WIP

On-behalf-of: @SAP christoph.mewes@sap.com

Author: xrstf

deploy/crd/kcp.io/syncagent.kcp.io_publishedresources.yaml

@@ -373,7 +373,11 @@ spec:
                           provided by an APIExport and not Kube-native.
                         type: string
                       kind:
-                        description: Kind is the object kind of the related resource (for example "Secret").
+                        description: |-
+                          Kind is the object kind of the related resource (for example "Secret").
+
+                          Deprecated: Use "Resource" instead. This field is limited to "ConfigMap" and "Secret" and will
+                          be removed in the future. Kind and Resource cannot be specified at the same time.
                         type: string
                       mutation:
                         description: |-
@@ -710,21 +714,23 @@ spec:
                           group:
                             description: The API group, for example "myservice.example.com". Leave empty to not modify the API group.
                             type: string
-                          kind:
-                            description: The resource Kind, for example "Database". Leave empty to not modify the kind.
+                          resource:
+                            description: The resource name, for example "databases". Leave empty to not modify the resource.
                             type: string
                           version:
                             description: The API version, for example "v1beta1". Leave empty to not modify the version.
                             type: string
                         type: object
+                      resource:
+                        description: Resource is the name of the related resource (for example "secrets").
+                        type: string
                       version:
                         description: |-
                           Version is the API version of the related resource. This can be left blank to automatically
                           use the preferred version.
                         type: string
                     required:
                       - identifier
-                      - kind
                       - object
                       - origin
                     type: object

hack/update-codegen-sdk.sh

@@ -39,6 +39,10 @@ $GOBIN/controller-gen \
   "object:headerFile=$BOILERPLATE_HEADER" \
   paths=./internal/sync/apis/...
 
+$GOBIN/controller-gen \
+  "object:headerFile=$BOILERPLATE_HEADER" \
+  paths=./test/crds/...
+
 cd sdk
 rm -rf -- applyconfiguration clientset informers listers
 

internal/controller/apiexport/controller.go

@@ -28,12 +28,14 @@ import (
 	predicateutil "github.com/kcp-dev/api-syncagent/internal/controllerutil/predicate"
 	"github.com/kcp-dev/api-syncagent/internal/projection"
 	"github.com/kcp-dev/api-syncagent/internal/resources/reconciling"
+	"github.com/kcp-dev/api-syncagent/internal/validation"
 	syncagentv1alpha1 "github.com/kcp-dev/api-syncagent/sdk/apis/syncagent/v1alpha1"
 
 	kcpdevv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha1"
 
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -110,10 +112,16 @@ func Add(
 
 func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	r.log.Debug("Processing")
-	return reconcile.Result{}, r.reconcile(ctx)
+
+	apiExport := &kcpdevv1alpha1.APIExport{}
+	if err := r.kcpClient.Get(ctx, types.NamespacedName{Name: r.apiExportName}, apiExport); err != nil {
+		return reconcile.Result{}, ctrlruntimeclient.IgnoreNotFound(err)
+	}
+
+	return reconcile.Result{}, r.reconcile(ctx, apiExport)
 }
 
-func (r *Reconciler) reconcile(ctx context.Context) error {
+func (r *Reconciler) reconcile(ctx context.Context, apiExport *kcpdevv1alpha1.APIExport) error {
 	// find all PublishedResources
 	pubResources := &syncagentv1alpha1.PublishedResourceList{}
 	if err := r.localClient.List(ctx, pubResources, &ctrlruntimeclient.ListOptions{
@@ -122,22 +130,45 @@ func (r *Reconciler) reconcile(ctx context.Context) error {
 		return fmt.Errorf("failed to list PublishedResources: %w", err)
 	}
 
-	// filter out those PRs that have not yet been processed into an ARS
+	// filter out those PRs that have not yet been processed into an ARS or that are invalid
 	filteredPubResources := slices.DeleteFunc(pubResources.Items, func(pr syncagentv1alpha1.PublishedResource) bool {
+		// TODO: Turn this into a webhook or CEL expressions.
+		if err := validation.ValidatePublishedResource(&pr); err != nil {
+			r.log.With("pr", pr.Name, "error", err).Warn("Ignoring invalid PublishedResource.")
+			return true
+		}
+
 		return pr.Status.ResourceSchemaName == ""
 	})
 
 	// for each PR, we note down the created ARS and also the GVKs of related resources
-	arsList := sets.New[string]()
-	claimedResources := sets.New[permissionClaim]()
+	newARSList := sets.New[string]()
+	for _, pubResource := range filteredPubResources {
+		newARSList.Insert(pubResource.Status.ResourceSchemaName)
+	}
 
-	// PublishedResources use kinds, but the PermissionClaims use resource names (plural),
-	// so we must translate accordingly
-	mapper := r.kcpClient.RESTMapper()
+	// To determine if the GVR of a related resource needs to be listed as a permission claim,
+	// we first need to figure out all the GVRs our APIExport contains. This is not just the
+	// list of ARS we just built, but also potentially other ARS's that exist in the APIExport
+	// and that we would not touch.
+	allARSList := mergeResourceSchemas(apiExport.Spec.LatestResourceSchemas, newARSList)
+
+	// turn the flat list of schema names ("version.resource.group") into a lookup table consisting
+	// of group/resource only
+	ourOwnResources := sets.New[schema.GroupResource]()
+	for _, schemaName := range allARSList {
+		gvr, err := parseSchemaName(schemaName)
+		if err != nil {
+			return fmt.Errorf("failed to assemble own resources: %w", err)
+		}
 
