POC mounts promotion

Author: mjudeikis

cli/pkg/workspace/plugin/create.go

@@ -126,17 +126,17 @@ func (o *CreateWorkspaceOptions) Run(ctx context.Context) error {
 		return fmt.Errorf("--ignore-existing must not be used with non-absolute type path")
 	}
 
-	var structuredWorkspaceType tenancyv1alpha1.WorkspaceTypeReference
+	var structuredWorkspaceType *tenancyv1alpha1.WorkspaceTypeReference
 	if o.Type != "" {
 		separatorIndex := strings.LastIndex(o.Type, ":")
 		switch separatorIndex {
 		case -1:
-			structuredWorkspaceType = tenancyv1alpha1.WorkspaceTypeReference{
+			structuredWorkspaceType = &tenancyv1alpha1.WorkspaceTypeReference{
 				Name: tenancyv1alpha1.WorkspaceTypeName(strings.ToLower(o.Type)),
 				// path is defaulted through admission
 			}
 		default:
-			structuredWorkspaceType = tenancyv1alpha1.WorkspaceTypeReference{
+			structuredWorkspaceType = &tenancyv1alpha1.WorkspaceTypeReference{
 				Name: tenancyv1alpha1.WorkspaceTypeName(strings.ToLower(o.Type[separatorIndex+1:])),
 				Path: o.Type[:separatorIndex],
 			}

cli/pkg/workspace/plugin/create_test.go

@@ -49,7 +49,7 @@ func TestCreate(t *testing.T) {
 		markReady          bool
 
 		newWorkspaceName                 string
-		newWorkspaceType                 tenancyv1alpha1.WorkspaceTypeReference
+		newWorkspaceType                 *tenancyv1alpha1.WorkspaceTypeReference
 		useAfterCreation, ignoreExisting bool
 
 		expected *clientcmdapi.Config
@@ -144,7 +144,7 @@ func TestCreate(t *testing.T) {
 			},
 			existingWorkspaces: []string{"bar"},
 			newWorkspaceName:   "bar",
-			newWorkspaceType:   tenancyv1alpha1.WorkspaceTypeReference{Path: "root", Name: "universal"},
+			newWorkspaceType:   &tenancyv1alpha1.WorkspaceTypeReference{Path: "root", Name: "universal"},
 			useAfterCreation:   true,
 			markReady:          true,
 			ignoreExisting:     true,
@@ -170,7 +170,7 @@ func TestCreate(t *testing.T) {
 			},
 			newWorkspaceName: "bar",
 			ignoreExisting:   true,
-			newWorkspaceType: tenancyv1alpha1.WorkspaceTypeReference{Name: "universal"},
+			newWorkspaceType: &tenancyv1alpha1.WorkspaceTypeReference{Name: "universal"},
 			wantErr:          true,
 		},
 	}
@@ -196,7 +196,7 @@ func TestCreate(t *testing.T) {
 					},
 					Spec: tenancyv1alpha1.WorkspaceSpec{
 						URL: fmt.Sprintf("https://test%s", currentClusterName.Join(name).RequestPath()),
-						Type: tenancyv1alpha1.WorkspaceTypeReference{
+						Type: &tenancyv1alpha1.WorkspaceTypeReference{
 							Name: "universal",
 							Path: "root",
 						},
@@ -208,10 +208,9 @@ func TestCreate(t *testing.T) {
 			}
 			client := kcpfakeclient.NewSimpleClientset(objects...)
 
-			workspaceType := tt.newWorkspaceType //nolint:govet // TODO(sttts): fixing this above breaks the test
-			empty := tenancyv1alpha1.WorkspaceTypeReference{}
-			if workspaceType == empty {
-				workspaceType = tenancyv1alpha1.WorkspaceTypeReference{
+			workspaceType := tt.newWorkspaceType
+			if tt.newWorkspaceType == nil {
+				workspaceType = &tenancyv1alpha1.WorkspaceTypeReference{
 					Name: "universal",
 					Path: "root",
 				}

cli/pkg/workspace/plugin/use.go

@@ -224,7 +224,7 @@ func (o *UseWorkspaceOptions) Run(ctx context.Context) (err error) {
 			if ws, err := o.kcpClusterClient.Cluster(parentClusterName).TenancyV1alpha1().Workspaces().Get(ctx, workspaceName, metav1.GetOptions{}); apierrors.IsNotFound(err) {
 				notFound = true
 			} else if err == nil {
-				workspaceType = &ws.Spec.Type
+				workspaceType = ws.Spec.Type
 			}
 		}
 	}

