feat: relations

On-behalf-of: @SAP [email protected]
Signed-off-by: Artem Shcherbatiuk <[email protected]>

Author: vertex451

gateway/resolver/relationships.go

@@ -0,0 +1,190 @@
+package resolver
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/graphql-go/graphql"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"github.com/openmfp/golang-commons/logger"
+)
+
+// RelationshipResolver handles resolution of relationships between Kubernetes resources
+type RelationshipResolver struct {
+	log        *logger.Logger
+	groupNames map[string]string
+}
+
+// EnhancedRef represents our custom relationship reference structure
+type EnhancedRef struct {
+	Kind         string `json:"kind,omitempty"`
+	GroupVersion string `json:"groupVersion,omitempty"`
+	Name         string `json:"name"`
+	Namespace    string `json:"namespace,omitempty"`
+}
+
+// NewRelationshipResolver creates a new relationship resolver
+func NewRelationshipResolver(log *logger.Logger, groupNames map[string]string) *RelationshipResolver {
+	return &RelationshipResolver{
+		log:        log,
+		groupNames: groupNames,
+	}
+}
+
+// IsRelationshipField checks if a field name follows the relationship convention (<kind>Ref)
+func IsRelationshipField(fieldName string) bool {
+	return strings.HasSuffix(fieldName, "Ref")
+}
+
+// ExtractTargetKind extracts the target kind from a relationship field name
+// e.g., "roleRef" -> "Role"
+func ExtractTargetKind(fieldName string) string {
+	if !IsRelationshipField(fieldName) {
+		return ""
+	}
+
+	// Remove "Ref" suffix and capitalize first letter
+	kindName := strings.TrimSuffix(fieldName, "Ref")
+	if len(kindName) == 0 {
+		return ""
+	}
+
+	return strings.ToUpper(kindName[:1]) + kindName[1:]
+}
+
+// CreateSingleRelationResolver creates a GraphQL field resolver for a single relation field
+func (r *RelationshipResolver) CreateSingleRelationResolver(sourceGVK schema.GroupVersionKind, fieldName string) graphql.FieldResolveFn {
+	return func(p graphql.ResolveParams) (interface{}, error) {
+		_, span := otel.Tracer("").Start(p.Context, "ResolveSingleRelation",
+			trace.WithAttributes(
+				attribute.String("sourceKind", sourceGVK.Kind),
+				attribute.String("fieldName", fieldName),
+			))
+		defer span.End()
+
+		// Get the source object from the parent resolver
+		sourceObj, ok := p.Source.(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf("expected source to be map[string]interface{}, got %T", p.Source)
+		}
+
+		// Extract the relationship reference from the source object
+		refValue, found, err := unstructured.NestedFieldNoCopy(sourceObj, fieldName)
+		if err != nil {
+			r.log.Debug().Err(err).Str("field", fieldName).Msg("Error accessing relationship field")
+			return nil, nil // Return nil for optional field
+		}
+		if !found {
+			return nil, nil // Field not present, return nil
+		}
+
+		refMap, ok := refValue.(map[string]interface{})
+		if !ok {
+			r.log.Debug().Str("field", fieldName).Msg("Relationship field is not a map")
+			return nil, nil
+		}
+
+		// Create enhanced reference
+		enhancedRef, err := r.createEnhancedRef(refMap, sourceObj, sourceGVK, fieldName)
+		if err != nil {
+			r.log.Debug().Err(err).Str("field", fieldName).Msg("Error creating enhanced reference")
+			return nil, nil
