use labels on the internal resources created to watch and select them…

… from topology

Signed-off-by: Guilherme Cassolato <[email protected]>

controllers/envoy_gateway_extension_reconciler.go

@@ -12,6 +12,7 @@ import (
  "github.com/kuadrant/policy-machinery/machinery"
  "github.com/samber/lo"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
  k8stypes "k8s.io/apimachinery/pkg/types"
  "k8s.io/client-go/dynamic"
  "k8s.io/utils/ptr"
@@ -78,7 +79,7 @@ func (r *envoyGatewayExtensionReconciler) Reconcile(ctx context.Context, _ []con
  resource := r.client.Resource(kuadrantenvoygateway.EnvoyExtensionPoliciesResource).Namespace(desiredEnvoyExtensionPolicy.GetNamespace())
 
  existingEnvoyExtensionPolicyObj, found := lo.Find(topology.Objects().Children(gateway), func(child machinery.Object) bool {
- return child.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyExtensionPolicyGroupKind && child.GetName() == desiredEnvoyExtensionPolicy.GetName() && child.GetNamespace() == desiredEnvoyExtensionPolicy.GetNamespace()
+ return child.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyExtensionPolicyGroupKind && child.GetName() == desiredEnvoyExtensionPolicy.GetName() && child.GetNamespace() == desiredEnvoyExtensionPolicy.GetNamespace() && labels.Set(child.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(labels.Set(desiredEnvoyExtensionPolicy.GetLabels()))
  })
 
  // create
@@ -184,6 +185,7 @@ func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig
  ObjectMeta: metav1.ObjectMeta{
  Name: wasm.ExtensionName(gateway.GetName()),
  Namespace: gateway.GetNamespace(),
+ Labels: KuadrantManagedObjectLabels(),
  OwnerReferences: []metav1.OwnerReference{
  {
  APIVersion: gateway.GroupVersionKind().GroupVersion().String(),

controllers/envoy_gateway_rate_limit_cluster_reconciler.go

@@ -14,6 +14,7 @@ import (
  "github.com/samber/lo"
  apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
  k8stypes "k8s.io/apimachinery/pkg/types"
  "k8s.io/client-go/dynamic"
  "k8s.io/utils/ptr"
@@ -98,7 +99,7 @@ func (r *envoyGatewayRateLimitClusterReconciler) Reconcile(ctx context.Context,
  resource := r.client.Resource(kuadrantenvoygateway.EnvoyPatchPoliciesResource).Namespace(desiredEnvoyPatchPolicy.GetNamespace())
 
  existingEnvoyPatchPolicyObj, found := lo.Find(topology.Objects().Children(gateway), func(child machinery.Object) bool {
- return child.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyPatchPolicyGroupKind && child.GetName() == desiredEnvoyPatchPolicy.GetName() && child.GetNamespace() == desiredEnvoyPatchPolicy.GetNamespace()
+ return child.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyPatchPolicyGroupKind && child.GetName() == desiredEnvoyPatchPolicy.GetName() && child.GetNamespace() == desiredEnvoyPatchPolicy.GetNamespace() && labels.Set(child.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(labels.Set(desiredEnvoyPatchPolicy.GetLabels()))
  })
 
  // create
@@ -147,7 +148,7 @@ func (r *envoyGatewayRateLimitClusterReconciler) Reconcile(ctx context.Context,
  // cleanup envoy gateway clusters for gateways that are not in the effective policies
  staleEnvoyPatchPolicies := topology.Objects().Items(func(o machinery.Object) bool {
  _, desired := desiredEnvoyPatchPolicies[k8stypes.NamespacedName{Name: o.GetName(), Namespace: o.GetNamespace()}]
- return o.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyPatchPolicyGroupKind && !desired
+ return o.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyPatchPolicyGroupKind && labels.Set(o.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(RateLimitObjectLabels()) && !desired
  })
 
  for _, envoyPatchPolicy := range staleEnvoyPatchPolicies {
@@ -169,7 +170,7 @@ func (r *envoyGatewayRateLimitClusterReconciler) buildDesiredEnvoyPatchPolicy(li
  ObjectMeta: metav1.ObjectMeta{
  Name: RateLimitClusterName(gateway.GetName()),
  Namespace: gateway.GetNamespace(),
- Labels: map[string]string{rateLimitClusterLabelKey: "true"},
+ Labels: RateLimitObjectLabels(),
  OwnerReferences: []metav1.OwnerReference{
  {
  APIVersion: gateway.GroupVersionKind().GroupVersion().String(),

controllers/istio_extension_reconciler.go

@@ -13,6 +13,7 @@ import (
  istiov1beta1 "istio.io/api/type/v1beta1"
  istioclientgoextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
  k8stypes "k8s.io/apimachinery/pkg/types"
  "k8s.io/client-go/dynamic"
  "k8s.io/utils/ptr"
@@ -78,7 +79,7 @@ func (r *istioExtensionReconciler) Reconcile(ctx context.Context, _ []controller
  resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace())
 
  existingWasmPluginObj, found := lo.Find(topology.Objects().Children(gateway), func(child machinery.Object) bool {
- return child.GroupVersionKind().GroupKind() == kuadrantistio.WasmPluginGroupKind && child.GetName() == desiredWasmPlugin.GetName() && child.GetNamespace() == desiredWasmPlugin.GetNamespace()
+ return child.GroupVersionKind().GroupKind() == kuadrantistio.WasmPluginGroupKind && child.GetName() == desiredWasmPlugin.GetName() && child.GetNamespace() == desiredWasmPlugin.GetNamespace() && labels.Set(child.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(labels.Set(desiredWasmPlugin.GetLabels()))
  })
 
  // create
@@ -186,6 +187,7 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.
  ObjectMeta: metav1.ObjectMeta{
  Name: wasm.ExtensionName(gateway.GetName()),
  Namespace: gateway.GetNamespace(),
+ Labels: KuadrantManagedObjectLabels(),
  OwnerReferences: []metav1.OwnerReference{
  {
  APIVersion: gateway.GroupVersionKind().GroupVersion().String(),

controllers/istio_rate_limit_cluster_reconciler.go

@@ -15,6 +15,7 @@ import (
  istiov1beta1 "istio.io/api/type/v1beta1"
  istioclientgonetworkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
  k8stypes "k8s.io/apimachinery/pkg/types"
  "k8s.io/client-go/dynamic"
  "k8s.io/utils/ptr"
@@ -98,7 +99,7 @@ func (r *istioRateLimitClusterReconciler) Reconcile(ctx context.Context, _ []con
  resource := r.client.Resource(kuadrantistio.EnvoyFiltersResource).Namespace(desiredEnvoyFilter.GetNamespace())
 
  existingEnvoyFilterObj, found := lo.Find(topology.Objects().Children(gateway), func(child machinery.Object) bool {
- return child.GroupVersionKind().GroupKind() == kuadrantistio.EnvoyFilterGroupKind && child.GetName() == desiredEnvoyFilter.GetName() && child.GetNamespace() == desiredEnvoyFilter.GetNamespace()
+ return child.GroupVersionKind().GroupKind() == kuadrantistio.EnvoyFilterGroupKind && child.GetName() == desiredEnvoyFilter.GetName() && child.GetNamespace() == desiredEnvoyFilter.GetNamespace() && labels.Set(child.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(labels.Set(desiredEnvoyFilter.GetLabels()))
  })
 
  // create
@@ -146,7 +147,7 @@ func (r *istioRateLimitClusterReconciler) Reconcile(ctx context.Context, _ []con
  // cleanup istio clusters for gateways that are not in the effective policies
  staleEnvoyFilters := topology.Objects().Items(func(o machinery.Object) bool {
  _, desired := desiredEnvoyFilters[k8stypes.NamespacedName{Name: o.GetName(), Namespace: o.GetNamespace()}]
- return o.GroupVersionKind().GroupKind() == kuadrantistio.EnvoyFilterGroupKind && !desired
+ return o.GroupVersionKind().GroupKind() == kuadrantistio.EnvoyFilterGroupKind && labels.Set(o.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(RateLimitObjectLabels()) && !desired
  })
 
  for _, envoyFilter := range staleEnvoyFilters {
@@ -168,7 +169,7 @@ func (r *istioRateLimitClusterReconciler) buildDesiredEnvoyFilter(limitador *lim
  ObjectMeta: metav1.ObjectMeta{
  Name: RateLimitClusterName(gateway.GetName()),
  Namespace: gateway.GetNamespace(),
- Labels: map[string]string{rateLimitClusterLabelKey: "true"},
+ Labels: RateLimitObjectLabels(),
  OwnerReferences: []metav1.OwnerReference{
  {
  APIVersion: gateway.GroupVersionKind().GroupVersion().String(),

controllers/ratelimit_workflow.go

@@ -13,6 +13,7 @@ import (
  "github.com/samber/lo"
  "k8s.io/apimachinery/pkg/api/meta"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
  k8stypes "k8s.io/apimachinery/pkg/types"
  "k8s.io/client-go/dynamic"
  "k8s.io/utils/env"
@@ -134,6 +135,12 @@ func LimitNameToLimitadorIdentifier(rlpKey k8stypes.NamespacedName, uniqueLimitN
  return identifier
 }
 