cli/pkg/workspace/plugin/use_test.go

@@ -753,7 +753,7 @@ func TestUse(t *testing.T) {
 							Annotations: map[string]string{logicalcluster.AnnotationKey: lcluster.String()},
 						},
 						Spec: tenancyv1alpha1.WorkspaceSpec{
-							Type: tenancyv1alpha1.WorkspaceTypeReference{
+							Type: &tenancyv1alpha1.WorkspaceTypeReference{
 								Name: "universal",
 								Path: "root",
 							},
@@ -779,7 +779,7 @@ func TestUse(t *testing.T) {
 						},
 						Spec: tenancyv1alpha1.WorkspaceSpec{
 							URL: fmt.Sprintf("https://test%s", homeWorkspace.RequestPath()),
-							Type: tenancyv1alpha1.WorkspaceTypeReference{
+							Type: &tenancyv1alpha1.WorkspaceTypeReference{
 								Name: "home",
 								Path: "root",
 							},

config/crds/tenancy.kcp.io_workspaces.yaml

@@ -27,7 +27,7 @@ spec:
       name: Region
       type: string
     - description: The current phase (e.g. Scheduling, Initializing, Ready, Deleting)
-      jsonPath: .metadata.labels['tenancy\.kcp\.io/phase']
+      jsonPath: .status.phase
       name: Phase
       type: string
     - description: URL to access the workspace
@@ -147,6 +147,60 @@ spec:
                     type: object
                     x-kubernetes-map-type: atomic
                 type: object
+              mount:
+                description: |-
+                  Mount is a reference to a mount that is used to mount the workspace.
+                  If specified, logicalcluster will not be created and the workspace will be mounted
+                  using reference mount object.
+                properties:
+                  ref:
+                    description: Reference is an ObjectReference to the object that
+                      is mounted.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: |-
+                          If referring to a piece of an object instead of an entire object, this string
+                          should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within a pod, this would take on a value like:
+                          "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]" (container with
+                          index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                          referencing a part of an object.
+                        type: string
+                      kind:
+                        description: |-
+                          Kind of the referent.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                      namespace:
+                        description: |-
+                          Namespace of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                        type: string
+                      resourceVersion:
+                        description: |-
+                          Specific resourceVersion to which this reference is made, if any.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                        type: string
+                      uid:
+                        description: |-
+                          UID of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+                x-kubernetes-validations:
+                - message: mount is immutable
+                  rule: self == oldSelf
               type:
                 description: |-
                   type defines properties of the workspace both on creation (e.g. initial
@@ -184,6 +238,8 @@ spec:
               rule: '!has(oldSelf.URL) || has(self.URL)'
             - message: cluster cannot be unset
               rule: '!has(oldSelf.cluster) || has(self.cluster)'
+            - message: spec.mount and spec.type cannot both be set
+              rule: '!(has(self.mount) && has(self.type))'
           status:
             default: {}
             description: WorkspaceStatus communicates the observed state of the Workspace.

config/root-phase0/apiexport-tenancy.kcp.io.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   latestResourceSchemas:
   - v240903-d6797056a.workspacetypes.tenancy.kcp.io
-  - v241020-fce06d31d.workspaces.tenancy.kcp.io
+  - v250202-2fb34bcbd.workspaces.tenancy.kcp.io
   maximalPermissionPolicy:
     local: {}
 status: {}

config/root-phase0/apiresourceschema-workspaces.tenancy.kcp.io.yaml

@@ -2,7 +2,7 @@ apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
   creationTimestamp: null
-  name: v241020-fce06d31d.workspaces.tenancy.kcp.io
+  name: v250202-2fb34bcbd.workspaces.tenancy.kcp.io
 spec:
   group: tenancy.kcp.io
   names:
@@ -26,7 +26,7 @@ spec:
       name: Region
       type: string
     - description: The current phase (e.g. Scheduling, Initializing, Ready, Deleting)
-      jsonPath: .metadata.labels['tenancy\.kcp\.io/phase']
+      jsonPath: .status.phase
       name: Phase
       type: string
     - description: URL to access the workspace
@@ -145,6 +145,60 @@ spec:
                   type: object
                   x-kubernetes-map-type: atomic
               type: object
+            mount:
+              description: |-
+                Mount is a reference to a mount that is used to mount the workspace.
+                If specified, logicalcluster will not be created and the workspace will be mounted
+                using reference mount object.
+              properties:
+                ref:
+                  description: Reference is an ObjectReference to the object that
+                    is mounted.
+                  properties:
+                    apiVersion:
+                      description: API version of the referent.
+                      type: string
+                    fieldPath:
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
+                      type: string
+                    kind:
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                      type: string
+                    name:
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                    namespace:
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                      type: string
+                    resourceVersion:
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                      type: string
+                    uid:
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+              type: object
+              x-kubernetes-validations:
+              - message: mount is immutable
+                rule: self == oldSelf
             type:
               description: |-
                 type defines properties of the workspace both on creation (e.g. initial
@@ -182,6 +236,8 @@ spec:
             rule: '!has(oldSelf.URL) || has(self.URL)'
           - message: cluster cannot be unset
             rule: '!has(oldSelf.cluster) || has(self.cluster)'
+          - message: spec.mount and spec.type cannot both be set
+            rule: '!(has(self.mount) && has(self.type))'
         status:
           default: {}
           description: WorkspaceStatus communicates the observed state of the Workspace.

