add identity resolution

Author: mjudeikis

v2/README.md

@@ -49,6 +49,11 @@ v2/
   multi-version) are accepted; the provider stays the enforcing side.
 - The konnector maintains a `coordination.k8s.io/Lease` per Connection on the
   provider (heartbeat) — the hook a service-layer reaper keys off.
+- **kcp-aware cluster identity**: the provider's stable identity is the kcp
+  `LogicalCluster` ("cluster") UID when present (a kcp workspace serves
+  `core.kcp.io`, and has no `kube-system`), falling back to the `kube-system`
+  namespace UID on plain Kubernetes. A provider RBAC denial on the identity read
+  surfaces as `PermissionDenied`.
 - `relatedResources` sync selected Secrets/ConfigMaps in the declared direction,
   scoped like the binding, GC'd when they stop matching or on unbind.
 - The provider side is the **multicluster-runtime engaged cluster** for each
@@ -67,9 +72,7 @@ v2/
 
 Known POC simplifications (tracked against the proposal): the `Mapper`
 extension is not implemented; OpenAPI synthesis is best-effort (fidelity limits
-above); cluster identity still derives from the `kube-system` namespace UID, so
-true kcp logical clusters (no kube-system) need an alternative identity source;
-and syncer stop-on-disengage + productionization (RBAC/HA/Helm) remain.
+above); and syncer stop-on-disengage + productionization (RBAC/HA/Helm) remain.
 
 ## Build
 

v2/konnector/engine/remote/remote.go

@@ -23,7 +23,10 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
@@ -72,18 +75,37 @@ func RestConfigFromConnection(ctx context.Context, c client.Client, conn *corev1
 	return cfg, nil
 }
 
-// ClusterUID returns a stable identity for the cluster behind c, derived from
-// the kube-system namespace UID. This works on plain Kubernetes providers.
+// logicalClusterGVK is kcp's per-workspace singleton identity object.
+var logicalClusterGVK = schema.GroupVersionKind{Group: "core.kcp.io", Version: "v1alpha1", Kind: "LogicalCluster"}
+
+// ClusterUID returns a stable identity for the cluster behind c. It tries, in
+// order:
+//   - the kcp LogicalCluster "cluster" object's UID (kcp / logical clusters,
+//     which have no kube-system namespace) — preferred when present, since only
+//     a kcp-shaped cluster serves core.kcp.io; then
+//   - the kube-system namespace UID (plain Kubernetes).
 //
-// TODO(v2): kcp / logical-cluster providers have no kube-system namespace; the
-// OpenAPI path will need a different identity source (proposal gap #7).
+// A Forbidden error from a source is surfaced (so the caller can report
+// PermissionDenied) rather than silently falling through.
 func ClusterUID(ctx context.Context, c client.Client) (string, error) {
+	lc := &unstructured.Unstructured{}
+	lc.SetGroupVersionKind(logicalClusterGVK)
+	lcErr := c.Get(ctx, types.NamespacedName{Name: "cluster"}, lc)
+	if lcErr == nil && lc.GetUID() != "" {
+		return string(lc.GetUID()), nil
+	}
+	if apierrors.IsForbidden(lcErr) {
+		return "", lcErr
+	}
+
 	var ns corev1.Namespace
-	if err := c.Get(ctx, types.NamespacedName{Name: "kube-system"}, &ns); err != nil {
-		return "", fmt.Errorf("getting kube-system namespace for cluster identity: %w", err)
+	nsErr := c.Get(ctx, types.NamespacedName{Name: "kube-system"}, &ns)
+	if nsErr == nil && ns.UID != "" {
+		return string(ns.UID), nil
 	}
-	if ns.UID == "" {
-		return "", fmt.Errorf("kube-system namespace UID is empty")
+	if apierrors.IsForbidden(nsErr) {
+		return "", nsErr
 	}
-	return string(ns.UID), nil
+
+	return "", fmt.Errorf("cannot determine cluster identity (no LogicalCluster: %v; no kube-system namespace: %v)", lcErr, nsErr)
 }

v2/konnector/engine/remote/remote_test.go

@@ -0,0 +1,91 @@
+/*
+Copyright 2026 The Kube Bind Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package remote
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func identityScheme(t *testing.T) *runtime.Scheme {
+	t.Helper()
+	s := runtime.NewScheme()
+	require.NoError(t, clientgoscheme.AddToScheme(s))
+	// Register the kcp LogicalCluster GVK as unstructured so the fake client can
+	// serve it.
+	s.AddKnownTypeWithName(logicalClusterGVK, &unstructured.Unstructured{})
+	s.AddKnownTypeWithName(logicalClusterGVK.GroupVersion().WithKind("LogicalClusterList"), &unstructured.UnstructuredList{})
+	return s
+}
+
+func logicalCluster(uid string) *unstructured.Unstructured {
+	lc := &unstructured.Unstructured{}
+	lc.SetGroupVersionKind(logicalClusterGVK)
+	lc.SetName("cluster")
+	lc.SetUID(types.UID(uid))
+	return lc
+}
+
+func TestClusterUID_KubeSystem(t *testing.T) {
+	s := identityScheme(t)
+	c := fake.NewClientBuilder().WithScheme(s).WithObjects(
+		&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "kube-system", UID: "ks-uid"}},
+	).Build()
+
+	uid, err := ClusterUID(context.Background(), c)
+	require.NoError(t, err)
+	require.Equal(t, "ks-uid", uid, "plain Kubernetes should use the kube-system namespace UID")
+}
+
+func TestClusterUID_KCPLogicalClusterFallback(t *testing.T) {
+	s := identityScheme(t)
+	// No kube-system namespace (a kcp logical cluster) — only a LogicalCluster.
+	c := fake.NewClientBuilder().WithScheme(s).WithObjects(logicalCluster("lc-uid")).Build()
+
+	uid, err := ClusterUID(context.Background(), c)
+	require.NoError(t, err)
+	require.Equal(t, "lc-uid", uid, "a kcp logical cluster should fall back to the LogicalCluster UID")
+}
+
+func TestClusterUID_LogicalClusterWinsWhenBothPresent(t *testing.T) {
+	s := identityScheme(t)
+	c := fake.NewClientBuilder().WithScheme(s).WithObjects(
+		&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "kube-system", UID: "ks-uid"}},
+		logicalCluster("lc-uid"),
+	).Build()
+
+	uid, err := ClusterUID(context.Background(), c)
+	require.NoError(t, err)
+	require.Equal(t, "lc-uid", uid, "a kcp-shaped cluster (LogicalCluster present) should prefer the LogicalCluster UID")
+}
+
+func TestClusterUID_NoSource(t *testing.T) {
+	s := identityScheme(t)
+	c := fake.NewClientBuilder().WithScheme(s).Build()
+
+	_, err := ClusterUID(context.Background(), c)
+	require.Error(t, err, "with neither source the identity is undeterminable")
+}

v2/konnector/test/e2e/framework/framework.go

@@ -36,6 +36,7 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	apimachineryruntime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -228,6 +229,58 @@ func (e *Env) CopyProviderSecret(t *testing.T, name string) *corev1.Secret {
 	}
 }
 
+// MakeProviderKCPLike turns the provider into a kcp-shaped cluster: it installs
+// a LogicalCluster CRD + the singleton "cluster" object (the kcp per-workspace
+// identity object). On a real kcp workspace there is no kube-system namespace,
+// so identity comes from the LogicalCluster; the konnector prefers it whenever
+// it is present (which only a kcp-shaped cluster serves), so we don't need to
+// remove kube-system here (envtest has no namespace controller to finalize it
+// away anyway). Returns the LogicalCluster's UID.
+func (e *Env) MakeProviderKCPLike(t *testing.T, ctx context.Context) string {
+	t.Helper()
+
+	require.NoError(t, e.ProviderClient.Create(ctx, logicalClusterCRD()))
+	lcGVR := schema.GroupVersionResource{Group: "core.kcp.io", Version: "v1alpha1", Resource: "logicalclusters"}
+	require.Eventually(t, func() bool {
+		_, err := e.ProviderDyn.Resource(lcGVR).List(ctx, metav1.ListOptions{})
+		return err == nil
+	}, 30*time.Second, 200*time.Millisecond, "provider should serve LogicalCluster")
+
+	lc := &unstructured.Unstructured{}
+	lc.SetGroupVersionKind(schema.GroupVersionKind{Group: "core.kcp.io", Version: "v1alpha1", Kind: "LogicalCluster"})
+	lc.SetName("cluster")
+	require.NoError(t, e.ProviderClient.Create(ctx, lc))
+	require.NoError(t, e.ProviderClient.Get(ctx, client.ObjectKey{Name: "cluster"}, lc))
+	uid := string(lc.GetUID())
+	require.NotEmpty(t, uid)
+	return uid
+}
+
+func logicalClusterCRD() *apiextensionsv1.CustomResourceDefinition {
+	preserve := true
+	return &apiextensionsv1.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{Name: "logicalclusters.core.kcp.io"},
+		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+			Group: "core.kcp.io",
+			Names: apiextensionsv1.CustomResourceDefinitionNames{
+				Plural: "logicalclusters", Singular: "logicalcluster", Kind: "LogicalCluster", ListKind: "LogicalClusterList",
+			},
+			Scope: apiextensionsv1.ClusterScoped,
+			Versions: []apiextensionsv1.CustomResourceDefinitionVersion{{
+				Name: "v1alpha1", Served: true, Storage: true,
+				Schema: &apiextensionsv1.CustomResourceValidation{
+					OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+						Type: "object",
+						Properties: map[string]apiextensionsv1.JSONSchemaProps{
+							"spec": {Type: "object", XPreserveUnknownFields: &preserve},
+						},
+					},
+				},
+			}},
+		},
+	}
+}
+
 // InstallExportedWidgetCRD installs the demo Widget CRD on the provider, labeled
 // as exported.
 func (e *Env) InstallExportedWidgetCRD(t *testing.T) schema.GroupVersionResource {

v2/konnector/test/e2e/tier2_test.go v2/konnector/test/e2e/policies_test.gov2/konnector/test/e2e/tier2_test.go renamed to v2/konnector/test/e2e/policies_test.go

