Add provider side namespaces

Author: mjudeikis

README.md

@@ -62,6 +62,14 @@ All the actions shown between the clusters are done by the konnector, except: th
 
 To get familiar with setting up the environment, please check out docs at [kube-bind.io](https://docs.kube-bind.io/main/setup).
 
+## API Changes in v0.6.0 release
+
+Addition of `PermissionClaims` to APIServiceExportSpec. It allows service provider to specify what additional resources are needed by the service consumer to effectively use the exported API. In example of a database service, the service consumer might need to create Secrets for database credentials, or ConfigMaps for configuration settings.
+
+Because objects are namespaced on provider and consumer side, to establish correct RBAC `APIServiceNamespace` controller now creates Roles and RoleBindings.
+There is caviate that if backend operates in `ClusterScope` mode, the necessary cluster-wide permissions are created. 
+Importnat: If provider wants to iniciate object, like `ConfigMap` or `Secret`, the provider needs to create `APIServiceNamespace` first, so that the necessary Roles and RoleBindings are created. This will 
+
 ## API Changes in v0.5.0 release
 
 Version v0.5.0 includes significant architectural improvements to the API structure:

apiserviceexport.yaml

@@ -0,0 +1,33 @@
+apiVersion: kube-bind.io/v1alpha2
+kind: APIServiceExportRequest
+metadata:
+  name: sheriffs
+spec:
+  namespaces:
+  - name: sheriff-operations
+  - name: sheriff-intelligence
+  permissionClaims:
+  - resource: secrets
+    selector:
+      labelSelector:
+        matchLabels:
+          app: sheriff
+          security: high
+      namedResources:
+      - name: sheriff-badge-credentials
+      - name: sheriff-jurisdiction-config
+  - resource: configmaps
+    selector:
+      labelSelector:
+        matchLabels:
+          app: sheriff
+          component: enforcement
+      namedResources:
+      - name: sheriff-jurisdiction-map
+      - name: sheriff-enforcement-rules
+  resources:
+  - group: wildwest.dev
+    resource: sheriffs
+    versions:
+    - v1alpha1
+status: {}

backend/controllers/serviceexport/serviceexport_controller.go

@@ -55,6 +55,7 @@ type APIServiceExportReconciler struct {
 func NewAPIServiceExportReconciler(
 	ctx context.Context,
 	mgr mcmanager.Manager,
+	scope kubebindv1alpha2.InformerScope,
 	opts controller.TypedOptions[mcreconcile.Request],
 ) (*APIServiceExportReconciler, error) {
 	if err := mgr.GetFieldIndexer().IndexField(ctx, &kubebindv1alpha2.APIServiceExport{}, indexers.ServiceExportByBoundSchema,
@@ -66,6 +67,7 @@ func NewAPIServiceExportReconciler(
 		manager: mgr,
 		opts:    opts,
 		reconciler: reconciler{
+			scope: scope,
 			getBoundSchema: func(ctx context.Context, cache cache.Cache, namespace, name string) (*kubebindv1alpha2.BoundSchema, error) {
 				var schema kubebindv1alpha2.BoundSchema
 				key := types.NamespacedName{Namespace: namespace, Name: name}

backend/controllers/serviceexport/serviceexport_reconcile.go

@@ -31,6 +31,7 @@ import (
 )
 
 type reconciler struct {
+	scope          kubebindv1alpha2.InformerScope
 	getBoundSchema func(ctx context.Context, cache cache.Cache, namespace, name string) (*kubebindv1alpha2.BoundSchema, error)
 }
 
@@ -41,6 +42,12 @@ func (r *reconciler) reconcile(ctx context.Context, cache cache.Cache, export *k
 		errs = append(errs, err)
 	}
 
+	if r.scope == kubebindv1alpha2.ClusterScope {
+		if err := r.ensureClusterPermissions(ctx, cache, export); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	return utilerrors.NewAggregate(errs)
 }
 
@@ -86,3 +93,12 @@ func (r *reconciler) ensureSchema(ctx context.Context, cache cache.Cache, export
 
 	return nil
 }
+
+// ensureClusterPermissions ensures that the necessary cluster-wide permissions are in place for the exported APIs.
+// This runs only when backend is operating in ClusterScope. In this scenario, there might not yet be a namespace so
+// APIServiceNamespace reconciliation cannot be used.
+func (r *reconciler) ensureClusterPermissions(ctx context.Context, cache cache.Cache, export *kubebindv1alpha2.APIServiceExport) error {
+	// TODO(mjudeikis): implement this for cluster scoped resources.
+	// https://github.com/kube-bind/kube-bind/issues/344
+	return nil
+}

backend/controllers/serviceexportrequest/serviceexportrequest_reconcile.go

@@ -70,6 +70,11 @@ func (r *reconciler) reconcile(ctx context.Context, cl client.Client, cache cach
 		return fmt.Errorf("failed to ensure exports: %w", err)
 	}
 
