make workspace updates code-drive vs user drive

Author: mjudeikis

config/root-phase0/apiexport-tenancy.kcp.io.yaml

@@ -9,7 +9,7 @@ spec:
   resources:
   - group: tenancy.kcp.io
     name: workspaces
-    schema: v241020-fce06d31d.workspaces.tenancy.kcp.io
+    schema: v250315-28b43d5a9.workspaces.tenancy.kcp.io
     storage:
       crd: {}
   - group: tenancy.kcp.io

pkg/admission/workspace/admission.go

@@ -213,11 +213,11 @@ func (o *workspace) Validate(ctx context.Context, a admission.Attributes, _ admi
 				return admission.NewForbidden(a, errors.New("spec.type cannot be set for mounted workspaces"))
 			}
 			// Check for immutability of spec.type via pointers checks first.
-			if (old.Spec.Type == nil && ws.Spec.Type != nil) || (old.Spec.Type != nil && ws.Spec.Type == nil) {
+			if !isSystemPrivileged && ((old.Spec.Type == nil && ws.Spec.Type != nil) || (old.Spec.Type != nil && ws.Spec.Type == nil)) {
 				return admission.NewForbidden(a, errors.New("spec.type is immutable"))
 			}
 			// Check for immutability of spec.type via field checks.
-			if old.Spec.Type != nil && ws.Spec.Type != nil {
+			if !isSystemPrivileged && old.Spec.Type != nil && ws.Spec.Type != nil {
 				if old.Spec.Type.Path != ws.Spec.Type.Path || old.Spec.Type.Name != ws.Spec.Type.Name {
 					return admission.NewForbidden(a, errors.New("spec.type is immutable"))
 				}

pkg/indexers/indexers.go

@@ -137,3 +137,19 @@ func ByPathAndNameWithFallback[T runtime.Object](groupResource schema.GroupResou
 	// Didn't find it locally - try remote
 	return ByPathAndName[T](groupResource, globalIndexer, path, name)
 }
+
+// IndexByWorkspaceLogicalClusterAndURL indexes by logical cluster path and object name, if the annotation exists.
+func IndexByWorkspaceLogicalClusterAndURL(obj interface{}) ([]string, error) {
+	metaObj, ok := obj.(metav1.Object)
+	if !ok {
+		return []string{}, fmt.Errorf("obj is supposed to be a metav1.Object, but is %T", obj)
+	}
+	if path, found := metaObj.GetAnnotations()[core.LogicalClusterPathAnnotationKey]; found {
+		return []string{
+			logicalcluster.NewPath(path).Join(metaObj.GetName()).String(),
+			logicalcluster.From(metaObj).Path().Join(metaObj.GetName()).String(),
+		}, nil
+	}
+
+	return []string{logicalcluster.From(metaObj).Path().Join(metaObj.GetName()).String()}, nil
+}

pkg/indexers/workspace.go

@@ -0,0 +1,38 @@
+/*
+Copyright 2022 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package indexers
+
+import (
+	"fmt"
+
+	tenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
+)
+
+const (
+	// WorkspaceByURL is the indexer workspace by its url.
+	WorkspaceByURL = "WorkspaceByURL"
+)
+
+// IndexAPIExportByIdentity is an index function that indexes an APIExport by its identity hash.
+func IndexWorkspaceByURL(obj interface{}) (string, error) {
+	ws, ok := obj.(*tenancyv1alpha1.Workspace)
+	if !ok {
+		return "", fmt.Errorf("obj %T is not an APIExportEndpointSlice", obj)
+	}
+
+	return ws.Spec.URL, nil
+}

pkg/indexers/workspace_test.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package indexers
+
+import (
+	"reflect"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	tenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
+)
+
+func TestIndexWorkspaceByURL(t *testing.T) {
+	tests := map[string]struct {
+		obj     interface{}
+		want    string
+		wantErr bool
+	}{
+		"not a Workspace": {
+			obj:     "not a Workspace",
+			want:    "",
+			wantErr: true,
+		},
+		"valid Workspace without url": {
+			obj: &tenancyv1alpha1.Workspace{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: tenancyv1alpha1.WorkspaceSpec{},
+			},
+			wantErr: false,
+			want:    "",
+		},
+		"valid Workspace with url": {
+			obj: &tenancyv1alpha1.Workspace{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: tenancyv1alpha1.WorkspaceSpec{
+					URL: "https://example.com",
+				},
+			},
+			wantErr: false,
+			want:    "https://example.com",
+		},
+	}
+
+	for name, tt := range tests {
+		t.Run(name, func(t *testing.T) {
+			got, err := IndexWorkspaceByURL(tt.obj)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("IndexWorkspaceByURL() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("IndexWorkspaceByURL() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

pkg/reconciler/tenancy/workspace/workspace_controller.go

@@ -275,7 +275,8 @@ func (c *Controller) process(ctx context.Context, key string) (bool, error) {
 }
 
 // InstallIndexers adds the additional indexers that this controller requires to the informers.
-func InstallIndexers(workspaceInformer tenancyv1alpha1informers.WorkspaceClusterInformer,
+func InstallIndexers(
+	workspaceInformer tenancyv1alpha1informers.WorkspaceClusterInformer,
 	globalShardInformer corev1alpha1informers.ShardClusterInformer,
 	globalWorkspaceTypeInformer tenancyv1alpha1informers.WorkspaceTypeClusterInformer,
 ) {

pkg/reconciler/tenancy/workspacemounts/workspace_indexes.go

@@ -0,0 +1,96 @@
+/*
+Copyright 2022 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package workspacemounts
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"github.com/kcp-dev/logicalcluster/v3"
+
+	tenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
+)
+
+const workspaceByURL = "WorkspaceByURL"
+
+// indexWorkspaceByURL is an index for workspaces by their URL.
+func indexWorkspaceByURL(obj interface{}) ([]string, error) {
+	ws, ok := obj.(*tenancyv1alpha1.Workspace)
+	if !ok {
+		return nil, fmt.Errorf("obj %T is not an Workspace", obj)
+	}
+
+	return []string{ws.Spec.URL}, nil
+}
+
+const workspaceMountsReferenceIndex = "WorkspacesByMountReference"
+
+type workspaceMountsReferenceKey struct {
+	ClusterName string `json:"clusterName"`
+	Group       string `json:"group"`
+	Resource    string `json:"resource"`
+	Name        string `json:"name"`
+	Namespace   string `json:"namespace,omitempty"`
+}
+
+func indexWorkspaceByMountObject(obj interface{}) ([]string, error) {
+	ws, ok := obj.(*tenancyv1alpha1.Workspace)
+	if !ok {
+		return []string{}, fmt.Errorf("obj is supposed to be a Workspace, but is %T", obj)
+	}
+
+	if ws.Spec.Mount == nil {
+		return nil, nil
+	}
+
+	key := workspaceMountsReferenceKey{
+		ClusterName: logicalcluster.From(ws).String(),
+		// TODO(sttts): do proper REST mapping
+		Resource:  strings.ToLower(ws.Spec.Mount.Reference.Kind) + "s",
+		Name:      ws.Spec.Mount.Reference.Name,
+		Namespace: ws.Spec.Mount.Reference.Namespace,
+	}
+	cs := strings.SplitN(ws.Spec.Mount.Reference.APIVersion, "/", 2)
+	if len(cs) == 2 {
+		key.Group = cs[0]
+	}
+	bs, err := json.Marshal(key)
+	if err != nil {
+		return nil, fmt.Errorf("unable to marshal mount reference: %w", err)
+	}
+
+	return []string{string(bs)}, nil
+}
+
+func indexWorkspaceByMountObjectValue(gvr schema.GroupVersionResource, obj *unstructured.Unstructured) (string, error) {
+	key := workspaceMountsReferenceKey{
+		ClusterName: logicalcluster.From(obj).String(),
+		Group:       gvr.Group,
+		Resource:    gvr.Resource,
+		Name:        obj.GetName(),
+		Namespace:   obj.GetNamespace(),
+	}
+	bs, err := json.Marshal(key)
+	if err != nil {
+		return "", fmt.Errorf("unable to marshal mount reference: %w", err)
+	}
+	return string(bs), nil
+}

