use K8sNameUUID instead of K8sNameHash and let each mcp have its own namespace

Author: Diaphteiros

go.mod

@@ -10,8 +10,9 @@ require (
 	dario.cat/mergo v1.0.2
 	github.com/onsi/ginkgo/v2 v2.25.1
 	github.com/onsi/gomega v1.38.1
-	github.com/openmcp-project/controller-utils v0.17.0
+	github.com/openmcp-project/controller-utils v0.17.1-0.20250815092130-15c510e7eb87
 	github.com/openmcp-project/openmcp-operator/api v0.11.0
+	github.com/openmcp-project/openmcp-operator/lib v0.11.0
 	github.com/spf13/cobra v1.9.1
 	k8s.io/api v0.33.4
 	k8s.io/apimachinery v0.33.4

go.sum

@@ -97,8 +97,10 @@ github.com/onsi/ginkgo/v2 v2.25.1 h1:Fwp6crTREKM+oA6Cz4MsO8RhKQzs2/gOIVOUscMAfZY
 github.com/onsi/ginkgo/v2 v2.25.1/go.mod h1:ppTWQ1dh9KM/F1XgpeRqelR+zHVwV81DGRSDnFxK7Sk=
 github.com/onsi/gomega v1.38.1 h1:FaLA8GlcpXDwsb7m0h2A9ew2aTk3vnZMlzFgg5tz/pk=
 github.com/onsi/gomega v1.38.1/go.mod h1:LfcV8wZLvwcYRwPiJysphKAEsmcFnLMK/9c+PjvlX8g=
-github.com/openmcp-project/controller-utils v0.17.0 h1:dZsMX2ur/b1759+aKJmcJRdkOVJ131czE6AtIGKX1dE=
-github.com/openmcp-project/controller-utils v0.17.0/go.mod h1:RgatwIEftAvHbhd3FIyXb2Sm0N6/AK8A2aF8zBxK930=
+github.com/openmcp-project/controller-utils v0.17.1-0.20250815092130-15c510e7eb87 h1:PB/IG0h2fQNRdD5RfQprRkG2195XZA8fNVlLwDaj078=
+github.com/openmcp-project/controller-utils v0.17.1-0.20250815092130-15c510e7eb87/go.mod h1:PCxwUUek1PJA1/NHxFW9xFe5h+9erCyAgt+SkDrL4xk=
+github.com/openmcp-project/openmcp-operator/lib v0.11.0 h1:ga+n/lKwovULi/KYw3HttWVMKplON4S4dzIAIBg5CV4=
+github.com/openmcp-project/openmcp-operator/lib v0.11.0/go.mod h1:/FjNH8TJfbRomUYNvhtt4Peb1nrhe1IovCfun9DUMhY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

lib/clusteraccess/clusteraccess.go

@@ -3,6 +3,7 @@ package clusteraccess
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/openmcp-project/controller-utils/pkg/logging"
@@ -26,7 +27,9 @@ import (
 )
 
 const (
-	controllerName = "ClusterAccess"
+	controllerName        = "ClusterAccess"
+	requestSuffixMCP      = "--mcp"
+	requestSuffixWorkload = "--wl"
 )
 
 // Reconciler is an interface for reconciling access to openMCP clusters.
@@ -123,10 +126,14 @@ func (r *reconcilerImpl) WithWorkloadScheme(scheme *runtime.Scheme) Reconciler {
 }
 
 func (r *reconcilerImpl) MCPCluster(ctx context.Context, request reconcile.Request) (*clusters.Cluster, error) {
+	platformNamespace, err := libutils.StableMCPNamespace(request.Name, request.Namespace)
+	if err != nil {
+		return nil, err
+	}
 	mcpAccessRequest := &clustersv1alpha1.AccessRequest{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      libutils.StableRequestNameMCP(request.Name, r.controllerName),
-			Namespace: libutils.StableRequestNamespace(request.Namespace),
+			Name:      StableRequestName(r.controllerName, request) + requestSuffixMCP,
+			Namespace: platformNamespace,
 		},
 	}
 
