Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: APIExport controller uses first encountered GroupResource match for internal APIs, but separate schemas exist for built-in APIs with multiple versions #2161

Closed
hasheddan opened this issue Oct 10, 2022 · 2 comments · Fixed by #2169
Closed

bug: APIExport controller uses first encountered GroupResource match for internal APIs, but separate schemas exist for built-in APIs with multiple versions #2161

hasheddan opened this issue Oct 10, 2022 · 2 comments · Fixed by #2169
Assignees
@hasheddan
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@hasheddan
Copy link
Member

Describe the bug

APIResourceSchema for all built-in APIs are generated here and then stored in a slice. When evaluating whether a permission claim is for an internal API, we loop through the generated APIResourceSchema and select the first match by group / resource. However, some built-in APIs (such as FlowSchema v1beta1 and v1beta2) have multiple versions, but have a separate APIResourceSchema generated for each version. This means that when we loop through, we always use the schema that was added to the slice first.

Steps To Reproduce

  1. Start kcp.
  2. Export FlowSchemas.
  3. Observe that only v1beta1 is served.

Expected Behaviour

I believe what would be expected here is that we do match on GroupResource, but that the APIResourceSchema returned contains schemas for both versions of the given resource.

Additional Context

No response
@hasheddan hasheddan added the kind/bug Categorizes issue or PR as related to a bug. label Oct 10, 2022
@hasheddan
Copy link
Member Author

/assign

@ncdc ncdc added this to kcp Oct 10, 2022
@ncdc ncdc moved this to New in kcp Oct 10, 2022
@hasheddan
Copy link
Member Author

Verified that exporting FlowSchemas only exports v1beta1:

🤖 (kxp) k -s https://192.168.1.189:6443/services/apiexport/root/kxp.crossplane.io/clusters/* api-versions
apiextensions.crossplane.io/v1
apiextensions.crossplane.io/v1alpha1
flowcontrol.apiserver.k8s.io/v1beta1
pkg.crossplane.io/v1
pkg.crossplane.io/v1alpha1
pkg.crossplane.io/v1beta1
secrets.crossplane.io/v1alpha1
v1

With my forthcoming change that combines versions in an APIResourceSchema:

🤖 (kxp) k -s https://192.168.1.189:6443/services/apiexport/root/kxp.crossplane.io/clusters/* api-versions
apiextensions.crossplane.io/v1
apiextensions.crossplane.io/v1alpha1
flowcontrol.apiserver.k8s.io/v1beta1
flowcontrol.apiserver.k8s.io/v1beta2
pkg.crossplane.io/v1
pkg.crossplane.io/v1alpha1
pkg.crossplane.io/v1beta1
secrets.crossplane.io/v1alpha1
v1

@hasheddan hasheddan mentioned this issue Oct 11, 2022
Merged
Repository owner moved this from New to Done in kcp Oct 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hasheddan hasheddan

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
kcp
Status: Done
Milestone
No milestone
1 participant
@hasheddan