Add provider side namespaces claims

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
On-behalf-of: @SAP mangirdas.judeikis@sap.com

Author: mjudeikis

backend/controllers/serviceexport/serviceexport_controller.go

@@ -55,6 +55,7 @@ type APIServiceExportReconciler struct {
 func NewAPIServiceExportReconciler(
 	ctx context.Context,
 	mgr mcmanager.Manager,
+	scope kubebindv1alpha2.InformerScope,
 	opts controller.TypedOptions[mcreconcile.Request],
 ) (*APIServiceExportReconciler, error) {
 	if err := mgr.GetFieldIndexer().IndexField(ctx, &kubebindv1alpha2.APIServiceExport{}, indexers.ServiceExportByBoundSchema,
@@ -66,6 +67,7 @@ func NewAPIServiceExportReconciler(
 		manager: mgr,
 		opts:    opts,
 		reconciler: reconciler{
+			scope: scope,
 			getBoundSchema: func(ctx context.Context, cache cache.Cache, namespace, name string) (*kubebindv1alpha2.BoundSchema, error) {
 				var schema kubebindv1alpha2.BoundSchema
 				key := types.NamespacedName{Namespace: namespace, Name: name}

backend/controllers/serviceexport/serviceexport_reconcile.go

@@ -31,6 +31,7 @@ import (
 )
 
 type reconciler struct {
+	scope          kubebindv1alpha2.InformerScope
 	getBoundSchema func(ctx context.Context, cache cache.Cache, namespace, name string) (*kubebindv1alpha2.BoundSchema, error)
 }
 
@@ -41,6 +42,12 @@ func (r *reconciler) reconcile(ctx context.Context, cache cache.Cache, export *k
 		errs = append(errs, err)
 	}
 
+	if r.scope == kubebindv1alpha2.ClusterScope {
+		if err := r.ensureClusterPermissions(ctx, cache, export); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	return utilerrors.NewAggregate(errs)
 }
 
@@ -86,3 +93,12 @@ func (r *reconciler) ensureSchema(ctx context.Context, cache cache.Cache, export
 
 	return nil
 }
+
+// ensureClusterPermissions ensures that the necessary cluster-wide permissions are in place for the exported APIs.
+// This runs only when backend is operating in ClusterScope. In this scenario, there might not yet be a namespace so
+// APIServiceNamespace reconciliation cannot be used.
+func (r *reconciler) ensureClusterPermissions(ctx context.Context, cache cache.Cache, export *kubebindv1alpha2.APIServiceExport) error {
+	// TODO(mjudeikis): implement this for cluster scoped resources.
+	// https://github.com/kube-bind/kube-bind/issues/344
+	return nil
+}

backend/controllers/serviceexportrequest/serviceexportrequest_reconcile.go

@@ -70,6 +70,11 @@ func (r *reconciler) reconcile(ctx context.Context, cl client.Client, cache cach
 		return fmt.Errorf("failed to ensure exports: %w", err)
 	}
 
+	if err := r.ensureAPIServiceNamespaces(ctx, cl, cache, req); err != nil {
+		conditions.SetSummary(req)
+		return fmt.Errorf("failed to ensure APIServiceNamespaces: %w", err)
+	}
+
 	// TODO(mjudeikis): we could potentially add finallizer to APIServiceExport above or "adopt" boundschemas
 	// with owner references once export is created.
 	// https://github.com/kube-bind/kube-bind/issues/297
@@ -367,3 +372,34 @@ func isClaimableAPI(claim kubebindv1alpha2.PermissionClaim) bool {
 	}
 	return false
 }
+
+func (r *reconciler) ensureAPIServiceNamespaces(ctx context.Context, cl client.Client, cache cache.Cache, req *kubebindv1alpha2.APIServiceExportRequest) error {
+	logger := klog.FromContext(ctx)
+
+	// TODO(mjudeikis): We have this object above already, pass it down to avoid extra get.
+	export := &kubebindv1alpha2.APIServiceExport{}
+	if err := cl.Get(ctx, client.ObjectKey{Namespace: req.Namespace, Name: req.Name}, export); err != nil {
+		return fmt.Errorf("failed to get APIServiceExport %s/%s: %w", req.Namespace, req.Name, err)
+	}
+
+	for _, ns := range req.Spec.Namespaces {
+		apiServiceNamespace := helpers.APIServiceNamespaceFromExport(export, ns.Name)
+		currentAPIServiceNamespace := &kubebindv1alpha2.APIServiceNamespace{}
+		err := cache.Get(ctx, client.ObjectKey{Namespace: apiServiceNamespace.Namespace, Name: apiServiceNamespace.Name}, currentAPIServiceNamespace)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				logger.V(1).Info("Creating APIServiceNamespace", "name", apiServiceNamespace.Name, "namespace", apiServiceNamespace.Namespace)
+				if err := cl.Create(ctx, apiServiceNamespace); err != nil {
+					if apierrors.IsAlreadyExists(err) {
+						continue
+					}
+					return err
+				}
+			} else {
+				return err
+			}
+		}
+	}
+
+	return nil
+}

backend/controllers/servicenamespace/servicenamespace_reconcile.go

@@ -106,7 +106,7 @@ func (c *reconciler) reconcile(ctx context.Context, client client.Client, cache
 					Rules: permissions,
 				}
 				// Create new ClusterRole
-				if err := client.Create(ctx, role); err != nil {
+				if err := client.Create(ctx, role); !errors.IsAlreadyExists(err) {
 					return fmt.Errorf("failed to create ClusterRole %s: %w", name, err)
 				}
 			} else {

backend/server.go

@@ -147,6 +147,7 @@ func NewServer(ctx context.Context, c *Config) (*Server, error) {
 	s.ServiceExport, err = serviceexport.NewAPIServiceExportReconciler(
 		ctx,
 		s.Config.Manager,
+		kubebindv1alpha2.InformerScope(c.Options.ConsumerScope),
 		opts,
 	)
 	if err != nil {

contrib/kcp/README.md

@@ -170,6 +170,8 @@ kubectl apply -f contrib/kcp/deploy/examples/sheriff.yaml
 ```
 
 
+
+
 ## Debug
 
 ```bash

contrib/kcp/deploy/resources/apiexport-kube-bind.io.yaml

@@ -54,7 +54,7 @@ spec:
       crd: {}
   - group: kube-bind.io
     name: apiserviceexportrequests
-    schema: v250929-62fc678.apiserviceexportrequests.kube-bind.io
+    schema: v251020-7892cc6.apiserviceexportrequests.kube-bind.io
     storage:
       crd: {}
   - group: kube-bind.io

contrib/kcp/deploy/resources/apiresourceschema-apiserviceexportrequests.kube-bind.io.yaml

@@ -2,7 +2,7 @@ apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
   creationTimestamp: null
-  name: v250929-62fc678.apiserviceexportrequests.kube-bind.io
+  name: v251020-7892cc6.apiserviceexportrequests.kube-bind.io
 spec:
   conversion:
     strategy: None
@@ -208,6 +208,25 @@ spec:
             spec specifies how an API service from a service provider should be bound in the
             local consumer cluster.
           properties:
+            namespaces:
+              description: |-
+                namespaces specifies the namespaces to bootstrap as part of this request.
+                When objects originate from provider side, the consumer does not always know the necessary details.
+                This field allows provider to pre-heat the necessary namespaces on provider side by creating
+                APIServiceNamespace objects attached to the APIServiceExport. More namespaces can be created later by the consumer.
+              items:
+                properties:
+                  name:
+                    description: name is the name of the namespace to create on provider
+                      side.
+                    type: string
+                required:
+                - name
+                type: object
+              type: array
+              x-kubernetes-validations:
+              - message: namespaces are immutable
+                rule: self == oldSelf
             parameters:
               description: |-
                 parameters holds service provider specific parameters for this binding

deploy/crd/kube-bind.io_apiserviceexportrequests.yaml

@@ -212,6 +212,25 @@ spec:
               spec specifies how an API service from a service provider should be bound in the
               local consumer cluster.
             properties:
+              namespaces:
+                description: |-
+                  namespaces specifies the namespaces to bootstrap as part of this request.
+                  When objects originate from provider side, the consumer does not always know the necessary details.
+                  This field allows provider to pre-heat the necessary namespaces on provider side by creating
+                  APIServiceNamespace objects attached to the APIServiceExport. More namespaces can be created later by the consumer.
+                items:
+                  properties:
+                    name:
+                      description: name is the name of the namespace to create on
+                        provider side.
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
+                x-kubernetes-validations:
+                - message: namespaces are immutable
+                  rule: self == oldSelf
               parameters:
                 description: |-
                   parameters holds service provider specific parameters for this binding

pkg/konnector/controllers/cluster/claimedresources/claimedresources_reconciler.go

@@ -31,8 +31,6 @@ import (
 	kubebindv1alpha2 "github.com/kube-bind/kube-bind/sdk/apis/kubebind/v1alpha2"
 )
 
-const label = "kube-bind.io/owner"
-
 type readReconciler struct {
 	getServiceNamespace  func(upstreamNamespace string) (*kubebindv1alpha2.APIServiceNamespace, error)
 	getProviderObject    func(ns, name string) (*unstructured.Unstructured, error)
@@ -185,7 +183,7 @@ func (r readReconciler) makeConsumerOwner(obj *unstructured.Unstructured) {
 	if a == nil {
 		a = map[string]string{}
 	}
-	a[label] = string(kubebindv1alpha2.OwnerConsumer)
+	a[kubebindv1alpha2.ObjectOwnerLabel] = string(kubebindv1alpha2.OwnerConsumer)
 	obj.SetLabels(a)
 }
 
@@ -194,7 +192,7 @@ func (r readReconciler) makeProviderOwner(obj *unstructured.Unstructured) {
 	if a == nil {
 		a = map[string]string{}
 	}
-	a[label] = string(kubebindv1alpha2.OwnerProvider)
+	a[kubebindv1alpha2.ObjectOwnerLabel] = string(kubebindv1alpha2.OwnerProvider)
 	obj.SetLabels(a)
 }
 
@@ -237,7 +235,7 @@ func candidateFromOwnerObj(downstreamNS string, obj *unstructured.Unstructured)
 // consumer or provider side.
 func determineOwner(providerObj, consumerObj *unstructured.Unstructured) (kubebindv1alpha2.Owner, error) {
 	if providerObj != nil {
-		ownerLabel := providerObj.GetLabels()[label]
+		ownerLabel := providerObj.GetLabels()[kubebindv1alpha2.ObjectOwnerLabel]
 		switch ownerLabel {
 		case kubebindv1alpha2.OwnerProvider.String():
 			return kubebindv1alpha2.OwnerProvider, nil
@@ -250,7 +248,7 @@ func determineOwner(providerObj, consumerObj *unstructured.Unstructured) (kubebi
 	}
 
 	if consumerObj != nil {
-		ownerLabel := consumerObj.GetLabels()[label]
+		ownerLabel := consumerObj.GetLabels()[kubebindv1alpha2.ObjectOwnerLabel]
 		switch ownerLabel {
 		case kubebindv1alpha2.OwnerProvider.String():
 			return kubebindv1alpha2.OwnerProvider, nil