMap["kind"].(string); ok {
+		enhancedRef["kind"] = kind
+	} else {
+		// Infer kind from field name
+		targetKind := ExtractTargetKind(fieldName)
+		if targetKind != "" {
+			enhancedRef["kind"] = targetKind
+		}
+	}
+
+	// Extract or construct groupVersion
+	if groupVersion, ok := nativeRefMap["groupVersion"].(string); ok {
+		enhancedRef["groupVersion"] = groupVersion
+	} else if apiGroup, ok := nativeRefMap["apiGroup"].(string); ok {
+		// Construct groupVersion from apiGroup
+		if apiGroup == "rbac.authorization.k8s.io" {
+			enhancedRef["groupVersion"] = "rbac.authorization.k8s.io/v1"
+		} else if apiGroup == "" {
+			enhancedRef["groupVersion"] = "v1"
+		} else {
+			enhancedRef["groupVersion"] = apiGroup + "/v1"
+		}
+	}
+
+	// Extract or infer namespace
+	if namespace, ok := nativeRefMap["namespace"].(string); ok {
+		enhancedRef["namespace"] = namespace
+	} else {
+		// Infer namespace from source object and relationship context
+		targetKind, _ := enhancedRef["kind"].(string)
+		inferredNamespace := r.inferNamespaceForReference(sourceObj, sourceGVK, fieldName, targetKind)
+		if inferredNamespace != "" {
+			enhancedRef["namespace"] = inferredNamespace
+		}
+	}
+
+	r.log.Debug().
+		Str("fieldName", fieldName).
+		Str("name", name).
+		Interface("enhancedRef", enhancedRef).
+		Msg("Created enhanced reference")
+
+	return enhancedRef, nil
+}
+
+// inferNamespaceForReference infers the namespace for a reference based on Kubernetes conventions
+func (r *RelationshipResolver) inferNamespaceForReference(sourceObj map[string]interface{}, sourceGVK schema.GroupVersionKind, fieldName string, targetKind string) string {
+	// For roleRef in RoleBinding, the referenced Role is in the same namespace as the RoleBinding
+	if fieldName == "roleRef" && sourceGVK.Kind == "RoleBinding" && targetKind == "Role" {
+		if metadata, found := sourceObj["metadata"]; found {
+			if metadataMap, ok := metadata.(map[string]interface{}); ok {
+				if namespace, ok := metadataMap["namespace"].(string); ok {
+					return namespace
+				}
+			}
+		}
+	}
+
+	// For clusterRoleRef or when targeting ClusterRole, no namespace needed (cluster-scoped)
+	if fieldName == "roleRef" && targetKind == "ClusterRole" {
+		return ""
+	}
+
+	// Default: try to use source object's namespace for namespaced targets
+	if metadata, found := sourceObj["metadata"]; found {
+		if metadataMap, ok := metadata.(map[string]interface{}); ok {
+			if namespace, ok := metadataMap["namespace"].(string); ok {
+				return namespace
+			}
+		}
+	}
+
+	return ""
+}
+
 // resolveTargetGVK resolves the target GroupVersionKind from the relationship reference
 func (r *RelationshipResolver) resolveTargetGVK(ref *RelationshipRef, sourceGVK schema.GroupVersionKind) (schema.GroupVersionKind, error) {
 	targetGVK := schema.GroupVersionKind{
@@ -187,7 +336,7 @@ func (r *RelationshipResolver) resolveTargetGVK(ref *RelationshipRef, sourceGVK
 }
 
 // fetchReferencedResource fetches the referenced Kubernetes resource
-func (r *RelationshipResolver) fetchReferencedResource(ctx context.Context, ref *RelationshipRef, targetGVK schema.GroupVersionKind) (interface{}, error) {
+func (r *RelationshipResolver) fetchReferencedResource(ctx context.Context, ref *RelationshipRef, targetGVK schema.GroupVersionKind, sourceObj map[string]interface{}, sourceGVK schema.GroupVersionKind) (interface{}, error) {
 	// Create an unstructured object to hold the result
 	obj := &unstructured.Unstructured{}
 	obj.SetGroupVersionKind(targetGVK)
@@ -196,11 +345,18 @@ func (r *RelationshipResolver) fetchReferencedResource(ctx context.Context, ref
 		Name: ref.Name,
 	}
 
-	// If namespace is specified in the ref, use it
+	// Set namespace if specified and target is namespaced
 	if ref.Namespace != "" {
 		key.Namespace = ref.Namespace
 	}
 
+	r.log.Debug().
+		Str("refName", ref.Name).
+		Str("refNamespace", ref.Namespace).
+		Str("targetGVK", targetGVK.String()).
+		Str("sourceKind", sourceGVK.Kind).
+		Msg("Fetching referenced resource")
+
 	// Get the object using the runtime client
 	if err := r.runtimeClient.Get(ctx, key, obj); err != nil {
 		r.log.Error().Err(err).