@@ -33,12 +33,12 @@ import (
 	corev1alpha1 "github.com/kube-bind/kube-bind/v2/sdk/apis/core/v1alpha1"
 )
 
-// TestSlimCoreTier2 exercises the Tier-2 "Decided" features. It shares one
-// envtest pair (spinning a fresh one per case exhausts envtest resources):
+// TestSlimCorePolicies exercises the binding/connection policy knobs. It shares
+// one envtest pair (spinning a fresh one per case exhausts envtest resources):
 // deletion-policy Orphan, updatePolicy Always, autoBind, pullPolicy All, and
 // PermissionDenied. The widgets-dependent cases run first, before the extra
 // Connections (autoBind/All) re-stamp the widgets CRD.
-func TestSlimCoreTier2(t *testing.T) {
+func TestSlimCorePolicies(t *testing.T) {
 	env := framework.Start(t)
 	ctx := context.Background()
 	gvr := env.InstallExportedWidgetCRD(t)

v2/konnector/test/e2e/related_resources_test.go

@@ -0,0 +1,98 @@
+/*
+Copyright 2026 The Kube Bind Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/kube-bind/kube-bind/v2/konnector/test/e2e/framework"
+	corev1alpha1 "github.com/kube-bind/kube-bind/v2/sdk/apis/core/v1alpha1"
+)
+
+// TestSlimCoreRelatedResources binds the Widget API with a relatedResources rule
+// that syncs label-selected Secrets FromProvider, and verifies sync + GC.
+func TestSlimCoreRelatedResources(t *testing.T) {
+	env := framework.Start(t)
+	ctx := context.Background()
+	env.InstallExportedWidgetCRD(t)
+
+	require.NoError(t, env.ConsumerClient.Create(ctx, &corev1alpha1.Connection{
+		ObjectMeta: metav1.ObjectMeta{Name: "demo-provider"},
+		Spec: corev1alpha1.ConnectionSpec{
+			KubeconfigSecretRef: corev1alpha1.SecretKeyRef{Namespace: framework.KubeBindNamespace, Name: "demo-provider-kubeconfig", Key: "kubeconfig"},
+			Schema:              corev1alpha1.SchemaPolicy{Source: corev1alpha1.SchemaSourceCRD},
+		},
+	}))
+	require.NoError(t, env.ConsumerClient.Create(ctx, &corev1alpha1.ClusterBinding{
+		ObjectMeta: metav1.ObjectMeta{Name: "widgets"},
+		Spec: corev1alpha1.BindingSpec{
+			ConnectionRef: corev1alpha1.ConnectionRef{Name: "demo-provider"},
+			APIs:          []corev1alpha1.APIRef{{Name: widgetCRDName}},
+			RelatedResources: []corev1alpha1.RelatedResource{{
+				Group:     "",
+				Resource:  "secrets",
+				Direction: corev1alpha1.FromProvider,
+				Selector: &corev1alpha1.RelatedResourceSelector{
+					LabelSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"app": "widget"}},
+				},
+			}},
+		},
+	}))
+	framework.WaitForConditionTrue(t, func() ([]metav1.Condition, error) {
+		cb := &corev1alpha1.ClusterBinding{}
+		err := env.ConsumerClient.Get(ctx, client.ObjectKey{Name: "widgets"}, cb)
+		return cb.Status.Conditions, err
+	}, corev1alpha1.ConditionReady)
+
+	secretKey := client.ObjectKey{Namespace: "default", Name: "widget-creds"}
+
+	t.Run("a label-selected provider Secret syncs to the consumer", func(t *testing.T) {
+		require.NoError(t, env.ProviderClient.Create(ctx, &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{Namespace: "default", Name: "widget-creds", Labels: map[string]string{"app": "widget"}},
+			StringData: map[string]string{"token": "s3cr3t"},
+		}))
+		require.Eventually(t, func() bool {
+			s := &corev1.Secret{}
+			if err := env.ConsumerClient.Get(ctx, secretKey, s); err != nil {
+				return false
+			}
+			return string(s.Data["token"]) == "s3cr3t" &&
+				s.Labels[corev1alpha1.LabelManaged] == "true" &&
+				s.Annotations[corev1alpha1.AnnotationRelatedBinding] != ""
+		}, 30*time.Second, 200*time.Millisecond, "the label-selected provider Secret should sync to the consumer")
+	})
+
+	t.Run("the synced copy is GC'd when it stops matching", func(t *testing.T) {
+		s := &corev1.Secret{}
+		require.NoError(t, env.ProviderClient.Get(ctx, secretKey, s))
+		delete(s.Labels, "app")
+		require.NoError(t, env.ProviderClient.Update(ctx, s))
+
+		require.Eventually(t, func() bool {
+			c := &corev1.Secret{}
+			return apierrors.IsNotFound(env.ConsumerClient.Get(ctx, secretKey, c))
+		}, 30*time.Second, 200*time.Millisecond, "the consumer copy should be GC'd once the Secret stops matching the selector")
+	})
+}