✨ Add classNamespace to topology

[Danil-Grigorev]

What this PR does / why we need it:

Adding classNamespace variable to the cluster topology, which allows to point to a ClusterClass in a different namespace. This field is dormant, and is used for differentiation only.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Related to #5673

/area clusterclass

[salasberryfin]

Thanks @Danil-Grigorev! I added a small suggestion but I think this looks good.

[salasberryfin]

Thanks @Danil-Grigorev

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: c4b418743a4683ae623b3264aae7636c41ad5675

[salasberryfin]

/assign @chrischdi

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[fabriziopandini]

Wondering if we should default to current namespace ...

Pros: it is explicit and consistent to what we do for other references
Cons: it add "noises" to the containing struct while we don't have a clean nesting yet

A compromise might be to keep it empty for now and start defaulting when we will introduce a nested struct
@JoelSpeed opinions?

[JoelSpeed]

The namespace of the object can never change, so, defaulting this value to the current namespace would make sense, and make the API explicit. I can't foresee us ever, in the future, wanting to default this to a specific namespace, as we have no concept of a core namespace.

That said, I could see a use case where a cluster admin wants to default this field themselves. In the future they could leverage MutatingAdmissionPolicy to set the namespace always to a certain namespace where they keep their classes. Could defaulting this (since it would have to be a webhook, or MAP) then cause interference with any logic the cluster admin has there? They'd have to make sure that their defaulting went before ours 🤔

I think I would err on the side here, or not defaulting it and just explaining that the empty namespace means that the namespace of the cluster is leveraged, as it is now.

[sbueringer]

Makes sense to me, thx for the explanation Joel!

[fabriziopandini]

Might be I'm wrong, but I did not found a place where we are enforcing "Changing classNamespace is not supported".
Also, out of curiosity, why are we introducing this limitation?

[Danil-Grigorev]

That’s mainly due to tests performed on that operation locally. It seems when changing classNamespace, many referenced template components change namespace too, as they have to preserve ownership references, and instead of rebase performing minimal modifications of the resource, it has to switch resources entirely. This seemed as a larger scope change.

I’ll add a validation on the field modifications.

[fabriziopandini]

Thanks clarification
It would be great if we can add the same note as a godoc explanation for check above

[Danil-Grigorev]

I composed a clarification message on the field. It seems there is no need for additional tests as TestLocalObjectTemplatesAreCompatible is already covering template namespace changes.

[sbueringer]

I added another comment already but I didn't see validation for this. To be honest I'm really wondering what's going on here. Rebase across namespaces shouldn't lead to problems

What do you mean with: "it has to switch resources entirely"?

[fabriziopandini]

Thinking a little bit more about this, I think we change this index so performance in the webhook are optimized and also the resulting code will be more readable (both here and in clusterClassToCluster)

[fabriziopandini]

Note for self: this seems still open no matter if it reports outdated

[Danil-Grigorev]

@chrischdi @fabriziopandini Can I get another review? All comments are addressed here.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from chrischdi. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sbueringer]

Thank you for working on this and thx for the patience. Sorry for the delay

[sbueringer]

I don't understand this limitation.

Example:

Before rebase: CC1 in test1 namespace referencing templates in test1 namespace
After rebase: CC2 in test2 namespace referencing templates in test2 namespace

Why doesn't this work?

EDIT: I also didn't find anything in our webhook that blocks changing the namespace, maybe this godoc comment is just outdated

Related: #11352 (comment)

[sbueringer]

What is Cluster templates referring to? To me this comment is mostly confusing to be honest

[sbueringer]

Doesn't MinLength=1 conflict with "Empty namespace assumes the namespace of the cluster object"?

I assume valid values are / should be:

• not set => which is what "empty namespace" is referring to
• set to a string with length between 1 and 253

Not valid:

• setting it to an empty string ("")

If I'm correct, maybe we should simply update the comment above to: "If namespace is not set we assume the namespace of the Cluster object"

P.S. I'm aware that when an end user sets the classNamespace field to "", the field will be removed by our mutating webhook on the Cluster object (because of the omitempty) and then passes the OpenAPI schema validation. Nonetheless it's probably cleaner to use "not set" vs. "empty string" (also because empty string is forbidden by the OpenAPI schema)

[Danil-Grigorev]

I think this was originally a suggestion from Joel. Cross-referencing it here for the context: #11352 (comment) I validated it, and it works great. Typically an ”” value will be stored on the resource if it is once set (even via a controller), but here it blocks the round trip on API server via MinLength and falls back to +optional, removing the field, thus making it use class metadata.namespace instead.

This is what allowed to add defaulting of the value in the E2E tests followup, suggested in #11395 (comment), allowing to greatly reduce templates duplication.

[sbueringer]

Okay. Can we modify the comment to say "If the namespace is empty or not set ..." ?

[sbueringer]

If there's a specific place where we got this regex from, let's please mention it (I guess it's sort of the "standard" regexp to validate Kubernetes object names?)

[sbueringer]

I'm not sure I'm following the discussion (but I also don't know the previous version of the code).

But I was also wondering why we don't simply use one index (e.g. ClusterClassRefField) that has the format namespace/name?

As ClusterClassNameField index is always used together with the ClusterClassNamespaceField index I don't see the need to maintain two indices.