Initial impl of managed labels/annotations

See kubernetes-retired#47. This is the initial implementation of managed labels and
annotations - that is, the ability to set a label (or annotation) in a
HierarchyConfiguration object, and have that label (...) propagated to
all descendants, similar to the way objects are propagated. As with
objects, only allowlisted labels are propagated, as defined by the
command line option '--managed-namespace-[labels|annotations]'.

Still to come: validator support, better conditions for conflicts,
better testing for external namespaces.

Tested: see new integ tests.

Author: adrianludwin

api/v1alpha2/hierarchy_types.go

@@ -55,12 +55,14 @@ const (
 	ConditionBadConfiguration string = "BadConfiguration"
 
 	// Condition reasons.
-	ReasonAncestor      string = "AncestorHaltActivities"
-	ReasonDeletingCRD   string = "DeletingCRD"
-	ReasonInCycle       string = "InCycle"
-	ReasonParentMissing string = "ParentMissing"
-	ReasonIllegalParent string = "IllegalParent"
-	ReasonAnchorMissing string = "SubnamespaceAnchorMissing"
+	ReasonAncestor                 string = "AncestorHaltActivities"
+	ReasonDeletingCRD              string = "DeletingCRD"
+	ReasonInCycle                  string = "InCycle"
+	ReasonParentMissing            string = "ParentMissing"
+	ReasonIllegalParent            string = "IllegalParent"
+	ReasonAnchorMissing            string = "SubnamespaceAnchorMissing"
+	ReasonIllegalManagedLabel      string = "IllegalManagedLabel"
+	ReasonIllegalManagedAnnotation string = "IllegalManagedAnnotation"
 )
 
 // AllConditions have all the conditions by type and reason. Please keep this
@@ -124,6 +126,18 @@ type HierarchyConfigurationSpec struct {
 	// AllowCascadingDeletion indicates if the subnamespaces of this namespace are
 	// allowed to cascading delete.
 	AllowCascadingDeletion bool `json:"allowCascadingDeletion,omitempty"`
+
+	// Lables is a list of labels and values to apply to the current namespace and all of its
+	// descendants. All label keys must be specified on the command line by
+	// --managed-namespace-labels. A namespace cannot have a KVP that conflicts with one of its
+	// ancestors.
+	Labels []MetaKVP `json:"labels,omitempty"`
+
+	// Annotations is a list of annotations and values to apply to the current namespace and all of
+	// its descendants. All annotation keys must be specified on the command line by
+	// --managed-namespace-annotations. A namespace cannot have a KVP that conflicts with one of its
+	// ancestors.
+	Annotations []MetaKVP `json:"annotations,omitempty"`
 }
 
 // HierarchyStatus defines the observed state of Hierarchy
@@ -147,6 +161,15 @@ type HierarchyConfigurationList struct {
 	Items           []HierarchyConfiguration `json:"items"`
 }
 
+// MetaKVP represents a label or annotation
+type MetaKVP struct {
+	// Name is the name of the label or annotation.
+	Name string `json:"name"`
+
+	// Value is the value of the label or annotation.
+	Value string `json:"value"`
+}
+
 // metav1.Condition is introduced in k8s.io/apimachinery v0.20.0-alpha.1 and we
 // don't want to take a dependency on it yet, thus we copied the below struct from
 // https://github.com/kubernetes/apimachinery/blob/master/pkg/apis/meta/v1/types.go:

api/v1alpha2/zz_generated.deepcopy.go

@@ -65,6 +65,8 @@ var (
 	restartOnSecretRefresh  bool
 	unpropagatedAnnotations arrayArg
 	excludedNamespaces      arrayArg
+	managedNamespaceLabels  arrayArg
+	managedNamespaceAnnots  arrayArg
 	includedNamespacesRegex string
 )
 
@@ -99,11 +101,29 @@ func main() {
 	flag.Var(&excludedNamespaces, "excluded-namespace", "A namespace that, if present, will be excluded from HNC management. May be specified multiple times, with each instance specifying one namespace. See the user guide for more information.")
 	flag.StringVar(&includedNamespacesRegex, "included-namespace-regex", ".*", "Namespace regular expression. Namespaces that match this regexp will be included and handle by HNC. As it is a regex, this parameter cannot be specified multiple times. Implicit wrapping of the expression \"^...$\" is done here")
 	flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", false, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)")
+	flag.Var(&managedNamespaceLabels, "managed-namespace-labels", "A list of labels on namespaces that are managed by HNC. These labels may only be set via the HierarchyConfiguration object. See the user guide for more information.")
+	flag.Var(&managedNamespaceAnnots, "managed-namespace-annotations", "A list of annotations on namespaces that are managed by HNC. These labels may only be set via the HierarchyConfiguration object. See the user guide for more details.")
 	flag.Parse()
+
 	// Assign the array args to the configuration variables after the args are parsed.
 	config.UnpropagatedAnnotations = unpropagatedAnnotations
-
 	config.SetNamespaces(includedNamespacesRegex, excludedNamespaces...)
+	config.ManagedNamespaceLabels = map[string]bool{}
+	for _, l := range managedNamespaceLabels {
+		if strings.Contains(l, v1a2.MetaGroup) {
+			setupLog.Info("Error: cannot use --managed-namespace-labels to control labels in the " + v1a2.MetaGroup + " group")
+			os.Exit(1)
+		}
+		config.ManagedNamespaceLabels[l] = true
+	}
+	config.ManagedNamespaceAnnotations = map[string]bool{}
+	for _, a := range managedNamespaceAnnots {
+		if strings.Contains(a, v1a2.MetaGroup) {
+			setupLog.Info("Error: cannot use --managed-namespace-annotations to control annotations in the " + v1a2.MetaGroup + " group")
+			os.Exit(1)
+		}
+		config.ManagedNamespaceAnnotations[a] = true
+	}
 
