Merge pull request GoogleCloudPlatform#1149 from maqiuyujoyce/202401-move-defaulter-no-bc

Move the state-into-spec defaulter from webhook to controllers

Author: google-oss-prow[bot]

pkg/controller/dcl/controller.go

@@ -197,6 +197,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (res
 	if err != nil {
 		return reconcile.Result{}, fmt.Errorf("could not parse resource %s: %w", req.NamespacedName.String(), err)
 	}
+	if err := r.handleDefaultStateIntoSpecValue(resource); err != nil {
+		return reconcile.Result{}, fmt.Errorf("error handling default values for resource '%v': %w", k8s.GetNamespacedName(resource), err)
+	}
 	if err := r.applyChangesForBackwardsCompatibility(ctx, resource); err != nil {
 		return reconcile.Result{}, fmt.Errorf("error applying changes to resource '%v' for backwards compatibility: %v", k8s.GetNamespacedName(resource), err)
 	}
@@ -414,6 +417,15 @@ func (r *Reconciler) obtainResourceLeaseIfNecessary(ctx context.Context, resourc
 	return nil
 }
 
+func (r *Reconciler) handleDefaultStateIntoSpecValue(resource *dcl.Resource) error {
+	// Validate or set the default value (cluster-level or namespace-level) for
+	// the 'state-into-spec' annotation.
+	if err := k8s.ValidateOrDefaultStateIntoSpecAnnotation(&resource.Resource, k8s.StateMergeIntoSpec); err != nil {
+		return fmt.Errorf("error validating or defaulting the '%v' annotation for resource '%v': %w", k8s.StateIntoSpecAnnotation, k8s.GetNamespacedName(resource), err)
+	}
+	return nil
+}
+
 func (r *Reconciler) applyChangesForBackwardsCompatibility(ctx context.Context, resource *dcl.Resource) error {
 	// Ensure the resource has a hierarchical reference. This is done to be
 	// backwards compatible with resources created before the webhook for
@@ -430,13 +442,6 @@ func (r *Reconciler) applyChangesForBackwardsCompatibility(ctx context.Context,
 	if err := k8s.EnsureHierarchicalReference(ctx, &resource.Resource, hierarchicalRefs, containers, r.Client); err != nil {
 		return fmt.Errorf("error ensuring resource '%v' has a hierarchical reference: %v", k8s.GetNamespacedName(resource), err)
 	}
-
-	// Ensure the resource has a state-into-spec annotation.
-	// This is done to be backwards compatible with resources
-	// created before the webhook for defaulting the annotation was added.
-	if err := k8s.EnsureSpecIntoSateAnnotation(&resource.Resource); err != nil {
-		return fmt.Errorf("error ensuring resource '%v' has a '%v' annotation: %v", k8s.GetNamespacedName(resource), k8s.StateIntoSpecAnnotation, err)
-	}
 	return nil
 }
 

pkg/controller/iam/auditconfig/iamauditconfig_controller.go

@@ -139,6 +139,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 		}
 		return reconcile.Result{}, err
 	}
+	if err := r.handleDefaultStateIntoSpecValue(&auditConfig); err != nil {
+		return reconcile.Result{}, fmt.Errorf("error handling default values for IAM policy '%v': %w", k8s.GetNamespacedName(&auditConfig), err)
+	}
 	reconcileContext := &reconcileContext{
 		Reconciler:     r,
 		Ctx:            ctx,
@@ -159,6 +162,15 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 	return reconcile.Result{RequeueAfter: jitteredPeriod}, nil
 }
 
+func (r *Reconciler) handleDefaultStateIntoSpecValue(auditConfig *iamv1beta1.IAMAuditConfig) error {
+	// Validate or set the default value (cluster-level or namespace-level) for
+	// the 'state-into-spec' annotation.
+	if err := k8s.ValidateOrDefaultStateIntoSpecAnnotation(auditConfig, k8s.StateMergeIntoSpec); err != nil {
+		return fmt.Errorf("error validating or defaulting the '%v' annotation for resource '%v': %w", k8s.StateIntoSpecAnnotation, k8s.GetNamespacedName(auditConfig), err)
+	}
+	return nil
+}
+
 func (r *reconcileContext) doReconcile(auditConfig *iamv1beta1.IAMAuditConfig) (requeue bool, err error) {
 	defer execution.RecoverWithInternalError(&err)
 	if !auditConfig.DeletionTimestamp.IsZero() {

pkg/controller/iam/partialpolicy/iampartialpolicy_controller.go

@@ -151,6 +151,9 @@ func (r *ReconcileIAMPartialPolicy) Reconcile(ctx context.Context, request recon
 		// Error reading the object - requeue the request.
 		return reconcile.Result{}, err
 	}
+	if err := r.handleDefaultStateIntoSpecValue(policy); err != nil {
+		return reconcile.Result{}, fmt.Errorf("error handling default values for IAM partial policy '%v': %w", k8s.GetNamespacedName(policy), err)
+	}
 	runCtx := &reconcileContext{
 		Reconciler:     r,
 		Ctx:            ctx,
@@ -171,6 +174,15 @@ func (r *ReconcileIAMPartialPolicy) Reconcile(ctx context.Context, request recon
 	return reconcile.Result{RequeueAfter: jitteredPeriod}, nil
 }
 
+func (r *ReconcileIAMPartialPolicy) handleDefaultStateIntoSpecValue(pp *iamv1beta1.IAMPartialPolicy) error {
+	// Validate or set the default value (cluster-level or namespace-level) for
+	// the 'state-into-spec' annotation.
+	if err := k8s.ValidateOrDefaultStateIntoSpecAnnotation(pp, k8s.StateMergeIntoSpec); err != nil {
+		return fmt.Errorf("error validating or defaulting the '%v' annotation for resource '%v': %w", k8s.StateIntoSpecAnnotation, k8s.GetNamespacedName(pp), err)
+	}
+	return nil
+}
+
 func (r *reconcileContext) doReconcile(pp *iamv1beta1.IAMPartialPolicy) (requeue bool, err error) {
 	defer execution.RecoverWithInternalError(&err)
 	if !pp.DeletionTimestamp.IsZero() {

pkg/controller/iam/policy/iampolicy_controller.go

@@ -150,6 +150,9 @@ func (r *ReconcileIAMPolicy) Reconcile(ctx context.Context, request reconcile.Re
 		// Error reading the object - requeue the request.
 		return reconcile.Result{}, err
 	}
+	if err := r.handleDefaultStateIntoSpecValue(policy); err != nil {
+		return reconcile.Result{}, fmt.Errorf("error handling default values for IAM policy '%v': %w", k8s.GetNamespacedName(policy), err)
+	}
 	runCtx := &reconcileContext{
 		Reconciler:     r,
 		Ctx:            ctx,
@@ -170,6 +173,15 @@ func (r *ReconcileIAMPolicy) Reconcile(ctx context.Context, request reconcile.Re
 	return reconcile.Result{RequeueAfter: jitteredPeriod}, nil
 }
 
+func (r *ReconcileIAMPolicy) handleDefaultStateIntoSpecValue(policy *iamv1beta1.IAMPolicy) error {
+	// Validate or set the default value (cluster-level or namespace-level) for
+	// the 'state-into-spec' annotation.
+	if err := k8s.ValidateOrDefaultStateIntoSpecAnnotation(policy, k8s.StateMergeIntoSpec); err != nil {
+		return fmt.Errorf("error validating or defaulting the '%v' annotation for resource '%v': %w", k8s.StateIntoSpecAnnotation, k8s.GetNamespacedName(policy), err)
+	}
+	return nil
+}
+
 func (r *reconcileContext) doReconcile(policy *iamv1beta1.IAMPolicy) (requeue bool, err error) {
 	defer execution.RecoverWithInternalError(&err)
 	if !policy.DeletionTimestamp.IsZero() {

pkg/controller/iam/policymember/iampolicymember_controller.go

@@ -149,6 +149,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 		}
 		return reconcile.Result{}, err
 	}
+	if err := r.handleDefaultStateIntoSpecValue(&memberPolicy); err != nil {
+		return reconcile.Result{}, fmt.Errorf("error handling default values for IAM policy member '%v': %w", k8s.GetNamespacedName(&memberPolicy), err)
+	}
 	reconcileContext := &reconcileContext{
 		Reconciler:     r,
 		Ctx:            ctx,
@@ -172,6 +175,15 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 	return reconcile.Result{RequeueAfter: requeueAfter}, nil
 }
 
+func (r *Reconciler) handleDefaultStateIntoSpecValue(policyMember *iamv1beta1.IAMPolicyMember) error {
+	// Validate or set the default value (cluster-level or namespace-level) for
+	// the 'state-into-spec' annotation.
+	if err := k8s.ValidateOrDefaultStateIntoSpecAnnotation(policyMember, k8s.StateMergeIntoSpec); err != nil {
+		return fmt.Errorf("error validating or defaulting the '%v' annotation for resource '%v': %w", k8s.StateIntoSpecAnnotation, k8s.GetNamespacedName(policyMember), err)
+	}
+	return nil
+}
+
 func (r *reconcileContext) doReconcile(policyMember *iamv1beta1.IAMPolicyMember) (requeue bool, err error) {
 	defer execution.RecoverWithInternalError(&err)
 	if !policyMember.DeletionTimestamp.IsZero() {

pkg/controller/lifecyclehandler/handler.go

@@ -197,20 +197,22 @@ func reasonForUnresolvableDeps(err error) (string, error) {
 
 func (r *LifecycleHandler) EnsureFinalizers(ctx context.Context, original, resource *k8s.Resource, finalizers ...string) error {
 	if !k8s.EnsureFinalizers(resource, finalizers...) {
-		u, err := original.MarshalAsUnstructured()
+		uo, err := original.MarshalAsUnstructured()
 		if err != nil {
 			return err
 		}
-		copy, err := k8s.NewResource(u)
+		originalCopy, err := k8s.NewResource(uo)
 		if err != nil {
 			return err
 		}
-		if !k8s.EnsureFinalizers(copy, finalizers...) {
-			if err := r.updateAPIServer(ctx, copy); err != nil {
+		if !k8s.EnsureFinalizers(originalCopy, finalizers...) {
+			if err := r.updateAPIServer(ctx, originalCopy); err != nil {
 				return err
 			}
-			// sync the resource up with the updated metadata.
-			resource.ObjectMeta = copy.ObjectMeta
+			// Sync the resource up with the updated metadata except for the
+			// defaulted / pre-processed annotations.
+			originalCopy.ObjectMeta.Annotations = resource.ObjectMeta.Annotations
+			resource.ObjectMeta = originalCopy.ObjectMeta
 		}
 	}
 	return nil

pkg/controller/tf/controller.go

@@ -174,6 +174,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (res
 	if err != nil {
 		return reconcile.Result{}, fmt.Errorf("could not parse resource %s: %v", req.NamespacedName.String(), err)
 	}
+	if err := r.handleDefaultStateIntoSpecValue(resource); err != nil {
+		return reconcile.Result{}, fmt.Errorf("error handling default values for resource '%v': %w", k8s.GetNamespacedName(resource), err)
+	}
 	if err := r.applyChangesForBackwardsCompatibility(ctx, resource); err != nil {
 		return reconcile.Result{}, fmt.Errorf("error applying changes to resource '%v' for backwards compatibility: %v", k8s.GetNamespacedName(resource), err)
 	}
@@ -398,6 +401,15 @@ func (r *Reconciler) enqueueForImmediateReconciliation(resourceNN types.Namespac
 	r.immediateReconcileRequests <- genEvent
 }
 
+func (r *Reconciler) handleDefaultStateIntoSpecValue(resource *krmtotf.Resource) error {
+	// Validate or set the default value (cluster-level or namespace-level) for
+	// the 'state-into-spec' annotation.
+	if err := k8s.ValidateOrDefaultStateIntoSpecAnnotation(&resource.Resource, k8s.StateMergeIntoSpec); err != nil {
+		return fmt.Errorf("error validating or defaulting the '%v' annotation for resource '%v': %w", k8s.StateIntoSpecAnnotation, k8s.GetNamespacedName(resource), err)
+	}
+	return nil
+}
+
 func (r *Reconciler) applyChangesForBackwardsCompatibility(ctx context.Context, resource *krmtotf.Resource) error {
 	rc := resource.ResourceConfig
 
@@ -414,13 +426,6 @@ func (r *Reconciler) applyChangesForBackwardsCompatibility(ctx context.Context,
 	if err := k8s.EnsureHierarchicalReference(ctx, &resource.Resource, rc.HierarchicalReferences, rc.Containers, r.Client); err != nil {
 		return fmt.Errorf("error ensuring resource '%v' has a hierarchical reference: %v", k8s.GetNamespacedName(resource), err)
 	}
-
-	// Ensure the resource has a state-into-spec annotation.
-	// This is done to be backwards compatible with resources
-	// created before the webhook for defaulting the annotation was added.
-	if err := k8s.EnsureSpecIntoSateAnnotation(&resource.Resource); err != nil {
-		return fmt.Errorf("error ensuring resource '%v' has a '%v' annotation: %v", k8s.GetNamespacedName(resource), k8s.StateIntoSpecAnnotation, err)
-	}
 	return nil
 }
 

pkg/k8s/state_into_spec_annotation.go

@@ -19,21 +19,16 @@ import (
 	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
-func ValidateOrDefaultStateIntoSpecAnnotation(obj *unstructured.Unstructured) error {
+// ValidateOrDefaultStateIntoSpecAnnotation validates the value of the
+// 'state-into-spec' annotation if it is set and defaults the annotation to the
+// passed in defaultValue if it is unset.
+func ValidateOrDefaultStateIntoSpecAnnotation(obj metav1.Object, defaultValue string) error {
 	_, found := GetAnnotation(StateIntoSpecAnnotation, obj)
 	if !found {
-		SetAnnotation(StateIntoSpecAnnotation, StateMergeIntoSpec, obj)
-	}
-	return validateStateIntoSpecAnnotation(obj)
-}
-
-func EnsureSpecIntoSateAnnotation(obj *Resource) error {
-	_, found := GetAnnotation(StateIntoSpecAnnotation, obj)
-	if !found {
-		SetAnnotation(StateIntoSpecAnnotation, StateMergeIntoSpec, obj)
+		// TODO(b/322836859): Ensure ComputeAddress doesn't need special handling.
+		SetAnnotation(StateIntoSpecAnnotation, defaultValue, obj)
 	}
 	return validateStateIntoSpecAnnotation(obj)
 }
@@ -44,14 +39,14 @@ func validateStateIntoSpecAnnotation(obj metav1.Object) error {
 		return fmt.Errorf("couldn't find the value for '%v' annotation", StateIntoSpecAnnotation)
 	}
 
-	if !isAcceptedValue(val) {
+	if !isAcceptedValue(val, StateIntoSpecAnnotationValues) {
 		return fmt.Errorf("invalid value '%v' for '%v' annotation, can be one of {%v}", val, StateIntoSpecAnnotation, strings.Join(StateIntoSpecAnnotationValues, ", "))
 	}
 	return nil
 }
 
-func isAcceptedValue(val string) bool {
-	for _, v := range StateIntoSpecAnnotationValues {
+func isAcceptedValue(val string, acceptedValues []string) bool {
+	for _, v := range acceptedValues {
 		if val == v {
 			return true
 		}

pkg/k8s/state_into_spec_annotation_test.go

@@ -22,13 +22,14 @@ import (
 
 func TestValidateOrDefaultStateIntoSpecAnnotation(t *testing.T) {
 	tests := []struct {
-		name        string
-		obj         *unstructured.Unstructured
-		hasError    bool
-		expectedVal string
+		name         string
+		obj          *unstructured.Unstructured
+		defaultValue string
+		hasError     bool
+		expectedVal  string
 	}{
 		{
-			name: "user specifies an accepted value",
+			name: "valid 'state-into-spec' value",
 			obj: &unstructured.Unstructured{
 				Object: map[string]interface{}{
 					"apiVersion": "test1.cnrm.cloud.google.com/v1alpha1",
@@ -40,10 +41,11 @@ func TestValidateOrDefaultStateIntoSpecAnnotation(t *testing.T) {
 					},
 				},
 			},
-			expectedVal: "merge",
+			defaultValue: "merge",
+			expectedVal:  "merge",
 		},
 		{
-			name: "user specifies an unacceptable value",
+			name: "invalid 'state-into-spec' value",
 			obj: &unstructured.Unstructured{
 				Object: map[string]interface{}{
 					"apiVersion": "test1.cnrm.cloud.google.com/v1alpha1",
@@ -55,10 +57,11 @@ func TestValidateOrDefaultStateIntoSpecAnnotation(t *testing.T) {
 					},
 				},
 			},
-			hasError: true,
+			defaultValue: "merge",
+			hasError:     true,
 		},
 		{
-			name: "user specifies an empty string",
+			name: "'state-into-spec' value is an empty string",
 			obj: &unstructured.Unstructured{
 				Object: map[string]interface{}{
 					"apiVersion": "test1.cnrm.cloud.google.com/v1alpha1",
@@ -70,20 +73,22 @@ func TestValidateOrDefaultStateIntoSpecAnnotation(t *testing.T) {
 					},
 				},
 			},
-			hasError: true,
+			defaultValue: "merge",
+			hasError:     true,
 		},
 		{
-			name: "defaulting if absent",
+			name: "'state-into-spec' annotation defaulted to defaultValue if unset",
 			obj: &unstructured.Unstructured{
 				Object: map[string]interface{}{
 					"apiVersion": "test1.cnrm.cloud.google.com/v1alpha1",
 					"kind":       "Test1Bar",
 				},
 			},
-			expectedVal: "merge",
+			defaultValue: "absent",
+			expectedVal:  "absent",
 		},
 		{
-			name: "BigQueryDataset kind can use 'absent' value",
+			name: "BigQueryDataset kind can use 'absent' as the 'state-into-spec' value",
 			obj: &unstructured.Unstructured{
 				Object: map[string]interface{}{
 					"apiVersion": "bigquery.cnrm.cloud.google.com/v1beta1",
@@ -95,10 +100,11 @@ func TestValidateOrDefaultStateIntoSpecAnnotation(t *testing.T) {
 					},
 				},
 			},
-			expectedVal: "absent",
+			defaultValue: "absent",
+			expectedVal:  "absent",
 		},
 		{
-			name: "BigQueryDataset kind can use 'merge' value",
+			name: "BigQueryDataset kind can use 'merge' as the 'state-into-spec' value",
 			obj: &unstructured.Unstructured{
 				Object: map[string]interface{}{
 					"apiVersion": "bigquery.cnrm.cloud.google.com/v1beta1",
@@ -110,14 +116,26 @@ func TestValidateOrDefaultStateIntoSpecAnnotation(t *testing.T) {
 					},
 				},
 			},
-			expectedVal: "merge",
+			defaultValue: "merge",
+			expectedVal:  "merge",
+		},
+		{
+			name: "error out if defaultValue is invalid",
+			obj: &unstructured.Unstructured{
+				Object: map[string]interface{}{
+					"apiVersion": "test1.cnrm.cloud.google.com/v1alpha1",
+					"kind":       "Test1Bar",
+				},
+			},
+			defaultValue: "invalid",
+			hasError:     true,
 		},
 	}
 
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
-			err := ValidateOrDefaultStateIntoSpecAnnotation(tc.obj)
+			err := ValidateOrDefaultStateIntoSpecAnnotation(tc.obj, tc.defaultValue)
 			if tc.hasError {
 				if err == nil {
 					t.Fatalf("got nil, but expect an error")