Allow cluster-scoped related resources for namespaced parents

[sathieu]

Given an Ingress as parent (namespaced), I want to get access to it's parent IngressClass (cluster-scoped).

Some context here and here.

[grzesuav]

@sathieu I will try to determine if it would be possible. If children will be still namespaced-scope in the same namespace I think it would be doable

[Ragatzino]

I'm trying this, it's my first pr : #362

[grzesuav]

hi @sathieu , I checked the code, how your resource rule looks like ? From the code, if parent resource is namespaced, it still can have cluster-wide related resources. The only limitation is, if related resource is namespaced and from another namespace, it does not work currently.

[grzesuav]

ah, wait, there is second check in code, need to test it.

[grzesuav]

#363 - @sathieu @Ragatzino after reviewing code I found a bit simpler way, would appreciate feedback. I will add more unit tests, and documentation

[grzesuav]

just realized it will be slightly more complicated, as it potential requires API changes, need to review this case

[Ragatzino]

Thanks for the reply :). Tell us when you need a review or smt.

[grzesuav]

there is a related discussion in #370

[sathieu]

@grzesuav Couldn't proposed PR be changed to be backward compatible?

i.e. only specifying namespace when different from parent namespace :

{
  "related": {
    "Pod.v1": {
        "resourceInTheParentNamespace": {},
        "someOtherNamespace/someResource": {}
    }
  }
}

[grzesuav]

@sathieu and how you denote cluster-scoped resource here ?

[sathieu]

@grzesuav As they work today, i.e without prefix:

{
  "related": {
    "ClusterRoleBinding.rbac.authorization.k8s.io/v1": {
        "clusterScopedResource": {}
    },
    "Pod.v1": {
        "resourceInTheParentNamespace": {},
        "someOtherNamespace/someResource": {}
    }
  }
}

[grzesuav]

but this is a breaking change - in the proposed PR only the selector is changed, which result in more objects returned as matching. But to create API response, there is RelativeObjectMap type used.

In particular, the PR - #362 was just touching a part of whats need to be done, it was just enqueue parent objects if some related one was modified, it was not causing that in sync request objects from other namespaces will be present, this part is in GetRelatedObjects method - https://github.com/metacontroller/metacontroller/blob/master/pkg/controller/common/customize/manager.go#L335 .

Depending on implementation, lines https://github.com/metacontroller/metacontroller/blob/master/pkg/controller/common/customize/manager.go#L381-L397 should be modified. The issue is there is a RelativeObjectMap type used to hold the relations, and it does not accept the multi-namespace scenarios. Modifying it would cause to brake sync/finalize methods API's, for sure for returning objects from different namespaces.

I will experiment how it would impact ClusterScope resources, but in that case controller would need to know if its handling Cluster or Namespace resource.

The desired format for me would be

{
  "related": {
    "ClusterRoleBinding.rbac.authorization.k8s.io/v1": {
        "clusterScopedResource": {}
    },
    "Pod.v1": {
        "sameNamespace/resourceInTheParentNamespace": {},
        "someOtherNamespace/someResource": {}
    }
  }
}

as it is unambigous - you do not need to handle special case to detect if resource is in the same or other namespace (i.e. by parsing if it has / in name)

[grzesuav]

Depends on #496

[mwgamble]

I'd like to voice support for this proposal. I'd like to use a namespace resource as a related resource for a namespaced-scoped resource. Is there anything I can potentially do to help move this along?