 	// Enable OpenCensus exporters to export metrics
 	// to Stackdriver Monitoring.

cmd/manager/main.go

@@ -46,6 +46,44 @@ spec:
                 description: AllowCascadingDeletion indicates if the subnamespaces
                   of this namespace are allowed to cascading delete.
                 type: boolean
+              annotations:
+                description: Annotations is a list of annotations and values to apply
+                  to the current namespace and all of its descendants. All annotation
+                  keys must be specified on the command line by --managed-namespace-annotations.
+                  A namespace cannot have a KVP that conflicts with one of its ancestors.
+                items:
+                  description: MetaKVP represents a label or annotation
+                  properties:
+                    name:
+                      description: Name is the name of the label or annotation.
+                      type: string
+                    value:
+                      description: Value is the value of the label or annotation.
+                      type: string
+                  required:
+                  - name
+                  - value
+                  type: object
+                type: array
+              labels:
+                description: Lables is a list of labels and values to apply to the
+                  current namespace and all of its descendants. All label keys must
+                  be specified on the command line by --managed-namespace-labels.
+                  A namespace cannot have a KVP that conflicts with one of its ancestors.
+                items:
+                  description: MetaKVP represents a label or annotation
+                  properties:
+                    name:
+                      description: Name is the name of the label or annotation.
+                      type: string
+                    value:
+                      description: Value is the value of the label or annotation.
+                      type: string
+                  required:
+                  - name
+                  - value
+                  type: object
+                type: array
               parent:
                 description: Parent indicates the parent of this namespace, if any.
                 type: string

config/crd/bases/hnc.x-k8s.io_hierarchyconfigurations.yaml

@@ -1,10 +1,22 @@
 package config
 
-// UnpropgatedAnnotations is a list of annotations on objects that should _not_ be propagated by HNC.
-// Much like HNC itself, other systems (such as GKE Config Sync) use annotations to "claim" an
-// object - such as deleting objects it doesn't recognize. By removing these annotations on
-// propgated objects, HNC ensures that other systems won't attempt to claim the same object.
-//
-// This value is controlled by the --unpropagated-annotation command line, which may be set multiple
-// times.
-var UnpropagatedAnnotations []string
+var (
+	// UnpropgatedAnnotations is a list of annotations on objects that should _not_ be propagated by HNC.
+	// Much like HNC itself, other systems (such as GKE Config Sync) use annotations to "claim" an
+	// object - such as deleting objects it doesn't recognize. By removing these annotations on
+	// propgated objects, HNC ensures that other systems won't attempt to claim the same object.
+	//
+	// This value is controlled by the --unpropagated-annotation command line, which may be set multiple
+	// times.
+	UnpropagatedAnnotations []string
+
+	// ManagedNamespaceLabels is a set of labels whose values are controlled by the "labels" field in
+	// the HierarchyController CR. Any label in this list is removed from all managed namespaces
+	// unless specifically specified by the HC of the namespace or one of its ancestors.
+	ManagedNamespaceLabels map[string]bool
+
+	// ManagedNamespaceAnnotations is a set of annotations whose values are controlled by the "labels" field in
+	// the HierarchyController CR. Any label in this list is removed from all managed namespaces
+	// unless specifically specified by the HC of the namespace or one of its ancestors.
+	ManagedNamespaceAnnotations map[string]bool
+)

internal/config/default_config.go

@@ -32,6 +32,14 @@ type Namespace struct {
 	// and to store the tree labels of external namespaces.
 	labels map[string]string
 
+	// ManagedLabels are all managed labels explicitly set on this namespace (i.e., excluding anything
+	// set by ancestors).
+	ManagedLabels map[string]string
+
+	// ManagedAnnotations are all managed annotations explicitly set on this namespace (i.e.,
+	// excluding anything set by ancestors).
+	ManagedAnnotations map[string]string
+
 	// sourceObjects store the objects created by users, identified by GVK and name.
 	// It serves as the source of truth for object controllers to propagate objects.
 	sourceObjects objects