+	if err := r.ensureAPIServiceNamespaces(ctx, cl, cache, req); err != nil {
+		conditions.SetSummary(req)
+		return fmt.Errorf("failed to ensure APIServiceNamespaces: %w", err)
+	}
+
 	// TODO(mjudeikis): we could potentially add finallizer to APIServiceExport above or "adopt" boundschemas
 	// with owner references once export is created.
 	// https://github.com/kube-bind/kube-bind/issues/297
@@ -367,3 +372,34 @@ func isClaimableAPI(claim kubebindv1alpha2.PermissionClaim) bool {
 	}
 	return false
 }
+
+func (r *reconciler) ensureAPIServiceNamespaces(ctx context.Context, cl client.Client, cache cache.Cache, req *kubebindv1alpha2.APIServiceExportRequest) error {
+	logger := klog.FromContext(ctx)
+
+	// TODO(mjudeikis): We have this object above already, pass it down to avoid extra get.
+	export := &kubebindv1alpha2.APIServiceExport{}
+	if err := cl.Get(ctx, client.ObjectKey{Namespace: req.Namespace, Name: req.Name}, export); err != nil {
+		return fmt.Errorf("failed to get APIServiceExport %s/%s: %w", req.Namespace, req.Name, err)
+	}
+
+	for _, ns := range req.Spec.Namespaces {
+		apiServiceNamespace := helpers.APIServiceNamespaceFromExport(export, ns.Name)
+		currentAPIServiceNamespace := &kubebindv1alpha2.APIServiceNamespace{}
+		err := cache.Get(ctx, client.ObjectKey{Namespace: apiServiceNamespace.Namespace, Name: apiServiceNamespace.Name}, currentAPIServiceNamespace)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				logger.V(1).Info("Creating APIServiceNamespace", "name", apiServiceNamespace.Name, "namespace", apiServiceNamespace.Namespace)
+				if err := cl.Create(ctx, apiServiceNamespace); err != nil {
+					if apierrors.IsAlreadyExists(err) {
+						continue
+					}
+					return err
+				}
+			} else {
+				return err
+			}
+		}
+	}
+
+	return nil
+}

backend/controllers/servicenamespace/servicenamespace_reconcile.go

@@ -106,7 +106,7 @@ func (c *reconciler) reconcile(ctx context.Context, client client.Client, cache
 					Rules: permissions,
 				}
 				// Create new ClusterRole
-				if err := client.Create(ctx, role); err != nil {
+				if err := client.Create(ctx, role); !errors.IsAlreadyExists(err) {
 					return fmt.Errorf("failed to create ClusterRole %s: %w", name, err)
 				}
 			} else {

backend/http/handler.go

@@ -350,6 +350,7 @@ type UISchema struct {
 
 	Resources        []kubebindv1alpha2.APIServiceExportResource
 	PermissionClaims []kubebindv1alpha2.PermissionClaim
+	Namespaces       []kubebindv1alpha2.Namespaces
 
 	// SessionID
 	SessionID string
@@ -392,6 +393,7 @@ func (h *handler) handleResources(w http.ResponseWriter, r *http.Request) {
 			Scope:            string(item.Spec.Scope),
 			PermissionClaims: item.Spec.PermissionClaims,
 			Resources:        item.Spec.Resources,
+			Namespaces:       item.Spec.Namespaces,
 			SessionID:        sessionID,
 		})
 	}
@@ -462,6 +464,7 @@ func (h *handler) handleBind(w http.ResponseWriter, r *http.Request) {
 		Spec: kubebindv1alpha2.APIServiceExportRequestSpec{
 			Resources:        module.Spec.Resources,
 			PermissionClaims: module.Spec.PermissionClaims,
+			Namespaces:       module.Spec.Namespaces,
 		},
 	}
 
@@ -524,11 +527,10 @@ func mustRead(f func(name string) ([]byte, error), name string) string {
 // listCollectionModules fetches the list of Collections from the backend cluster.
 // Flow is:
 // 1. List Collection and check what modules we are targeting
-// 2. Get modules from the backend cluster and consutruct shallow-bound schemas (no crd content)
+// 2. Get modules from the backend cluster and consutruct shallow-bound schemas (no crd content).
 func (h *handler) listCollectionModules(ctx context.Context, cluster string) (*catalogv1alpha1.ModuleList, error) {
 	collections, err := h.kubeManager.ListCollections(ctx, cluster)
 	if err != nil {
-
 		return nil, fmt.Errorf("failed to list collections: %w", err)
 	}
 

backend/server.go

@@ -147,6 +147,7 @@ func NewServer(ctx context.Context, c *Config) (*Server, error) {
 	s.ServiceExport, err = serviceexport.NewAPIServiceExportReconciler(
 		ctx,
 		s.Config.Manager,
+		kubebindv1alpha2.InformerScope(c.Options.ConsumerScope),
 		opts,
 	)
 	if err != nil {

backend/template/resources.gohtml

@@ -204,6 +204,16 @@
                 {{end}}
               </li>
               {{end}}
+              {{if $schema.Namespaces}}
+              <li class="list-group-item">
+                <strong>Namespaces ({{len $schema.Namespaces}}):</strong>
+                <div class="mt-1">
+                {{range $schema.Namespaces}}
+                <span class="item-tag">{{.Name}}</span>
+                {{end}}
+                </div>
+              </li>
+              {{end}}
             </ul>
             <div class="card-body">
               <a href="{{if $.Cluster}}/clusters/{{$.Cluster}}{{end}}/bind?s={{$schema.SessionID}}&module={{$schema.Name}}" class="btn bind-btn {{$schema.Name}}">

cli/pkg/kubectl/bind-apiservice/plugin/servicebindings.go

@@ -67,7 +67,7 @@ func (b *BindAPIServiceOptions) createAPIServiceBindings(ctx context.Context, co
 				}
 			}
 		}
-		
+
 		return []*kubebindv1alpha2.APIServiceBinding{existing}, nil
 	}