@@ -143,10 +150,14 @@ func (r *reconcilerImpl) MCPCluster(ctx context.Context, request reconcile.Reque
 }
 
 func (r *reconcilerImpl) WorkloadCluster(ctx context.Context, request reconcile.Request) (*clusters.Cluster, error) {
+	platformNamespace, err := libutils.StableMCPNamespace(request.Name, request.Namespace)
+	if err != nil {
+		return nil, err
+	}
 	workloadAccessRequest := &clustersv1alpha1.AccessRequest{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      libutils.StableRequestNameWorkload(request.Name, r.controllerName),
-			Namespace: libutils.StableRequestNamespace(request.Namespace),
+			Name:      StableRequestName(r.controllerName, request) + requestSuffixWorkload,
+			Namespace: platformNamespace,
 		},
 	}
 
@@ -165,9 +176,13 @@ func (r *reconcilerImpl) WorkloadCluster(ctx context.Context, request reconcile.
 func (r *reconcilerImpl) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	log := logging.FromContextOrPanic(ctx).WithName(controllerName)
 
-	requestNamespace := libutils.StableRequestNamespace(request.Namespace)
-	requestNameMCP := libutils.StableRequestNameMCP(request.Name, r.controllerName)
-	requestNameWorkload := libutils.StableRequestNameWorkload(request.Name, r.controllerName)
+	platformNamespace, err := libutils.StableMCPNamespace(request.Name, request.Namespace)
+	if err != nil {
+		return reconcile.Result{}, err
+	}
+	requestNamespace := platformNamespace
+	requestNameMCP := StableRequestName(r.controllerName, request) + requestSuffixMCP
+	requestNameWorkload := StableRequestName(r.controllerName, request) + requestSuffixWorkload
 
 	metadata := requestMetadata(r.controllerName, request)
 
@@ -258,9 +273,13 @@ func (r *reconcilerImpl) Reconcile(ctx context.Context, request reconcile.Reques
 }
 
 func (r *reconcilerImpl) ReconcileDelete(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
-	requestNamespace := libutils.StableRequestNamespace(request.Namespace)
-	requestNameMCP := libutils.StableRequestNameMCP(request.Name, r.controllerName)
-	requestNameWorkload := libutils.StableRequestNameWorkload(request.Name, r.controllerName)
+	platformNamespace, err := libutils.StableMCPNamespace(request.Name, request.Namespace)
+	if err != nil {
+		return reconcile.Result{}, err
+	}
+	requestNamespace := platformNamespace
+	requestNameMCP := StableRequestName(r.controllerName, request) + requestSuffixMCP
+	requestNameWorkload := StableRequestName(r.controllerName, request) + requestSuffixWorkload
 
 	// Delete the Workload AccessRequest if it exists
 	workloadAccessDeleted, err := deleteAccessRequest(ctx, r.platformClusterClient, requestNameWorkload, requestNamespace)
@@ -719,3 +738,10 @@ func (m *accessRequestMutator) Mutate(accessRequest *clustersv1alpha1.AccessRequ
 		return nil
 	}
 }
+
+// StableRequestName generates a stable name for a Cluster- or AccessRequest related to an MCP.
+// This basically results in '<lowercase_controller_name>--<request_name>'.
+func StableRequestName(controllerName string, request reconcile.Request) string {
+	controllerName = strings.ToLower(controllerName)
+	return fmt.Sprintf("%s--%s", controllerName, request.Name)
+}

lib/clusteraccess/clusteraccess_test.go

@@ -19,7 +19,6 @@ import (
 
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
 	"github.com/openmcp-project/openmcp-operator/lib/clusteraccess"
-	"github.com/openmcp-project/openmcp-operator/lib/utils"
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -118,7 +117,7 @@ var _ = Describe("ClusterAccessReconciler", func() {
 		It("should create MCP-/Workload ClusterRequests/AccessRequests", func() {
 			var reconcileResult reconcile.Result
 
-			expectedRequestNamespace := "ob-test"
+			expectedRequestNamespace := "mcp--80158a25-6874-80a6-a75d-94f57da600c0"
 
 			request := reconcile.Request{
 				NamespacedName: client.ObjectKey{
@@ -129,21 +128,21 @@ var _ = Describe("ClusterAccessReconciler", func() {
 
 			accessRequestMCP := &clustersv1alpha1.AccessRequest{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      utils.StableRequestNameMCP(request.Name, controllerName),
+					Name:      clusteraccess.StableRequestName(controllerName, request) + "--mcp",
 					Namespace: expectedRequestNamespace,
 				},
 			}
 
 			clusterRequestWorkload := &clustersv1alpha1.ClusterRequest{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      utils.StableRequestNameWorkload(request.Name, controllerName),
+					Name:      clusteraccess.StableRequestName(controllerName, request) + "--wl",
 					Namespace: expectedRequestNamespace,
 				},
 			}
 
 			accessRequestWorkload := &clustersv1alpha1.AccessRequest{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      utils.StableRequestNameWorkload(request.Name, controllerName),
+					Name:      clusteraccess.StableRequestName(controllerName, request) + "--wl",
 					Namespace: expectedRequestNamespace,
 				},
 			}
@@ -239,7 +238,7 @@ var _ = Describe("ClusterAccessReconciler", func() {
 			It("should delete MCP-/Workload ClusterRequests/AccessRequests", func() {
 				var reconcileResult reconcile.Result
 
