cybozu-go · ymmt2005 · Dec 6, 2021 · Sep 23, 2021 · Oct 5, 2021 · Oct 5, 2021
diff --git a/api/v1/subnamespace_types.go b/api/v1/subnamespace_types.go
@@ -16,13 +16,28 @@ const (
 	SubNamespaceConflict = SubNamespaceStatus("conflict")
 )
 
+// SubNamespaceSpec defines the desired state of SubNamespace
+type SubNamespaceSpec struct {
+	// Labels are the labels to be propagated to the sub-namespace
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+
+	// Annotations are the annotations to be propagated to the sub-namespace.
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
 //+kubebuilder:object:root=true
 
 // SubNamespace is the Schema for the subnamespaces API
 type SubNamespace struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
+	// Spec is the spec of SubNamespace.
+	// +optional
+	Spec SubNamespaceSpec `json:"spec,omitempty"`
+
 	// Status is the status of SubNamespace.
 	// +optional
 	Status SubNamespaceStatus `json:"status,omitempty"`

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/charts/accurate/MIGRATION.md b/charts/accurate/MIGRATION.md
@@ -70,6 +70,18 @@ controller:
     # https://metallb.universe.tf/usage/#requesting-specific-ips
     # - metallb.universe.tf/address-pool
 
+    # controller.config.subNamespaceLabelKeys -- Labels to be propagated to sub-namespaces from SubNamespace resource.
+    # It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func.
+    # https://pkg.go.dev/path#Match
+    subNamespaceLabelKeys: []
+    # - app
+
+    # controller.config.subNamespaceAnnotationKeys -- Annotations to be propagated to sub-namespaces from SubNamespace resource.
+    # It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func.
+    # https://pkg.go.dev/path#Match
+    subNamespaceAnnotationKeys: []
+    # - foo.bar/baz
+
     # controller.config.watches -- List of GVK for namespace-scoped resources that can be propagated.
     # Any namespace-scoped resource is allowed.
     watches:

diff --git a/charts/accurate/crds/accurate.cybozu.com_subnamespaces.yaml b/charts/accurate/crds/accurate.cybozu.com_subnamespaces.yaml
@@ -32,6 +32,21 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: Spec is the spec of SubNamespace.
+            properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                description: Annotations are the annotations to be propagated to the
+                  sub-namespace.
+                type: object
+              labels:
+                additionalProperties:
+                  type: string
+                description: Labels are the labels to be propagated to the sub-namespace
+                type: object
+            type: object
           status:
             description: Status is the status of SubNamespace.
             enum:

diff --git a/charts/accurate/templates/configmap.yaml b/charts/accurate/templates/configmap.yaml
@@ -13,4 +13,10 @@ data:
     {{- with .Values.controller.config.annotationKeys }}
     annotationKeys: {{ toYaml . | nindent 6 }}
     {{- end }}
+    {{- with .Values.controller.config.subNamespaceLabelKeys }}
+    subNamespaceLabelKeys: {{ toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.controller.config.subNamespaceAnnotationKeys }}
+    subNamespaceAnnotationKeys: {{ toYaml . | nindent 6 }}
+    {{- end }}
     watches: {{ toYaml .Values.controller.config.watches | nindent 6 }}
diff --git a/charts/accurate/values.yaml b/charts/accurate/values.yaml
@@ -40,6 +40,18 @@ controller:
     # https://metallb.universe.tf/usage/#requesting-specific-ips
     # - metallb.universe.tf/address-pool
 
+    # controller.config.subNamespaceLabelKeys -- Labels to be propagated to sub-namespaces from SubNamespace resource.
+    # It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func.
+    # https://pkg.go.dev/path#Match
+    subNamespaceLabelKeys: []
+    # - app
+
+    # controller.config.subNamespaceAnnotationKeys -- Annotations to be propagated to sub-namespaces from SubNamespace resource.
+    # It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func.
+    # https://pkg.go.dev/path#Match
+    subNamespaceAnnotationKeys: []
+    # - foo.bar/baz
+
     # controller.config.watches -- List of GVK for namespace-scoped resources that can be propagated.
     # Any namespace-scoped resource is allowed.
     watches:

diff --git a/cmd/accurate-controller/sub/run.go b/cmd/accurate-controller/sub/run.go
@@ -87,10 +87,12 @@ func subMain(ns, addr string, port int) error {
 		return fmt.Errorf("failed to setup indexer for namespaces: %w", err)
 	}
 	if err := (&controllers.NamespaceReconciler{
-		Client:         mgr.GetClient(),
-		LabelKeys:      cfg.LabelKeys,
-		AnnotationKeys: cfg.AnnotationKeys,
-		Watched:        watched,
+		Client:                     mgr.GetClient(),
+		LabelKeys:                  cfg.LabelKeys,
+		AnnotationKeys:             cfg.AnnotationKeys,
+		SubNamespaceLabelKeys:      cfg.SubNamespaceLabelKeys,
+		SubNamespaceAnnotationKeys: cfg.SubNamespaceAnnotationKeys,
+		Watched:                    watched,
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create Namespace controller: %w", err)
 	}

diff --git a/cmd/kubectl-accurate/sub/sub_create.go b/cmd/kubectl-accurate/sub/sub_create.go
@@ -13,10 +13,12 @@ import (
 )
 
 type subCreateOpts struct {
-	streams genericclioptions.IOStreams
-	client  client.Client
-	name    string
-	parent  string
+	streams     genericclioptions.IOStreams
+	client      client.Client
+	name        string
+	parent      string
+	labels      map[string]string
+	annotations map[string]string
 }
 
 func newSubCreateCmd(streams genericclioptions.IOStreams, config *genericclioptions.ConfigFlags) *cobra.Command {
@@ -36,6 +38,8 @@ This effectively creates a namespace named NAME as a sub-namespace of NS.`,
 		},
 	}
 
+	cmd.Flags().StringToStringVar(&opts.labels, "labels", opts.labels, "the labels to be propagated to the sub-namespace. Example: a=b,c=d")
+	cmd.Flags().StringToStringVar(&opts.annotations, "annotations", opts.annotations, "the annotations to be propagated to the sub-namespace. Example: a=b,c=d")
 	return cmd
 }
 
@@ -64,6 +68,8 @@ func (o *subCreateOpts) Run(ctx context.Context) error {
 	sn := &accuratev1.SubNamespace{}
 	sn.Namespace = o.parent
 	sn.Name = o.name
+	sn.Spec.Labels = o.labels
+	sn.Spec.Annotations = o.annotations
 
 	if err := o.client.Create(ctx, sn); err != nil {
 		return fmt.Errorf("failed to create a SubNamespace: %w", err)

diff --git a/cmd/kubectl-accurate/sub/sub_move.go b/cmd/kubectl-accurate/sub/sub_move.go
@@ -84,6 +84,11 @@ func (o *subMoveOpts) Run(ctx context.Context) error {
 
 	fmt.Fprintf(o.streams.Out, "the parent has changed to %s\n", o.parent)
 
+	oldSN := &accuratev1.SubNamespace{}
+	if err := o.client.Get(ctx, client.ObjectKey{Name: o.name, Namespace: orig}, oldSN); err != nil {
+		return fmt.Errorf("failed to get original SubNamespace %s/%s: %w", orig, o.name, err)
+	}
+
 	if !o.orphan {
 		oldSN := &accuratev1.SubNamespace{}
 		oldSN.Namespace = orig
@@ -101,6 +106,8 @@ func (o *subMoveOpts) Run(ctx context.Context) error {
 	sn := &accuratev1.SubNamespace{}
 	sn.Namespace = o.parent
 	sn.Name = o.name
+	sn.Spec.Labels = oldSN.Spec.Labels
+	sn.Spec.Annotations = oldSN.Spec.Annotations
 	if err := o.client.Create(ctx, sn); err != nil {
 		return fmt.Errorf("failed to create SubNamespace in %s: %w", o.parent, err)
 	}

diff --git a/config/crd/bases/accurate.cybozu.com_subnamespaces.yaml b/config/crd/bases/accurate.cybozu.com_subnamespaces.yaml
@@ -33,6 +33,21 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: Spec is the spec of SubNamespace.
+            properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                description: Annotations are the annotations to be propagated to the
+                  sub-namespace.
+                type: object
+              labels:
+                additionalProperties:
+                  type: string
+                description: Labels are the labels to be propagated to the sub-namespace
+                type: object
+            type: object
           status:
             description: Status is the status of SubNamespace.
             enum:

diff --git a/controllers/namespace_controller.go b/controllers/namespace_controller.go
@@ -6,23 +6,31 @@ import (
 	"path"
 	"reflect"
 
+	accuratev1 "github.com/cybozu-go/accurate/api/v1"
 	"github.com/cybozu-go/accurate/pkg/constants"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
 // NamespaceReconciler reconciles a Namespace object
 type NamespaceReconciler struct {
 	client.Client
-	LabelKeys      []string
-	AnnotationKeys []string
-	Watched        []*unstructured.Unstructured
+	LabelKeys                  []string
+	AnnotationKeys             []string
+	SubNamespaceLabelKeys      []string
+	SubNamespaceAnnotationKeys []string
+	Watched                    []*unstructured.Unstructured
 }
 
 var _ reconcile.Reconciler = &NamespaceReconciler{}
@@ -92,6 +100,29 @@ func (r *NamespaceReconciler) propagateMeta(ctx context.Context, ns, parent *cor
 			ns.Annotations[k] = v
 		}
 	}
+
+	if _, ok := ns.Labels[constants.LabelParent]; ok {
+		subNS := &accuratev1.SubNamespace{}
+		err := r.Get(ctx, types.NamespacedName{Name: ns.Name, Namespace: parent.Name}, subNS)
+		if err != nil && !apierrors.IsNotFound(err) {
+			return fmt.Errorf("failed to get sub namespace %s/%s: %w", ns.Name, parent.Name, err)
+		}
+
+		for k, v := range subNS.Spec.Labels {
+			if ok := r.matchSubNamespaceLabelKey(k); ok {
+				ns.Labels[k] = v
+			}
+		}
+		for k, v := range subNS.Spec.Annotations {
+			if ok := r.matchSubNamespaceAnnotationKey(k); ok {
+				if ns.Annotations == nil {
+					ns.Annotations = make(map[string]string)
+				}
+				ns.Annotations[k] = v
+			}
+		}
+	}
+
 	if !reflect.DeepEqual(ns.ObjectMeta, orig.ObjectMeta) {
 		if err := r.Update(ctx, ns); err != nil {
 			return fmt.Errorf("failed to propagate labels/annotations for namespace %s: %w", ns.Name, err)
@@ -101,25 +132,19 @@ func (r *NamespaceReconciler) propagateMeta(ctx context.Context, ns, parent *cor
 }
 
 func (r *NamespaceReconciler) matchLabelKey(key string) bool {
-	for _, l := range r.LabelKeys {
-		// The glob pattern has been verified to be in the valid format when reading the config file.
-		if ok, _ := path.Match(l, key); ok {
-			return true
-		}
-	}
-
-	return false
+	return matchKey(key, r.LabelKeys)
 }
 
 func (r *NamespaceReconciler) matchAnnotationKey(key string) bool {
-	for _, a := range r.AnnotationKeys {
-		// The glob pattern has been verified to be in the valid format when reading the config file.
-		if ok, _ := path.Match(a, key); ok {
-			return true
-		}
-	}
+	return matchKey(key, r.AnnotationKeys)
+}
 
-	return false
+func (r *NamespaceReconciler) matchSubNamespaceLabelKey(key string) bool {
+	return matchKey(key, r.SubNamespaceLabelKeys)
+}
+
+func (r *NamespaceReconciler) matchSubNamespaceAnnotationKey(key string) bool {
+	return matchKey(key, r.SubNamespaceAnnotationKeys)
 }
 
 func (r *NamespaceReconciler) propagateResource(ctx context.Context, res *unstructured.Unstructured, parent, ns string) error {
@@ -351,7 +376,35 @@ func (r *NamespaceReconciler) reconcileTemplateNamespace(ctx context.Context, ns
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *NamespaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	subNSHandler := func(o client.Object, q workqueue.RateLimitingInterface) {
+		q.Add(reconcile.Request{NamespacedName: types.NamespacedName{
+			Name: o.GetName(),
+		}})
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&corev1.Namespace{}).
+		Watches(&source.Kind{Type: &accuratev1.SubNamespace{}}, handler.Funcs{
+			CreateFunc: func(ev event.CreateEvent, q workqueue.RateLimitingInterface) {
+				subNSHandler(ev.Object, q)
+			},
+			UpdateFunc: func(ev event.UpdateEvent, q workqueue.RateLimitingInterface) {
+				if ev.ObjectNew.GetDeletionTimestamp() != nil {
+					return
+				}
+				subNSHandler(ev.ObjectOld, q)
+			},
+		}).
 		Complete(r)
 }
+
+func matchKey(key string, list []string) bool {
+	for _, l := range list {
+		// The glob pattern has been verified to be in the valid format when reading the config file.
+		if ok, _ := path.Match(l, key); ok {
+			return true
+		}
+	}
+
+	return false
+}