handle isolation with resources

Author: mjudeikis

backend/controllers/servicenamespace/servicenamespace_controller.go

@@ -75,7 +75,8 @@ func NewAPIServiceNamespaceReconciler(
 		informerScope: scope,
 		isolation:     isolation,
 		reconciler: reconciler{
-			scope: scope,
+			scope:     scope,
+			isolation: isolation,
 
 			getNamespace: func(ctx context.Context, cache cache.Cache, name string) (*corev1.Namespace, error) {
 				var ns corev1.Namespace

backend/controllers/servicenamespace/servicenamespace_reconcile.go

@@ -39,7 +39,8 @@ import (
 )
 
 type reconciler struct {
-	scope kubebindv1alpha2.InformerScope
+	scope     kubebindv1alpha2.InformerScope
+	isolation kubebindv1alpha2.Isolation
 
 	getNamespace    func(ctx context.Context, cache cache.Cache, name string) (*corev1.Namespace, error)
 	createNamespace func(ctx context.Context, client client.Client, ns *corev1.Namespace) error
@@ -52,11 +53,20 @@ type reconciler struct {
 
 func (c *reconciler) reconcile(ctx context.Context, client client.Client, cache cache.Cache, sns *kubebindv1alpha2.APIServiceNamespace) error {
 	var ns *corev1.Namespace
-	nsName := sns.Namespace + "-" + sns.Name
-	if sns.Status.Namespace != "" {
+	var nsName string
+	switch {
+	case sns.Status.Namespace != "":
+		// use existing namespace from status
 		nsName = sns.Status.Namespace
-		ns, _ = c.getNamespace(ctx, cache, nsName) // golint:errcheck
+	case c.isolation == kubebindv1alpha2.IsolationNone:
+		nsName = sns.Name
+	case c.isolation == kubebindv1alpha2.IsolationNamespaced || c.isolation == kubebindv1alpha2.IsolationPrefixed:
+		nsName = sns.Namespace + "-" + sns.Name
+	default:
+		return fmt.Errorf("unknown isolation strategy: %s", c.isolation)
 	}
+	ns, _ = c.getNamespace(ctx, cache, nsName)
+
 	if ns == nil {
 		ns = &corev1.Namespace{
 			ObjectMeta: metav1.ObjectMeta{

backend/options/options.go

@@ -210,6 +210,8 @@ func (options *Options) Complete() (*CompletedOptions, error) {
 		options.Isolation = string(kubebindv1alpha2.IsolationNamespaced)
 	case "none":
 		options.Isolation = string(kubebindv1alpha2.IsolationNone)
+	default:
+		options.Isolation = string(kubebindv1alpha2.IsolationNone)
 	}
 
 	if options.ExternalCAFile != "" && options.ExternalCA != nil {

docs/content/usage/api-concepts.md

@@ -114,7 +114,7 @@ spec:
           consumer: consumer123
 
   # How isolation is done at the provider side
-  clusterScopedIsolation: Prefixed
+  isolation: Prefixed
   # informerScope is the scope of the APIServiceExport. It can be either Cluster or Namespace.
 	#
 	# Cluster:    The konnector has permission to watch all namespaces at once and cluster-scoped resources.

pkg/konnector/controllers/cluster/serviceexport/serviceexport_reconcile.go

@@ -144,7 +144,7 @@ func (r *reconciler) ensureControllers(ctx context.Context, namespace, name stri
 		}
 
 		processedSchemas[name] = true // This is only schemas names (suffix)
-		isClusterScoped = schema.Spec.Scope == apiextensionsv1.ClusterScoped || schema.Spec.InformerScope == kubebindv1alpha2.ClusterScope
+		isClusterScoped = schema.Spec.InformerScope == kubebindv1alpha2.ClusterScope
 	}
 
 	// Ensure controller for permission claims
@@ -267,16 +267,20 @@ func (r *reconciler) ensureControllerForSchema(ctx context.Context, export *kube
 				return providerBindClient.KubeBindV1alpha2().APIServiceNamespaces(sn.Namespace).Create(ctx, sn, metav1.CreateOptions{})
 			})
 
-	case export.Spec.ClusterScopedIsolation == kubebindv1alpha2.IsolationNone:
+	case export.Spec.Isolation == kubebindv1alpha2.IsolationNone:
+		logger.V(4).Info("Using None isolation strategy", "export", export.Name)
 		isolationStrategy = isolation.NewNone(r.providerNamespace, providerNamespaceUID)
 
-	case export.Spec.ClusterScopedIsolation == kubebindv1alpha2.IsolationPrefixed:
+	case export.Spec.Isolation == kubebindv1alpha2.IsolationPrefixed:
+		logger.V(4).Info("Using Prefixed isolation strategy", "export", export.Name)
 		isolationStrategy = isolation.NewPrefixed(r.providerNamespace, providerNamespaceUID)
 
-	case export.Spec.ClusterScopedIsolation == kubebindv1alpha2.IsolationNamespaced:
+	case export.Spec.Isolation == kubebindv1alpha2.IsolationNamespaced:
+		logger.V(4).Info("Using Namespaced isolation strategy", "export", export.Name)
 		isolationStrategy = isolation.NewNamespaced(r.providerNamespace)
 	default:
 		// Default to None isolation strategy if no valid isolation strategy is specified
+		logger.V(4).Info("Using default None isolation strategy", "export", export.Name)
 		isolationStrategy = isolation.NewNone(r.providerNamespace, providerNamespaceUID)
 	}
 
@@ -343,7 +347,7 @@ func (r *reconciler) ensureControllersForPermissionClaims(
 	ctx context.Context,
 	export *kubebindv1alpha2.APIServiceExport,
 	binding *kubebindv1alpha2.APIServiceBinding,
-	isClusterScoped bool, // schema.Spec.Scope == apiextensionsv1.ClusterScoped || schema.Spec.InformerScope == kubebindv1alpha2.ClusterScope
+	isClusterScoped bool, // schema.Spec.InformerScope == kubebindv1alpha2.ClusterScope
 ) error {
 	logger := klog.FromContext(ctx)
 

pkg/konnector/controllers/cluster/serviceexport/spec/spec_reconcile.go

@@ -112,6 +112,7 @@ func (r *reconciler) reconcile(ctx context.Context, obj *unstructured.Unstructur
 		}
 
 		logger.Info("Creating upstream object")
+		logger.V(4).Info("Upstream object", "object", fmt.Sprintf("%s", upstream.Object))
 		if _, err := r.createProviderObject(ctx, upstream); err != nil && !apierrors.IsAlreadyExists(err) {
 			return err
 		} else if apierrors.IsAlreadyExists(err) {