-	for _, pubResource := range filteredPubResources {
-		arsList.Insert(pubResource.Status.ResourceSchemaName)
+		ourOwnResources.Insert(gvr.GroupResource())
+	}
+
+	// Now we can finally assemble the list of required permission claims.
+	claimedResources := sets.New[permissionClaim]()
 
+	for _, pubResource := range filteredPubResources {
 		// to evaluate the namespace filter, the agent needs to fetch the namespace
 		if filter := pubResource.Spec.Filter; filter != nil && filter.Namespace != nil {
 			claimedResources.Insert(permissionClaim{
@@ -153,40 +184,27 @@ func (r *Reconciler) reconcile(ctx context.Context) error {
 			})
 		}
 
-		// Add a claim for every related resource, but make sure to project the GVK
-		// of related resources to their kcp-side equivalent first if they originate
-		// on the service cluster.
+		// Add a claim for every foreign (!) related resource, but make sure to
+		// project the GVR of related resources to their kcp-side equivalent first
+		// if they originate on the service cluster.
 		for _, rr := range pubResource.Spec.Related {
-			kcpGVK := projection.RelatedResourceKcpGVK(&rr)
-
-			versions := []string{}
-			if kcpGVK.Version != "" {
-				versions = append(versions, kcpGVK.Version)
-			}
-
-			mapping, err := mapper.RESTMapping(schema.GroupKind{
-				Group: kcpGVK.Group,
-				Kind:  kcpGVK.Kind,
-			}, versions...)
-			if err != nil {
-				return fmt.Errorf("unknown related resource kind %q: %w", rr.Kind, err)
-			}
+			kcpGVR := projection.RelatedResourceKcpGVR(&rr)
 
+			// We always want to see namespaces, for simplicity. Technically if we knew the scope
+			// of every related resource, we could determine if a namespace claim is truly necessary.
 			claimedResources.Insert(permissionClaim{
-				Group:        kcpGVK.Group,
-				Resource:     mapping.Resource.Resource,
-				IdentityHash: rr.IdentityHash,
+				Group:    "",
+				Resource: "namespaces",
 			})
-		}
-	}
 
-	// We always want to see namespaces, for simplicity. Technically if we knew the scope
-	// of every related resource, we could determine if a namespace claim is truly necessary.
-	if claimedResources.Len() > 0 {
-		claimedResources.Insert(permissionClaim{
-			Group:    "",
-			Resource: "namespaces",
-		})
+			if !ourOwnResources.Has(kcpGVR.GroupResource()) {
+				claimedResources.Insert(permissionClaim{
+					Group:        kcpGVR.Group,
+					Resource:     kcpGVR.Resource,
+					IdentityHash: rr.IdentityHash,
+				})
+			}
+		}
 	}
 
 	// We always want to create events.
@@ -195,14 +213,9 @@ func (r *Reconciler) reconcile(ctx context.Context) error {
 		Resource: "events",
 	})
 
-	if arsList.Len() == 0 {
-		r.log.Debug("No ready PublishedResources available.")
-		return nil
-	}
-
 	// reconcile an APIExport in kcp
 	factories := []reconciling.NamedAPIExportReconcilerFactory{
-		r.createAPIExportReconciler(arsList, claimedResources, r.agentName, r.apiExportName, r.recorder),
+		r.createAPIExportReconciler(newARSList, claimedResources, r.agentName, r.apiExportName, r.recorder),
 	}
 
 	if err := reconciling.ReconcileAPIExports(ctx, factories, "", r.kcpClient); err != nil {

internal/controller/apiexport/reconciler.go

@@ -28,6 +28,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/record"
 )
@@ -179,8 +180,23 @@ func createSchemaEvents(obj runtime.Object, oldSchemas, newSchemas []string, rec
 }
 
 func parseResourceGroup(schema string) string {
+	gvr, _ := parseSchemaName(schema)
+	return gvr.GroupResource().String()
+}
+
+// parseSchemaName parses an APIResourceSchema name and returns it in form of
+// a GVR. Note: the version in the result will not be a Kubernetes version, but
+// the version of the ARS!
+func parseSchemaName(name string) (schema.GroupVersionResource, error) {
 	// <version>.<resource>.<group>
-	parts := strings.SplitN(schema, ".", 2)
+	parts := strings.SplitN(name, ".", 3)
+	if len(parts) != 3 {
+		return schema.GroupVersionResource{}, fmt.Errorf("invalid schema name %q, must consist of version.resource.group.", name)
+	}
 