+func RateLimitObjectLabels() labels.Set {
+ m := KuadrantManagedObjectLabels()
+ m[rateLimitClusterLabelKey] = "true"
+ return m
+}
+
 func RateLimitClusterName(gatewayName string) string {
  return fmt.Sprintf("kuadrant-ratelimiting-%s", gatewayName)
 }

controllers/ratelimitpolicy_status_updater.go

@@ -39,7 +39,7 @@ type rateLimitPolicyStatusUpdater struct {
 func (r *rateLimitPolicyStatusUpdater) Subscription() controller.Subscription {
  return controller.Subscription{
  ReconcileFunc: r.UpdateStatus,
- Events: rateLimitEventMatchers,
+ Events:  rateLimitEventMatchers,
  }
 }
 

controllers/state_of_the_world.go

@@ -19,6 +19,7 @@ import (
  istioclientgosecurityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
  corev1 "k8s.io/api/core/v1"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
  "k8s.io/apimachinery/pkg/runtime/schema"
  "k8s.io/client-go/dynamic"
  "k8s.io/utils/env"
@@ -41,8 +42,10 @@ import (
 )
 
 var (
+ operatorNamespace = env.GetString("OPERATOR_NAMESPACE", "kuadrant-system")
+ kuadrantManagedLabelKey = "kuadrant.io/managed"
+
  ConfigMapGroupKind = schema.GroupKind{Group: corev1.GroupName, Kind: "ConfigMap"}
- operatorNamespace = env.GetString("OPERATOR_NAMESPACE", "kuadrant-system")
 )
 
 // gateway-api permissions
@@ -212,12 +215,13 @@ func (b *BootOptionsBuilder) getEnvoyGatewayOptions() []controller.ControllerOpt
  &egv1alpha1.EnvoyPatchPolicy{},
  envoygateway.EnvoyPatchPoliciesResource,
  metav1.NamespaceAll,
- controller.FilterResourcesByLabel[*egv1alpha1.EnvoyPatchPolicy](fmt.Sprintf("%s=true", rateLimitClusterLabelKey)),
+ controller.FilterResourcesByLabel[*egv1alpha1.EnvoyPatchPolicy](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
  )),
  controller.WithRunnable("envoyextensionpolicy watcher", controller.Watch(
  &egv1alpha1.EnvoyExtensionPolicy{},
  envoygateway.EnvoyExtensionPoliciesResource,
  metav1.NamespaceAll,
+ controller.FilterResourcesByLabel[*egv1alpha1.EnvoyExtensionPolicy](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
  )),
  controller.WithRunnable("envoysecuritypolicy watcher", controller.Watch(
  &egv1alpha1.SecurityPolicy{},
@@ -252,12 +256,13 @@ func (b *BootOptionsBuilder) getIstioOptions() []controller.ControllerOption {
  &istioclientnetworkingv1alpha3.EnvoyFilter{},
  istio.EnvoyFiltersResource,
  metav1.NamespaceAll,
- controller.FilterResourcesByLabel[*istioclientnetworkingv1alpha3.EnvoyFilter](fmt.Sprintf("%s=true", rateLimitClusterLabelKey)),
+ controller.FilterResourcesByLabel[*istioclientnetworkingv1alpha3.EnvoyFilter](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
  )),
  controller.WithRunnable("wasmplugin watcher", controller.Watch(
  &istioclientgoextensionv1alpha1.WasmPlugin{},
  istio.WasmPluginsResource,
  metav1.NamespaceAll,
+ controller.FilterResourcesByLabel[*istioclientgoextensionv1alpha1.WasmPlugin](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
  )),
  controller.WithRunnable("authorizationpolicy watcher", controller.Watch(
  &istioclientgosecurityv1beta1.AuthorizationPolicy{},
@@ -439,6 +444,12 @@ func GetKuadrantFromTopology(topology *machinery.Topology) (*kuadrantv1beta1.Kua
  return kuadrant, nil
 }
 
+func KuadrantManagedObjectLabels() labels.Set {
+ return labels.Set(map[string]string{
+ kuadrantManagedLabelKey: "true",
+ })
+}
+
 func isObjectOwnedByGroupKind(o client.Object, groupKind schema.GroupKind) bool {
  for _, o := range o.GetOwnerReferences() {
  oGV, err := schema.ParseGroupVersion(o.APIVersion)