pkg/reconciler/tenancy/workspacemounts/workspacemounts_controller.go

@@ -18,7 +18,6 @@ package workspacemounts
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
@@ -238,7 +237,8 @@ func (c *Controller) process(ctx context.Context, key string) (bool, error) {
 
 	// reconcile the spec
 	specUpdater := &workspaceSpecUpdater{
-		getMountObject: getMountObjectFunc,
+		getMountObject:   getMountObjectFunc,
+		workspaceIndexer: c.workspaceIndexer,
 	}
 	status, err = specUpdater.reconcile(ctx, workspace)
 	if err != nil {
@@ -277,65 +277,15 @@ func (c *Controller) enqueuePotentiallyMountResource(gvr schema.GroupVersionReso
 	}
 }
 
-const workspaceMountsReferenceIndex = "WorkspacesByMountReference"
-
-type workspaceMountsReferenceKey struct {
-	ClusterName string `json:"clusterName"`
-	Group       string `json:"group"`
-	Resource    string `json:"resource"`
-	Name        string `json:"name"`
-	Namespace   string `json:"namespace,omitempty"`
-}
-
 // InstallIndexers adds the additional indexers that this controller requires to the informers.
 func InstallIndexers(
 	workspaceInformer tenancyv1alpha1informers.WorkspaceClusterInformer,
 ) {
 	indexers.AddIfNotPresentOrDie(workspaceInformer.Informer().GetIndexer(), cache.Indexers{
 		workspaceMountsReferenceIndex: indexWorkspaceByMountObject,
 	})
-}
 
-func indexWorkspaceByMountObject(obj interface{}) ([]string, error) {
-	ws, ok := obj.(*tenancyv1alpha1.Workspace)
-	if !ok {
-		return []string{}, fmt.Errorf("obj is supposed to be a Workspace, but is %T", obj)
-	}
-
-	if ws.Spec.Mount == nil {
-		return nil, nil
-	}
-
-	key := workspaceMountsReferenceKey{
-		ClusterName: logicalcluster.From(ws).String(),
-		// TODO(sttts): do proper REST mapping
-		Resource:  strings.ToLower(ws.Spec.Mount.Reference.Kind) + "s",
-		Name:      ws.Spec.Mount.Reference.Name,
-		Namespace: ws.Spec.Mount.Reference.Namespace,
-	}
-	cs := strings.SplitN(ws.Spec.Mount.Reference.APIVersion, "/", 2)
-	if len(cs) == 2 {
-		key.Group = cs[0]
-	}
-	bs, err := json.Marshal(key)
-	if err != nil {
-		return nil, fmt.Errorf("unable to marshal mount reference: %w", err)
-	}
-
-	return []string{string(bs)}, nil
-}
-
-func indexWorkspaceByMountObjectValue(gvr schema.GroupVersionResource, obj *unstructured.Unstructured) (string, error) {
-	key := workspaceMountsReferenceKey{
-		ClusterName: logicalcluster.From(obj).String(),
-		Group:       gvr.Group,
-		Resource:    gvr.Resource,
-		Name:        obj.GetName(),
-		Namespace:   obj.GetNamespace(),
-	}
-	bs, err := json.Marshal(key)
-	if err != nil {
-		return "", fmt.Errorf("unable to marshal mount reference: %w", err)
-	}
-	return string(bs), nil
+	indexers.AddIfNotPresentOrDie(workspaceInformer.Informer().GetIndexer(), cache.Indexers{
+		workspaceByURL: indexWorkspaceByURL,
+	})
 }