+		}
+
+		return enhancedRef, nil
+	}
+}
+
+// createEnhancedRef transforms a native Kubernetes reference to our enhanced structure
+func (r *RelationshipResolver) createEnhancedRef(nativeRefMap map[string]interface{}, sourceObj map[string]interface{}, sourceGVK schema.GroupVersionKind, fieldName string) (map[string]interface{}, error) {
+	enhancedRef := make(map[string]interface{})
+
+	// Extract name (required)
+	name, ok := nativeRefMap["name"].(string)
+	if !ok {
+		return nil, fmt.Errorf("name is required in relationship reference")
+	}
+	enhancedRef["name"] = name
+
+	// Extract or infer kind
+	if kind, ok := nativeRefMap["kind"].(string); ok {
+		enhancedRef["kind"] = kind
+	} else {
+		// Infer kind from field name
+		targetKind := ExtractTargetKind(fieldName)
+		if targetKind != "" {
+			enhancedRef["kind"] = targetKind
+		}
+	}
+
+	// Extract or construct groupVersion
+	if groupVersion, ok := nativeRefMap["groupVersion"].(string); ok {
+		enhancedRef["groupVersion"] = groupVersion
+	} else if apiGroup, ok := nativeRefMap["apiGroup"].(string); ok {
+		// Construct groupVersion from apiGroup
+		if apiGroup == "rbac.authorization.k8s.io" {
+			enhancedRef["groupVersion"] = "rbac.authorization.k8s.io/v1"
+		} else if apiGroup == "" {
+			enhancedRef["groupVersion"] = "v1"
+		} else {
+			enhancedRef["groupVersion"] = apiGroup + "/v1"
+		}
+	}
+
+	// Extract or infer namespace
+	if namespace, ok := nativeRefMap["namespace"].(string); ok {
+		enhancedRef["namespace"] = namespace
+	} else {
+		// Infer namespace from source object and relationship context
+		targetKind, _ := enhancedRef["kind"].(string)
+		inferredNamespace := r.inferNamespaceForReference(sourceObj, sourceGVK, fieldName, targetKind)
+		if inferredNamespace != "" {
+			enhancedRef["namespace"] = inferredNamespace
+		}
+	}
+
+	r.log.Debug().
+		Str("fieldName", fieldName).
+		Str("name", name).
+		Interface("enhancedRef", enhancedRef).
+		Msg("Created enhanced reference")
+
+	return enhancedRef, nil
+}
+
+// inferNamespaceForReference infers the namespace for a reference based on Kubernetes conventions
+func (r *RelationshipResolver) inferNamespaceForReference(sourceObj map[string]interface{}, sourceGVK schema.GroupVersionKind, fieldName string, targetKind string) string {
+	// For roleRef in RoleBinding, the referenced Role is in the same namespace as the RoleBinding
+	if fieldName == "roleRef" && sourceGVK.Kind == "RoleBinding" && targetKind == "Role" {
+		if metadata, found := sourceObj["metadata"]; found {
+			if metadataMap, ok := metadata.(map[string]interface{}); ok {
+				if namespace, ok := metadataMap["namespace"].(string); ok {
+					return namespace
+				}
+			}
+		}
+	}
+
+	// For clusterRoleRef or when targeting ClusterRole, no namespace needed (cluster-scoped)
+	if fieldName == "roleRef" && targetKind == "ClusterRole" {
+		return ""
+	}
+
+	// Default: try to use source object's namespace for namespaced targets
+	if metadata, found := sourceObj["metadata"]; found {
+		if metadataMap, ok := metadata.(map[string]interface{}); ok {
+			if namespace, ok := metadataMap["namespace"].(string); ok {
+				return namespace
+			}
+		}
+	}
+
+	return ""
+}
+
+// getOriginalGroupName converts sanitized group name back to original

gateway/resolver/resolver.go

@@ -30,6 +30,7 @@ type Provider interface {
 	CustomQueriesProvider
 	CommonResolver() graphql.FieldResolveFn
 	SanitizeGroupName(string) string
+	GetRelationshipResolver() *RelationshipResolver
 }
 
 type CrudProvider interface {
@@ -50,16 +51,22 @@ type CustomQueriesProvider interface {
 type Service struct {
 	log *logger.Logger
 	// groupNames stores relation between sanitized group names and original group names that are used in the Kubernetes API
-	groupNames    map[string]string // map[sanitizedGroupName]originalGroupName
-	runtimeClient client.WithWatch
+	groupNames           map[string]string // map[sanitizedGroupName]originalGroupName
+	runtimeClient        client.WithWatch
+	relationshipResolver *RelationshipResolver
 }
 
 func New(log *logger.Logger, runtimeClient client.WithWatch) *Service {
-	return &Service{
+	service := &Service{
 		log:           log,
 		groupNames:    make(map[string]string),
 		runtimeClient: runtimeClient,
 	}
+
+	// Initialize relationship resolver
+	service.relationshipResolver = NewRelationshipResolver(log, service.groupNames)
+
+	return service
 }
 
 // ListItems returns a GraphQL CommonResolver function that lists Kubernetes resources of the given GroupVersionKind.
@@ -397,6 +404,10 @@ func (r *Service) getOriginalGroupName(groupName string) string {
 	return groupName
 }
 
+func (r *Service) GetRelationshipResolver() *RelationshipResolver {
+	return r.relationshipResolver
+}
+
 func compareUnstructured(a, b unstructured.Unstructured, fieldPath string) int {
 	segments := strings.Split(fieldPath, ".")
 

gateway/resolver/subscription.go

@@ -79,6 +79,16 @@ func (r *Service) runWatch(
 
 	fieldsToWatch := extractRequestedFields(p.Info)
 
+	// Extract relationship watches (for future implementation)
+	relationshipWatches := r.extractRelationshipWatches(fieldsToWatch, gvk)
+	if len(relationshipWatches) > 0 {
+		r.log.Debug().
+			Int("relationshipCount", len(relationshipWatches)).
+			Str("sourceGVK", gvk.String()).
+			Msg("Detected relationships in subscription - multiple watches not yet implemented")
+		// TODO: Implement multiple watches for relationships
+	}
+
 	list := &unstructured.UnstructuredList{}
 	list.SetGroupVersionKind(schema.GroupVersionKind{
 		Group: gvk.Group, Version: gvk.Version, Kind: gvk.Kind + "List",
@@ -356,3 +366,75 @@ func CreateSubscriptionResolver(isSingle bool) graphql.FieldResolveFn {
 		return source, nil
 	}
 }
+
+// RelationshipWatch represents a relationship that needs to be watched
+type RelationshipWatch struct {
+	FieldPath   string
+	TargetGVK   schema.GroupVersionKind
+	TargetScope v1.ResourceScope
+}
+
+// extractRelationshipWatches analyzes requested fields to identify relationships that need additional watches
+func (r *Service) extractRelationshipWatches(fieldsToWatch []string, sourceGVK schema.GroupVersionKind) []RelationshipWatch {
+	var relationshipWatches []RelationshipWatch
+
+	for _, fieldPath := range fieldsToWatch {
+		// Check if this field path contains a relationship field
+		pathParts := strings.Split(fieldPath, ".")
+		for i, part := range pathParts {
+			if IsRelationshipField(part) {
+				targetKind := ExtractTargetKind(part)
+				if targetKind != "" {
+					// Try to resolve the target GVK
+					// For now, we'll make some assumptions about common relationships
+					targetGVK := r.resolveTargetGVK(targetKind, sourceGVK)
+					if targetGVK != (schema.GroupVersionKind{}) {
+						// TODO: Determine target scope - for now assume same as source
+						relationshipWatches = append(relationshipWatches, RelationshipWatch{
+							FieldPath:   strings.Join(pathParts[:i+1], "."),
+							TargetGVK:   targetGVK,
+							TargetScope: v1.NamespaceScoped, // Default assumption
+						})
+					}
+				}
+			}
+		}
+	}
+
+	return relationshipWatches
+}
+
+// resolveTargetGVK attempts to resolve the target GVK for a relationship
+func (r *Service) resolveTargetGVK(targetKind string, sourceGVK schema.GroupVersionKind) schema.GroupVersionKind {
+	// Handle common RBAC relationships
+	switch targetKind {
+	case "Role":
+		return schema.GroupVersionKind{
+			Group:   "rbac.authorization.k8s.io",
+			Version: "v1",
+			Kind:    "Role",
+		}
+	case "ClusterRole":
+		return schema.GroupVersionKind{
+			Group:   "rbac.authorization.k8s.io",
+			Version: "v1",
+			Kind:    "ClusterRole",
+		}
+	case "ServiceAccount":
+		return schema.GroupVersionKind{
+			Group:   "",
+			Version: "v1",
+			Kind:    "ServiceAccount",
+		}
+	case "User", "Group":
+		// These are not Kubernetes resources, so we can't watch them
+		return schema.GroupVersionKind{}
+	default:
+		// For other kinds, assume same group/version as source
+		return schema.GroupVersionKind{
+			Group:   sourceGVK.Group,
+			Version: sourceGVK.Version,
+			Kind:    targetKind,
+		}
+	}
+}