pkg/admission/workspace/admission.go

@@ -164,30 +164,46 @@ func (o *workspace) Validate(ctx context.Context, a admission.Attributes, _ admi
 			return fmt.Errorf("failed to convert unstructured to Workspace: %w", err)
 		}
 
-		if old.Spec.Cluster != "" && ws.Spec.Cluster == "" {
-			return admission.NewForbidden(a, errors.New("spec.cluster cannot be unset"))
-		}
-		if old.Spec.Cluster != ws.Spec.Cluster && !isSystemPrivileged {
-			return admission.NewForbidden(a, errors.New("spec.cluster can only be changed by system privileged users"))
-		}
-		if old.Spec.URL != ws.Spec.URL && !isSystemPrivileged {
-			return admission.NewForbidden(a, errors.New("spec.URL can only be changed by system privileged users"))
-		}
+		if !old.Spec.IsMounted() {
+			if old.Spec.Cluster != "" && ws.Spec.Cluster == "" {
+				return admission.NewForbidden(a, errors.New("spec.cluster cannot be unset"))
+			}
+			if old.Spec.Cluster != ws.Spec.Cluster && !isSystemPrivileged {
+				return admission.NewForbidden(a, errors.New("spec.cluster can only be changed by system privileged users"))
+			}
+			if old.Spec.URL != ws.Spec.URL && !isSystemPrivileged {
+				return admission.NewForbidden(a, errors.New("spec.URL can only be changed by system privileged users"))
+			}
 
-		if errs := validation.ValidateImmutableField(ws.Spec.Type, old.Spec.Type, field.NewPath("spec", "type")); len(errs) > 0 {
-			return admission.NewForbidden(a, errs.ToAggregate())
-		}
-		if old.Spec.Type.Path != ws.Spec.Type.Path || old.Spec.Type.Name != ws.Spec.Type.Name {
-			return admission.NewForbidden(a, errors.New("spec.type is immutable"))
-		}
+			if errs := validation.ValidateImmutableField(ws.Spec.Type, old.Spec.Type, field.NewPath("spec", "type")); len(errs) > 0 {
+				return admission.NewForbidden(a, errs.ToAggregate())
+			}
+			if old.Spec.Type.Path != ws.Spec.Type.Path || old.Spec.Type.Name != ws.Spec.Type.Name {
+				return admission.NewForbidden(a, errors.New("spec.type is immutable"))
+			}
+			// If we're transitioning to "Ready", make sure that spec.cluster and spec.URL are set.
+			// This applies only for non-mounted workspaces.
+			if old.Status.Phase != corev1alpha1.LogicalClusterPhaseReady && ws.Status.Phase == corev1alpha1.LogicalClusterPhaseReady {
+				if ws.Spec.Cluster == "" {
+					return admission.NewForbidden(a, fmt.Errorf("spec.cluster must be set for phase %s", ws.Status.Phase))
+				}
+				if ws.Spec.URL == "" {
+					return admission.NewForbidden(a, fmt.Errorf("spec.URL must be set for phase %s", ws.Status.Phase))
+				}
+			}
 
-		// If we're transitioning to "Ready", make sure that spec.cluster and spec.URL are set.
-		if old.Status.Phase != corev1alpha1.LogicalClusterPhaseReady && ws.Status.Phase == corev1alpha1.LogicalClusterPhaseReady {
-			if ws.Spec.Cluster == "" {
-				return admission.NewForbidden(a, fmt.Errorf("spec.cluster must be set for phase %s", ws.Status.Phase))
+		} else {
+			if old.Spec.Mount.Reference.Kind != ws.Spec.Mount.Reference.Kind {
+				return admission.NewForbidden(a, errors.New("spec.mount.kind is immutable"))
+			}
+			if old.Spec.Mount.Reference.Name != ws.Spec.Mount.Reference.Name {
+				return admission.NewForbidden(a, errors.New("spec.mount.name is immutable"))
+			}
+			if old.Spec.Mount.Reference.Namespace != ws.Spec.Mount.Reference.Namespace {
+				return admission.NewForbidden(a, errors.New("spec.mount.namespace is immutable"))
 			}
-			if ws.Spec.URL == "" {
-				return admission.NewForbidden(a, fmt.Errorf("spec.URL must be set for phase %s", ws.Status.Phase))
+			if old.Spec.Mount.Reference.APIVersion != ws.Spec.Mount.Reference.APIVersion {
+				return admission.NewForbidden(a, errors.New("spec.mount.apiVersion is immutable"))
 			}
 		}
 	case admission.Create: