✨ Check for identityHash in APIExport admission and support multiple versions for APIs in permission claims

[hasheddan]

Summary

This patch set includes two primary changes:

Update the APIResourceSchema generation to consider multiple versions of
an API and append the schemas to one ARS rather than generating a
separate ARS for each.

Signed-off-by: hasheddan [email protected]

Adds an APIExport admission plugin that, for the time-being, only
validates that any permissionClaims for types that are not built-in
include an identityHash.

Signed-off-by: hasheddan [email protected]

The first can be observed when creating an APIExport with permissionClaims on FlowSchemas or PriorityLevelConfigurations.

Before:

🤖 (kxp) k -s https://192.168.1.189:6443/services/apiexport/root/kxp.crossplane.io/clusters/* api-versions
apiextensions.crossplane.io/v1
apiextensions.crossplane.io/v1alpha1
flowcontrol.apiserver.k8s.io/v1beta1
pkg.crossplane.io/v1
pkg.crossplane.io/v1alpha1
pkg.crossplane.io/v1beta1
secrets.crossplane.io/v1alpha1
v1

After:

🤖 (kxp) k -s https://192.168.1.189:6443/services/apiexport/root/kxp.crossplane.io/clusters/* api-versions
apiextensions.crossplane.io/v1
apiextensions.crossplane.io/v1alpha1
flowcontrol.apiserver.k8s.io/v1beta1
flowcontrol.apiserver.k8s.io/v1beta2
pkg.crossplane.io/v1
pkg.crossplane.io/v1alpha1
pkg.crossplane.io/v1beta1
secrets.crossplane.io/v1alpha1
v1

The second can be observed by trying to include a permissionClaim for something like Deployment (not built-in) without an identityHash:

🤖 (kxp) cat bad-export.yaml 
apiVersion: apis.kcp.dev/v1alpha1
kind: APIExport
metadata:
  name: data.my.domain
spec:
  latestResourceSchemas:
    - today.widgets.data.my.domain
  permissionClaims:
    - group: ""
      resource: "secrets"
    - group: ""
      resource: "configmaps"
    - group: ""
      resource: "namespaces"
    - group: "apps"
      resource: "deployments"
🤖 (kxp) k apply -f bad-export.yaml 
Error from server (Forbidden): error when creating "bad-export.yaml": apiexports.apis.kcp.dev "data.my.domain" is forbidden: spec.permissionClaims.[3].identityHash: Invalid value: "": identityHash is required for API types that are not built-in

Related issue(s)

Fixes #2161
xref #2152 (more work to be done on exposing conditions for other failure modes)

[hasheddan]

I think the process of how we add the ARS to the sync target set can be improved here as we are essentially duplicating these for every apiSet even though we know they are always present. That being said, I opted to not include in this PR as it was already carrying a fairly large diff. Planning to address in follow-up.

[hasheddan]

We could consider moving this anonymous import into builtin.go as inclusion of the package without also importing core install will cause init() to panic.

[ncdc]

Sounds like we should?

[hasheddan]

I'm happy to, though in theory this is a change in behavior that is not strictly how all consumers would have to behave today. In practice, kcp is installing the core types into the legacy schema before this init() runs, but not all consumers have to. In general I don't love this pattern of registering schemas in init() calls, and would lean towards going ahead and moving the anonymous import (as you suggest) to cover the 99% case here.

[ncdc]

@sttts what do you prefer?

[hasheddan]

@sttts any thoughts here?

[sttts]

don't have much context here. But in general it is highly discourage to use the legacyscheme in any way, especially in new code like kcp. Create dedicated schemes and add the group you want via the AddToScheme methods.

[hasheddan]

Need to cleanup some of these e2e tests that I believe are correctly failing now.

[ncdc]

You can use .Index here

[ncdc]

nit: I would call this isBuiltIn

[ncdc]

Suggested change

	func NewAPIExportAdmission(isInternal func(apisv1alpha1.GroupResource) bool) *APIExportAdmission {
	func NewAPIExportAdmission(isBuiltIn func(apisv1alpha1.GroupResource) bool) *APIExportAdmission {

[ncdc]

Since this is an update, I know it doesn't matter for the code under test, but should we fill in the "old" object here?

[hasheddan]

Happy to 👍🏻

[ncdc]

Unless you're intending to vary the return based on the input, I think this can be a normal bool and you can set the function pointer once, inside t.Run?

[ncdc]

Sounds like we should?

[ncdc]

/lgtm

Would like to hear Stefan's thoughts on the import question

[hasheddan]

/assign @sttts

[sttts]

what is this used for? don't like to see the legacyscheme in our code.

[hasheddan]

@sttts this isn’t strictly new in this patch set, just being relocated from the syncer API reconciler. I presume the legacy scheme is being used as the sync target is assumed to be Kubernetes API-compatible. Happy to update this to explicitly add each type in the internal API list below to the scheme.

[ncdc]

I would recommend doing a follow-up to deal with legacyscheme usage as a whole

[hasheddan]

@ncdc happy to open a tracking issue and tackle 👍🏻

[ncdc]

@hasheddan yes let's do that please, thanks!

[ncdc]

Approving. Keep merging & iterate on 😄
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncdc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/admission/OWNERS [ncdc]
• pkg/virtual/OWNERS [ncdc]
• test/OWNERS [ncdc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment