Rename clusterscopeisolation to isolation

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
On-behalf-of: @SAP mangirdas.judeikis@sap.com

Author: mjudeikis

backend/controllers/serviceexportrequest/serviceexportrequest_controller.go

@@ -49,9 +49,9 @@ type APIServiceExportRequestReconciler struct {
 	manager mcmanager.Manager
 	opts    controller.TypedOptions[mcreconcile.Request]
 
-	informerScope          kubebindv1alpha2.InformerScope
-	clusterScopedIsolation kubebindv1alpha2.Isolation
-	reconciler             reconciler
+	informerScope kubebindv1alpha2.InformerScope
+	isolation     kubebindv1alpha2.Isolation
+	reconciler    reconciler
 }
 
 // NewAPIServiceExportRequestReconciler returns a new APIServiceExportRequestReconciler to reconcile APIServiceExportRequests.
@@ -75,14 +75,14 @@ func NewAPIServiceExportRequestReconciler(
 	}
 
 	r := &APIServiceExportRequestReconciler{
-		manager:                mgr,
-		opts:                   opts,
-		informerScope:          scope,
-		clusterScopedIsolation: isolation,
+		manager:       mgr,
+		opts:          opts,
+		informerScope: scope,
+		isolation:     isolation,
 		reconciler: reconciler{
-			informerScope:          scope,
-			clusterScopedIsolation: isolation,
-			schemaSource:           schemaSource,
+			informerScope: scope,
+			isolation:     isolation,
+			schemaSource:  schemaSource,
 			getBoundSchema: func(ctx context.Context, cl client.Client, namespace, name string) (*kubebindv1alpha2.BoundSchema, error) {
 				var schema kubebindv1alpha2.BoundSchema
 				key := types.NamespacedName{Namespace: namespace, Name: name}

backend/controllers/serviceexportrequest/serviceexportrequest_reconcile.go

@@ -40,9 +40,9 @@ import (
 )
 
 type reconciler struct {
-	informerScope          kubebindv1alpha2.InformerScope
-	clusterScopedIsolation kubebindv1alpha2.Isolation
-	schemaSource           string
+	informerScope kubebindv1alpha2.InformerScope
+	isolation     kubebindv1alpha2.Isolation
+	schemaSource  string
 
 	getBoundSchema    func(ctx context.Context, cl client.Client, namespace, name string) (*kubebindv1alpha2.BoundSchema, error)
 	createBoundSchema func(ctx context.Context, cl client.Client, schema *kubebindv1alpha2.BoundSchema) error
@@ -134,7 +134,7 @@ func (r *reconciler) getExportedSchemas(ctx context.Context, cl client.Client) (
 	return boundSchemas, nil
 }
 
-func (r *reconciler) ensureBoundSchemas(ctx context.Context, cl client.Client, cache cache.Cache, req *kubebindv1alpha2.APIServiceExportRequest) error {
+func (r *reconciler) ensureBoundSchemas(ctx context.Context, cl client.Client, _ cache.Cache, req *kubebindv1alpha2.APIServiceExportRequest) error {
 	exportedSchemas, err := r.getExportedSchemas(ctx, cl)
 	if err != nil {
 		return err
@@ -167,7 +167,7 @@ func (r *reconciler) ensureBoundSchemas(ctx context.Context, cl client.Client, c
 				// we need to rewrite the BoundSchema's scope accordingly. For all
 				// other isolation strategies, as well as for namespaced schemas,
 				// no changes are necessary.
-				if boundSchema.Spec.Scope == apiextensionsv1.NamespaceScoped && r.clusterScopedIsolation == kubebindv1alpha2.IsolationNamespaced {
+				if boundSchema.Spec.Scope == apiextensionsv1.NamespaceScoped && r.isolation == kubebindv1alpha2.IsolationNamespaced {
 					boundSchema.Spec.Scope = apiextensionsv1.ClusterScoped
 				}
 
@@ -185,7 +185,6 @@ func (r *reconciler) ensureExports(ctx context.Context, cl client.Client, cache
 	logger := klog.FromContext(ctx)
 
 	var schemas []*kubebindv1alpha2.BoundSchema
-	var scope apiextensionsv1.ResourceScope
 	if req.Status.Phase == kubebindv1alpha2.APIServiceExportRequestPhasePending {
 		for _, res := range req.Spec.Resources {
 			name := res.ResourceGroupName()
@@ -207,7 +206,6 @@ func (r *reconciler) ensureExports(ctx context.Context, cl client.Client, cache
 
