Merge pull request #321 from timbyr/unpropogatedlabels

k8s-ci-robot · web-flow · commit d9eb636447e6 · 2023-09-15T12:20:14.000-07:00
Support unpropagated labels
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -70,6 +70,7 @@ var (
 	webhookServerPort       int
 	restartOnSecretRefresh  bool
 	unpropagatedAnnotations arrayArg
+	unpropagatedLabels      arrayArg
 	excludedNamespaces      arrayArg
 	managedNamespaceLabels  arrayArg
 	managedNamespaceAnnots  arrayArg
@@ -148,6 +149,7 @@ func parseFlags() {
 	flag.IntVar(&qps, "apiserver-qps-throttle", 50, "The maximum QPS to the API server. See the user guide for more information.")
 	flag.BoolVar(&stats.SuppressObjectTags, "suppress-object-tags", true, "If true, suppresses the kinds of object metrics to reduce metric cardinality. See the user guide for more information.")
 	flag.IntVar(&webhookServerPort, "webhook-server-port", 443, "The port that the webhook server serves at.")
+	flag.Var(&unpropagatedLabels, "unpropagated-label", "An label that, if present, will be stripped out of any propagated copies of an object. May be specified multiple times, with each instance specifying one label. See the user guide for more information.")
 	flag.Var(&unpropagatedAnnotations, "unpropagated-annotation", "An annotation that, if present, will be stripped out of any propagated copies of an object. May be specified multiple times, with each instance specifying one annotation. See the user guide for more information.")
 	flag.Var(&excludedNamespaces, "excluded-namespace", "A namespace that, if present, will be excluded from HNC management. May be specified multiple times, with each instance specifying one namespace. See the user guide for more information.")
 	flag.StringVar(&includedNamespacesRegex, "included-namespace-regex", ".*", "Namespace regular expression. Namespaces that match this regexp will be included and handle by HNC. The regex is implicitly wrapped by \"^...$\" and may only be specified once.")
@@ -163,6 +165,7 @@ func parseFlags() {
 
 	// Assign the array args to the configuration variables after the args are parsed.
 	config.UnpropagatedAnnotations = unpropagatedAnnotations
+	config.UnpropagatedLabels = unpropagatedLabels
 
 	// Assign the exclusion label args to the configuration
 	for _, label := range nopropagationLabel {
diff --git a/config/crd/bases/hnc.x-k8s.io_hierarchicalresourcequotas.yaml b/config/crd/bases/hnc.x-k8s.io_hierarchicalresourcequotas.yaml
@@ -91,3 +91,4 @@ spec:
         type: object
     served: true
     storage: true
+    subresources: {}
diff --git a/docs/user-guide/how-to.md b/docs/user-guide/how-to.md
@@ -951,6 +951,14 @@ Interesting parameters include:
   used to remove an annotation on the source object that's has a special meaning
   to another system, such as GKE Config Sync. If you restart HNC after changing
   this arg, all _existing_ propagated objects will also be updated.
+* `--unpropagated-label=<string>`: empty by default, this argument
+  can be specified multiple times, with each parameter representing an
+  label name, such as `example.com/foo`. When HNC propagates objects from
+  ancestor to descendant namespaces, it will strip these labels out of the
+  metadata of the _copy_ of the object, if it exists. For example, this can be
+  used to remove an label on the source object that's has a special meaning
+  to another system, such as ArgoCD. If you restart HNC after changing
+  this arg, all _existing_ propagated objects will also be updated.
 * `--apiserver-qps-throttle=<integer>`: set to 50 by default, this limits how many
   requests HNC will send to the Kubernetes apiserver per second in the steady
   state (it may briefly allow up to 50% more than this number). Setting this
diff --git a/internal/config/default_config.go b/internal/config/default_config.go
@@ -9,6 +9,15 @@ package config
 // times.
 var UnpropagatedAnnotations []string
 
+// UnpropgatedLabels is a list of labels on objects that should _not_ be propagated by HNC.
+// Much like HNC itself, other systems (such as ArgoCD) use labels to "claim" an
+// object - such as deleting objects it doesn't recognize. By removing these labels on
+// propgated objects, HNC ensures that other systems won't attempt to claim the same object.
+//
+// This value is controlled by the --unpropagated-label command line, which may be set multiple
+// times.
+var UnpropagatedLabels []string
+
 // NoPropagationLabel specifies a label Key and Value which will cause an object to be excluded
 // from propagation if the object defines that label with this specific value.
 type NoPropagationLabel struct {
diff --git a/internal/objects/reconciler.go b/internal/objects/reconciler.go
@@ -503,6 +503,11 @@ func cleanSource(src *unstructured.Unstructured) *unstructured.Unstructured {
 		labels = map[string]string{}
 	}
 	labels[api.LabelManagedByApps] = api.MetaGroup
+
+	// Clean out bad labels.
+	for _, unprop := range config.UnpropagatedLabels {
+		delete(labels, unprop)
+	}
 	src.SetLabels(labels)
 
 	return src
diff --git a/internal/objects/reconciler_test.go b/internal/objects/reconciler_test.go
@@ -389,6 +389,7 @@ var _ = Describe("Basic propagation", func() {
 
 		// This is empty by default.
 		config.UnpropagatedAnnotations = nil
+		config.UnpropagatedLabels = nil
 	})
 
 	AfterEach(func() {
@@ -777,6 +778,54 @@ var _ = Describe("Basic propagation", func() {
 		}).Should(Succeed(), "waiting for annot-a to be unpropagated")
 	})
 
+	It("should avoid propagating banned labels", func() {
+		SetParent(ctx, barName, fooName)
+		MakeObjectWithLabels(ctx, "roles", fooName, "foo-label-role", map[string]string{
+			"label-a": "value-a",
+			"label-b": "value-b",
+		})
+
+		// Ensure the object is propagated with both labels
+		Eventually(func() error {
+			inst, err := GetObject(ctx, "roles", barName, "foo-label-role")
+			if err != nil {
+				return err
+			}
+			labels := inst.GetLabels()
+			if labels["label-a"] != "value-a" {
+				return fmt.Errorf("label-a: want 'value-a', got %q", labels["label-a"])
+			}
+			if labels["label-b"] != "value-b" {
+				return fmt.Errorf("label-b: want 'value-b', got %q", labels["label-b"])
+			}
+			return nil
+		}).Should(Succeed(), "waiting for initial sync of foo-label-role")
+		DeleteObject(ctx, "roles", fooName, "foo-label-role")
+
+		// Tell the HNC config not to propagate label-a and verify that this time, it's not labelated
+		config.UnpropagatedLabels = []string{"label-a"}
+		MakeObjectWithLabels(ctx, "roles", fooName, "foo-label-role", map[string]string{
+			"label-a": "value-a",
+			"label-b": "value-b",
+		})
+
+		// Verify that the label no longer appears
+		Eventually(func() error {
+			inst, err := GetObject(ctx, "roles", barName, "foo-label-role")
+			if err != nil {
+				return err
+			}
+			labels := inst.GetLabels()
+			if val, ok := labels["label-a"]; ok {
+				return fmt.Errorf("label-a: wanted it to be missing, got %q", val)
+			}
+			if labels["label-b"] != "value-b" {
+				return fmt.Errorf("label-b: want 'value-b', got %q", labels["label-b"])
+			}
+			return nil
+		}).Should(Succeed(), "waiting for label-a to be unpropagated")
+	})
+
 	It("should avoid propagating when no selector is set if the sync mode is 'AllowPropagate'", func() {
 		AddToHNCConfig(ctx, "", "secrets", api.AllowPropagate)
 		// Set tree as bar -> foo(root).
