[controller, api] Select ingresses and services

This patch extends the resource-selecting function of the webhook to also apply selectors to ingresses and services, like has been already done for secrets. The Cozystack resource definitions have been upgraded to contain two more fields: `ingresses` and `services` and populated with counterparts of the legacy selectors from the dashboard roles. ```release-note [controller, api] Enable marking ingresses and services as user-facing and implement selectors for existing CozystackResourceDefinitions. ``` Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
2026-01-27 10:18:39 +00:00 · 2025-10-03 18:04:31 +03:00
parent da0eb7a829
commit 9b0f919052
24 changed files with 478 additions and 10 deletions
--- a/internal/lineagecontrollerwebhook/matcher.go
+++ b/internal/lineagecontrollerwebhook/matcher.go
@@ -62,12 +62,12 @@ func matchResourceToSelectorArray(ctx context.Context, name string, templateCont
 	return false
 }

-func matchResourceToExcludeInclude(ctx context.Context, name string, templateContext, l map[string]string, ex, in []*cozyv1alpha1.CozystackResourceDefinitionResourceSelector) bool {
-	if matchResourceToSelectorArray(ctx, name, templateContext, l, ex) {
+func matchResourceToExcludeInclude(ctx context.Context, name string, templateContext, l map[string]string, resources *cozyv1alpha1.CozystackResourceDefinitionResources) bool {
+	if resources == nil {
 		return false
 	}
-	if matchResourceToSelectorArray(ctx, name, templateContext, l, in) {
-		return true
+	if matchResourceToSelectorArray(ctx, name, templateContext, l, resources.Exclude) {
+		return false
 	}
-	return false
+	return matchResourceToSelectorArray(ctx, name, templateContext, l, resources.Include)
 }
--- a/internal/lineagecontrollerwebhook/webhook.go
+++ b/internal/lineagecontrollerwebhook/webhook.go
@@ -19,6 +19,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
 	corev1alpha1 "github.com/cozystack/cozystack/pkg/apis/core/v1alpha1"
 )

@@ -27,6 +28,20 @@ var (
 	AncestryAmbiguous = fmt.Errorf("object ancestry is ambiguous")
 )

+// getResourceSelectors returns the appropriate CozystackResourceDefinitionResources for a given GroupKind
+func (h *LineageControllerWebhook) getResourceSelectors(gk schema.GroupKind, crd *cozyv1alpha1.CozystackResourceDefinition) *cozyv1alpha1.CozystackResourceDefinitionResources {
+	switch {
+	case gk.Group == "" && gk.Kind == "Secret":
+		return &crd.Spec.Secrets
+	case gk.Group == "" && gk.Kind == "Service":
+		return &crd.Spec.Services
+	case gk.Group == "networking.k8s.io" && gk.Kind == "Ingress":
+		return &crd.Spec.Ingresses
+	default:
+		return nil
+	}
+}
+
 // SetupWithManager registers the handler with the webhook server.
 func (h *LineageControllerWebhook) SetupWithManagerAsWebhook(mgr ctrl.Manager) error {
 	cfg := rest.CopyConfig(mgr.GetConfig())
@@ -138,19 +153,16 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc
 		"name":      obj.GetName(),
 		"namespace": o.GetNamespace(),
 	}
-	if o.GetAPIVersion() != "v1" || o.GetKind() != "Secret" {
-		return labels, err
-	}
 	cfg := h.config.Load().(*runtimeConfig)
 	crd := cfg.appCRDMap[appRef{gv.Group, obj.GetKind()}]
+	resourceSelectors := h.getResourceSelectors(o.GroupVersionKind().GroupKind(), crd)

-	// TODO: expand this to work with other resources than Secrets
 	labels[corev1alpha1.TenantResourceLabelKey] = func(b bool) string {
 		if b {
 			return corev1alpha1.TenantResourceLabelValue
 		}
 		return "false"
-	}(matchResourceToExcludeInclude(ctx, o.GetName(), templateLabels, o.GetLabels(), crd.Spec.Secrets.Exclude, crd.Spec.Secrets.Include))
+	}(matchResourceToExcludeInclude(ctx, o.GetName(), templateLabels, o.GetLabels(), resourceSelectors))
 	return labels, err
 }