-				expectedRequestNamespace := "ob-test"
+				expectedRequestNamespace := "mcp--80158a25-6874-80a6-a75d-94f57da600c0"
 
 				request := reconcile.Request{
 					NamespacedName: client.ObjectKey{
@@ -250,21 +249,21 @@ var _ = Describe("ClusterAccessReconciler", func() {
 
 				accessRequestMCP := &clustersv1alpha1.AccessRequest{
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      utils.StableRequestNameMCP(request.Name, controllerName),
+						Name:      clusteraccess.StableRequestName(controllerName, request) + "--mcp",
 						Namespace: expectedRequestNamespace,
 					},
 				}
 
 				clusterRequestWorkload := &clustersv1alpha1.ClusterRequest{
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      utils.StableRequestNameWorkload(request.Name, controllerName),
+						Name:      clusteraccess.StableRequestName(controllerName, request) + "--wl",
 						Namespace: expectedRequestNamespace,
 					},
 				}
 
 				accessRequestWorkload := &clustersv1alpha1.AccessRequest{
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      utils.StableRequestNameWorkload(request.Name, controllerName),
+						Name:      clusteraccess.StableRequestName(controllerName, request) + "--wl",
 						Namespace: expectedRequestNamespace,
 					},
 				}

lib/clusteraccess/testdata/test-01/access-secrets.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: mcp-access
-  namespace: ob-test
+  namespace: mcp--80158a25-6874-80a6-a75d-94f57da600c0
 data:
   kubeconfig: YXBpVmVyc2lvbjogdjEKa2luZDogQ29uZmlnCnByZWZlcmVuY2VzOiB7fQpjbHVzdGVyczoKLSBjbHVzdGVyOgogICAgc2VydmVyOiBodHRwczovL2FwaS5jbHVzdGVyLWIuZXhhbXBsZS5jb206NjQ0MwogIG5hbWU6IGNsdXN0ZXIKY29udGV4dHM6Ci0gY29udGV4dDoKICAgIGNsdXN0ZXI6IGNsdXN0ZXIKICAgIHVzZXI6IHVzZXIKICBuYW1lOiBjb250ZXh0CmN1cnJlbnQtY29udGV4dDogY29udGV4dAp1c2VyczoKLSBuYW1lOiB1c2VyCiAgdXNlcjoKICAgIHRva2VuOiBhYmM=
 
@@ -11,6 +11,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: workload-access
-  namespace: ob-test
+  namespace: mcp--80158a25-6874-80a6-a75d-94f57da600c0
 data:
   kubeconfig: YXBpVmVyc2lvbjogdjEKa2luZDogQ29uZmlnCnByZWZlcmVuY2VzOiB7fQpjbHVzdGVyczoKLSBjbHVzdGVyOgogICAgc2VydmVyOiBodHRwczovL2FwaS5jbHVzdGVyLWIuZXhhbXBsZS5jb206NjQ0MwogIG5hbWU6IGNsdXN0ZXIKY29udGV4dHM6Ci0gY29udGV4dDoKICAgIGNsdXN0ZXI6IGNsdXN0ZXIKICAgIHVzZXI6IHVzZXIKICBuYW1lOiBjb250ZXh0CmN1cnJlbnQtY29udGV4dDogY29udGV4dAp1c2VyczoKLSBuYW1lOiB1c2VyCiAgdXNlcjoKICAgIHRva2VuOiBhYmM=

lib/utils/utils.go

@@ -8,34 +8,65 @@ import (
 
 const (
 	prefixOnboarding = "ob-"
-	prefixMCP        = "mcp-"
+	oldPrefixMCP     = "mcp-"
 	prefixWorkload   = "wl-"
+	prefixMCP        = "mcp--"
 )
 
 // StableRequestNamespace returns a stable namespace for ClusterRequests and AccessRequests,
 // that can be created/used on the platform cluster.
 // onboardingNamespace is the namespace of the reconciled resource on the onboarding cluster.
+//
+// Deprecated: Use StableMCPNamespace instead.
 func StableRequestNamespace(onboardingNamespace string) string {
 	return fmt.Sprint(prefixOnboarding, onboardingNamespace)
 }
 
 // StableRequestNameMCP returns a stable name for MCP requests that can be used in a request namespace on the platform cluster.
 // onboardingName is the name of the reconciled resource on the onboarding cluster.
 // controllerName is the name of the controller that is reconciling the resource.
+//
+// Deprecated: Since every MCP now has its own namespace on the platform cluster, producing unique names this way is not required anymore for namespace-scoped resources. Use StableMCPIdentifier for cluster-scoped resources.
 func StableRequestNameMCP(onboardingName, controllerName string) string {
-	return fmt.Sprint(prefixMCP, controller.K8sNameHash(onboardingName, controllerName))
+	return fmt.Sprint(oldPrefixMCP, controller.K8sNameHash(onboardingName, controllerName))
 }
 
 // StableRequestNameWorkload returns a stable name for Workload requests that can be used in a request namespace on the platform cluster.
 // onboardingName is the name of the reconciled resource on the onboarding cluster.
 // controllerName is the name of the controller that is reconciling the resource.
+//
+// Deprecated: Since each MCP now has its own namespace, the controller can choose the request name relatively freely (just avoid conflicts with other controllers).
 func StableRequestNameWorkload(onboardingName, controllerName string) string {
 	return fmt.Sprint(prefixWorkload, controller.K8sNameHash(onboardingName, controllerName))
 }
 
 // StableRequestNameOnboarding returns a stable name for Onboarding requests that can be used in a request namespace on the platform cluster.
 // onboardingName is the name of the reconciled resource on the onboarding cluster.
 // controllerName is the name of the controller that is reconciling the resource.
+//
+// Deprecated: Since each MCP now has its own namespace, the controller can choose the request name relatively freely (just avoid conflicts with other controllers).
 func StableRequestNameOnboarding(onboardingName, controllerName string) string {
 	return fmt.Sprint(prefixOnboarding, controller.K8sNameHash(onboardingName, controllerName))
 }
+
+// StableMCPNamespace computes the namespace on the onboarding cluster that belongs to the given MCP.
+// onboardingName and onboardingNamespace are name and namespace of the MCP resource on the onboarding cluster.
+func StableMCPNamespace(onboardingName, onboardingNamespace string) (string, error) {
+	res, err := controller.K8sNameUUID(onboardingNamespace, onboardingName)
+	if err != nil {
+		return res, fmt.Errorf("error computing MCP namespace on platform cluster: %w", err)
+	}
+	return prefixMCP + res, nil
+}
+
+// StableMCPIdentifier computes a string that is stable for the given MCP name and namespace and at the same time unique across all MCPs.
+// This can be used to name cluster-scoped resources on the platform cluster. It is recommended to add a prefix or suffix to it.
+// For namespaced resources, use the MCP-specific namespace (get the name via StableMCPNamespace).
+// onboardingName and onboardingNamespace are name and namespace of the MCP resource on the onboarding cluster.
+func StableMCPIdentifier(onboardingName, onboardingNamespace string) (string, error) {
+	res, err := controller.K8sNameUUID(onboardingNamespace, onboardingName)
+	if err != nil {
+		return res, fmt.Errorf("error computing MCP identifier for platform cluster: %w", err)
+	}
+	return res, nil
+}

lib/utils/utils_test.go

@@ -53,4 +53,20 @@ var _ = Describe("Utils", func() {
 			Expect(utils.StableRequestNameWorkload(onboardingName, controllerName)).To(Equal(expectedName))
 		})
 	})
+
+	Context("StableMCPNamespace", func() {
+		It("should compute the MCP namespace on the platform cluster", func() {
+			expectedNamespace, err := utils.StableMCPNamespace(onboardingName, onboardingNamespace)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(expectedNamespace).To(Equal("mcp--ed00e8ed-8a09-8c62-a9b8-e6fc20255174"))
+		})
+	})
+
+	Context("StableMCPIdentifier", func() {
+		It("should compute a stable MCP identifier", func() {
+			expectedIdentifier, err := utils.StableMCPIdentifier(onboardingName, onboardingNamespace)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(expectedIdentifier).To(Equal("ed00e8ed-8a09-8c62-a9b8-e6fc20255174"))
+		})
+	})
 })