 			// Collect all schemas for hashing.
 			// TODO(mjudeikis) Scope is same for all crds so we keep stamping it over. We might want to change this
-			scope = boundSchema.Spec.Scope
 			schemas = append(schemas, boundSchema)
 		}
 
@@ -236,11 +234,9 @@ func (r *reconciler) ensureExports(ctx context.Context, cl client.Client, cache
 			},
 			Spec: kubebindv1alpha2.APIServiceExportSpec{
 				InformerScope: r.informerScope,
+				Isolation:     r.isolation,
 			},
 		}
-		if scope == apiextensionsv1.ClusterScoped {
-			export.Spec.ClusterScopedIsolation = r.clusterScopedIsolation
-		}
 
 		for _, res := range req.Spec.Resources {
 			export.Spec.Resources = append(export.Spec.Resources, kubebindv1alpha2.APIServiceExportResource{

backend/controllers/servicenamespace/servicenamespace_controller.go

@@ -50,9 +50,9 @@ type APIServiceNamespaceReconciler struct {
 	manager mcmanager.Manager
 	opts    controller.TypedOptions[mcreconcile.Request]
 
-	informerScope          kubebindv1alpha2.InformerScope
-	clusterScopedIsolation kubebindv1alpha2.Isolation
-	reconciler             reconciler
+	informerScope kubebindv1alpha2.InformerScope
+	isolation     kubebindv1alpha2.Isolation
+	reconciler    reconciler
 }
 
 // NewAPIServiceNamespaceReconciler returns a new APIServiceNamespaceReconciler to reconcile APIServiceNamespaces.
@@ -70,10 +70,10 @@ func NewAPIServiceNamespaceReconciler(
 	}
 
 	r := &APIServiceNamespaceReconciler{
-		manager:                mgr,
-		opts:                   opts,
-		informerScope:          scope,
-		clusterScopedIsolation: isolation,
+		manager:       mgr,
+		opts:          opts,
+		informerScope: scope,
+		isolation:     isolation,
 		reconciler: reconciler{
 			scope: scope,
 

backend/oidc/oidc_test.go

@@ -53,6 +53,7 @@ func TestLoadTLSConfig_Success(t *testing.T) {
 	// Verify the TLS config was created
 	if config == nil {
 		t.Fatal("Expected non-nil TLS config")
+		return
 	}
 
 	if config.RootCAs == nil {
@@ -194,6 +195,7 @@ func TestLoadTLSConfig_MultipleCerts(t *testing.T) {
 	// Verify the TLS config was created
 	if config == nil {
 		t.Fatal("Expected non-nil TLS config")
+		return
 	}
 
 	if config.RootCAs == nil {

backend/options/options.go

@@ -48,14 +48,14 @@ type ExtraOptions struct {
 
 	Provider string
 
-	NamespacePrefix        string
-	PrettyName             string
-	ConsumerScope          string
-	ClusterScopedIsolation string
-	ExternalAddress        string
-	ExternalCAFile         string
-	ExternalCA             []byte
-	TLSExternalServerName  string
+	NamespacePrefix       string
+	PrettyName            string
+	ConsumerScope         string
+	Isolation             string
+	ExternalAddress       string
+	ExternalCAFile        string
+	ExternalCA            []byte
+	TLSExternalServerName string
 	// Defines the source of the schema for the bind screen.
 	// Options are:
 	// CustomResourceDefinition.v1.apiextensions.k8s.io
@@ -101,14 +101,14 @@ func NewOptions() *Options {
 		ProviderKcp: providerkcp.NewOptions(),
 