-	return parts[1]
+	return schema.GroupVersionResource{
+		Group:    parts[2],
+		Version:  parts[0],
+		Resource: parts[1],
+	}, nil
 }

internal/controller/syncmanager/controller.go

@@ -28,6 +28,7 @@ import (
 	"github.com/kcp-dev/api-syncagent/internal/controllerutil"
 	"github.com/kcp-dev/api-syncagent/internal/controllerutil/predicate"
 	"github.com/kcp-dev/api-syncagent/internal/discovery"
+	"github.com/kcp-dev/api-syncagent/internal/validation"
 	syncagentv1alpha1 "github.com/kcp-dev/api-syncagent/sdk/apis/syncagent/v1alpha1"
 
 	kcpapisv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha1"
@@ -415,6 +416,12 @@ func isSyncEnabled(pr *syncagentv1alpha1.PublishedResource) bool {
 func (r *Reconciler) ensureSyncControllers(ctx context.Context, log *zap.SugaredLogger, publishedResources []syncagentv1alpha1.PublishedResource) error {
 	requiredWorkers := sets.New[string]()
 	for _, pr := range publishedResources {
+		// TODO: Turn this into a webhook or CEL expressions.
+		if err := validation.ValidatePublishedResource(&pr); err != nil {
+			r.log.With("pr", pr.Name, "error", err).Warn("Ignoring invalid PublishedResource.")
+			continue
+		}
+
 		if isSyncEnabled(&pr) {
 			requiredWorkers.Insert(getPublishedResourceKey(&pr))
 		}

internal/projection/projection.go

@@ -113,57 +113,64 @@ func ProjectCRD(crd *apiextensionsv1.CustomResourceDefinition, pubRes *syncagent
 	return result, nil
 }
 
-// RelatedResourceProjectedGVK returns the effective GVK on the destination side,
-// after the projection rules for the related resource have been applied.
-func RelatedResourceProjectedGVK(rr *syncagentv1alpha1.RelatedResourceSpec) schema.GroupVersionKind {
-	resultGVK := schema.GroupVersionKind{
-		Group:   rr.Group,
-		Version: rr.Version,
-		Kind:    rr.Kind,
+func RelatedResourceGVR(rr *syncagentv1alpha1.RelatedResourceSpec) schema.GroupVersionResource {
+	resultGVR := schema.GroupVersionResource{
+		Group:    rr.Group,
+		Version:  rr.Version,
+		Resource: rr.Resource,
+	}
+
+	// handle legacy kinds
+	//nolint:staticcheck
+	switch rr.Kind {
+	case "ConfigMap":
+		resultGVR.Resource = "configmaps"
+	case "Secret":
+		resultGVR.Resource = "secrets"
 	}
 
+	return resultGVR
+}
+
+// RelatedResourceProjectedGVR returns the effective GVR on the destination side,
+// after the projection rules for the related resource have been applied.
+func RelatedResourceProjectedGVR(rr *syncagentv1alpha1.RelatedResourceSpec) schema.GroupVersionResource {
+	resultGVR := RelatedResourceGVR(rr)
+
 	projection := rr.Projection
 	if projection == nil {
-		return resultGVK
+		return resultGVR
 	}
 
 	if projection.Group != "" {
-		resultGVK.Group = projection.Group
+		resultGVR.Group = projection.Group
 	}
 
 	if projection.Version != "" {
-		resultGVK.Version = projection.Version
+		resultGVR.Version = projection.Version
 	}
 
-	if projection.Kind != "" {
-		resultGVK.Kind = projection.Kind
+	if projection.Resource != "" {
+		resultGVR.Resource = projection.Resource
 	}
 
-	return resultGVK
+	return resultGVR
 }
 
-func RelatedResourceKcpGVK(rr *syncagentv1alpha1.RelatedResourceSpec) schema.GroupVersionKind {
+func RelatedResourceKcpGVR(rr *syncagentv1alpha1.RelatedResourceSpec) schema.GroupVersionResource {
 	if rr.Origin == syncagentv1alpha1.RelatedResourceOriginKcp {
-		return schema.GroupVersionKind{
-			Group:   rr.Group,
-			Version: rr.Version,
-			Kind:    rr.Kind,
-		}
+		return RelatedResourceGVR(rr)
 	}
 
-	return RelatedResourceProjectedGVK(rr)
+	return RelatedResourceProjectedGVR(rr)
 }
 
-func RelatedResourceServiceGVK(rr *syncagentv1alpha1.RelatedResourceSpec) schema.GroupVersionKind {
+func RelatedResourceServiceGVK(rr *syncagentv1alpha1.RelatedResourceSpec) schema.GroupVersionResource {
 	if rr.Origin == syncagentv1alpha1.RelatedResourceOriginService {
-		return schema.GroupVersionKind{
-			Group:   rr.Group,
-			Version: rr.Version,
-			Kind:    rr.Kind,
-		}
+		return RelatedResourceGVR(rr)
 	}
 
-	return RelatedResourceProjectedGVK(rr)
+	return RelatedResourceProjectedGVR(rr)
 }
 
 func stripUnwantedVersions(crd *apiextensionsv1.CustomResourceDefinition, pubRes *syncagentv1alpha1.PublishedResource) (*apiextensionsv1.CustomResourceDefinition, error) {