 		ExtraOptions: ExtraOptions{
-			Provider:               "kubernetes",
-			NamespacePrefix:        "cluster-",
-			PrettyName:             "Backend",
-			ConsumerScope:          string(kubebindv1alpha2.NamespacedScope),
-			ClusterScopedIsolation: string(kubebindv1alpha2.IsolationPrefixed),
-			SchemaSource:           CustomResourceDefinitionSource.String(),
-			Frontend:               "embedded", // Not used, but indicates to use embedded frontend using SPA.
-			TokenExpiry:            1 * time.Hour,
+			Provider:        "kubernetes",
+			NamespacePrefix: "cluster-",
+			PrettyName:      "Backend",
+			ConsumerScope:   string(kubebindv1alpha2.NamespacedScope),
+			Isolation:       string(kubebindv1alpha2.IsolationPrefixed),
+			SchemaSource:    CustomResourceDefinitionSource.String(),
+			Frontend:        "embedded", // Not used, but indicates to use embedded frontend using SPA.
+			TokenExpiry:     1 * time.Hour,
 		},
 	}
 	return opts
@@ -151,7 +151,10 @@ func (options *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&options.NamespacePrefix, "namespace-prefix", options.NamespacePrefix, "The prefix to use for cluster namespaces")
 	fs.StringVar(&options.PrettyName, "pretty-name", options.PrettyName, "Pretty name for the backend")
 	fs.StringVar(&options.ConsumerScope, "consumer-scope", options.ConsumerScope, "How consumers access the service provider cluster. In Kubernetes, \"namespaced\" allows namespace isolation. In kcp, \"cluster\" allows workspace isolation, and with that allows cluster-scoped resources to bind and it is generally more performant.")
-	fs.StringVar(&options.ClusterScopedIsolation, "cluster-scoped-isolation", options.ClusterScopedIsolation, "How cluster scoped service objects are isolated between multiple consumers on the provider side. Among the choices, \"prefixed\" prepends the name of the cluster namespace to an object's name; \"namespaced\" maps a consumer side object into a namespaced object inside the corresponding cluster namespace; \"none\" is used for the case of a dedicated provider where isolation is not necessary.")
+	// TODO(mjudeikis): remove deprecated flag in future release
+	fs.StringVar(&options.Isolation, "cluster-scoped-isolation", options.Isolation, "How cluster scoped service objects are isolated between multiple consumers on the provider side. Among the choices, \"prefixed\" prepends the name of the cluster namespace to an object's name; \"namespaced\" maps a consumer side object into a namespaced object inside the corresponding cluster namespace; \"none\" is used for the case of a dedicated provider where isolation is not necessary.")
+	_ = fs.MarkDeprecated("cluster-scoped-isolation", "use --isolation instead")
+	fs.StringVar(&options.Isolation, "isolation", options.Isolation, "Deprecated: use --cluster-scoped-isolation instead. How cluster scoped service objects are isolated between multiple consumers on the provider side. Among the choices, \"prefixed\" prepends the name of the cluster namespace to an object's name; \"namespaced\" maps a consumer side object into a namespaced object inside the corresponding cluster namespace; \"none\" is used for the case of a dedicated provider where isolation is not necessary.")
 	fs.StringVar(&options.ExternalAddress, "external-address", options.ExternalAddress, "The external address for the service provider cluster, including https:// and port. If not specified, service account's hosts are used.")
 	fs.StringVar(&options.ExternalCAFile, "external-ca-file", options.ExternalCAFile, "The external CA file for the service provider cluster. If not specified, service account's CA is used.")
 	fs.StringVar(&options.TLSExternalServerName, "external-server-name", options.TLSExternalServerName, "The external (TLS) server name used by consumers to talk to the service provider cluster. This can be useful to select the right certificate via SNI.")
@@ -200,13 +203,13 @@ func (options *Options) Complete() (*CompletedOptions, error) {
 	if strings.ToLower(options.ConsumerScope) == "cluster" {
 		options.ConsumerScope = string(kubebindv1alpha2.ClusterScope)
 	}
-	switch strings.ToLower(options.ClusterScopedIsolation) {
+	switch strings.ToLower(options.Isolation) {
 	case "prefixed":
-		options.ClusterScopedIsolation = string(kubebindv1alpha2.IsolationPrefixed)
+		options.Isolation = string(kubebindv1alpha2.IsolationPrefixed)
 	case "namespaced":
-		options.ClusterScopedIsolation = string(kubebindv1alpha2.IsolationNamespaced)
+		options.Isolation = string(kubebindv1alpha2.IsolationNamespaced)
 	case "none":
-		options.ClusterScopedIsolation = string(kubebindv1alpha2.IsolationNone)
+		options.Isolation = string(kubebindv1alpha2.IsolationNone)
 	}
 
 	if options.ExternalCAFile != "" && options.ExternalCA != nil {

backend/server.go

@@ -179,7 +179,7 @@ func NewServer(ctx context.Context, c *Config) (*Server, error) {
 		s.Config.Manager,
 		opts,
 		kubebindv1alpha2.InformerScope(c.Options.ConsumerScope),
-		kubebindv1alpha2.Isolation(c.Options.ClusterScopedIsolation),
+		kubebindv1alpha2.Isolation(c.Options.Isolation),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("error setting up APIServiceNamespace Controller: %w", err)
@@ -195,7 +195,7 @@ func NewServer(ctx context.Context, c *Config) (*Server, error) {
 		s.Config.Manager,
 		opts,
 		kubebindv1alpha2.InformerScope(c.Options.ConsumerScope),
-		kubebindv1alpha2.Isolation(c.Options.ClusterScopedIsolation),
+		kubebindv1alpha2.Isolation(c.Options.Isolation),
 		c.Options.SchemaSource,
 	)
 	if err != nil {

contrib/kcp/deploy/resources/apiexport-kube-bind.io.yaml

@@ -62,7 +62,7 @@ spec:
       crd: {}
   - group: kube-bind.io
     name: apiserviceexports
-    schema: v251112-503d98b.apiserviceexports.kube-bind.io
+    schema: v251230-e36591a1.apiserviceexports.kube-bind.io
     storage:
       crd: {}
   - group: kube-bind.io

contrib/kcp/deploy/resources/apiresourceschema-apiserviceexports.kube-bind.io.yaml

@@ -1,7 +1,7 @@
 apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
-  name: v251112-503d98b.apiserviceexports.kube-bind.io
+  name: v251230-e36591a1.apiserviceexports.kube-bind.io
 spec:
   conversion:
     strategy: None
@@ -466,11 +466,15 @@ spec:
               description: |-
                 ClusterScopedIsolation specifies how cluster scoped service objects are isolated between multiple consumers on the provider side.
                 It can be "Prefixed", "Namespaced", or "None".
+                Deprecated: use Isolation instead.
               enum:
               - Prefixed
               - Namespaced
               - None
               type: string
+              x-kubernetes-validations:
+              - message: clusterScopedIsolation is immutable
+                rule: self == oldSelf
             informerScope:
               description: |-
                 informerScope is the scope of the APIServiceExport. It can be either Cluster or Namespace.
@@ -486,6 +490,18 @@ spec:
               x-kubernetes-validations:
               - message: informerScope is immutable
                 rule: self == oldSelf
+            isolation:
+              description: |-
+                Isolation specifies how service objects are isolated between multiple consumers on the provider side.
+                It can be "Prefixed", "Namespaced", or "None".
+              enum:
+              - Prefixed
+              - Namespaced
+              - None
+              type: string
+              x-kubernetes-validations:
+              - message: isolation is immutable
+                rule: self == oldSelf
             permissionClaims:
               description: |-
                 PermissionClaims records decisions about permission claims requested by the service provider.
@@ -670,6 +686,7 @@ spec:
                 rule: self == oldSelf
           required:
           - informerScope
+          - isolation
           - resources
           type: object
         status:

deploy/charts/backend/crds/kube-bind.io_apiserviceexports.yaml

@@ -469,11 +469,15 @@ spec:
                 description: |-
                   ClusterScopedIsolation specifies how cluster scoped service objects are isolated between multiple consumers on the provider side.
                   It can be "Prefixed", "Namespaced", or "None".
+                  Deprecated: use Isolation instead.
                 enum:
                 - Prefixed
                 - Namespaced
                 - None
                 type: string
+                x-kubernetes-validations:
+                - message: clusterScopedIsolation is immutable
+                  rule: self == oldSelf
               informerScope:
                 description: |-
                   informerScope is the scope of the APIServiceExport. It can be either Cluster or Namespace.
@@ -489,6 +493,18 @@ spec:
                 x-kubernetes-validations:
                 - message: informerScope is immutable
                   rule: self == oldSelf
+              isolation:
+                description: |-
+                  Isolation specifies how service objects are isolated between multiple consumers on the provider side.
+                  It can be "Prefixed", "Namespaced", or "None".
+                enum:
+                - Prefixed
+                - Namespaced
+                - None
+                type: string
+                x-kubernetes-validations:
+                - message: isolation is immutable
+                  rule: self == oldSelf
               permissionClaims:
                 description: |-
                   PermissionClaims records decisions about permission claims requested by the service provider.
@@ -673,6 +689,7 @@ spec:
                   rule: self == oldSelf
             required:
             - informerScope
+            - isolation
             - resources
             type: object
           status:

deploy/charts/backend/templates/deployment.yaml

@@ -76,8 +76,8 @@ spec:
             {{- if .Values.backend.consumerScope }}
             - --consumer-scope={{ .Values.backend.consumerScope }}
             {{- end }}
-            {{- if .Values.backend.clusterScopeIsolation }}
-            - --cluster-scoped-isolation={{ .Values.backend.clusterScopeIsolation }}
+            {{- if .Values.backend.isolation }}
+            - --isolation={{ .Values.backend.isolation }}
             {{- end }}
             {{- if .Values.backend.cookieSigningKey }}
             - --cookie-signing-key={{ .Values.backend.cookieSigningKey }}