From e418f74e34006582086b5c9906614fca7abf3a47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20B=C3=A4hler?=
Date: Thu, 2 May 2024 11:55:51 +0200
Subject: [PATCH] fix(controller): ensure iteration on capsule ownerreferences (#1059)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Oliver Bähler
---
 e2e/namespace_additional_metadata_test.go | 8 +++++++
 pkg/webhook/namespace/freezed.go | 4 ++++
 pkg/webhook/namespace/prefix.go | 4 ++++
 pkg/webhook/namespace/quota.go | 4 ++++
 pkg/webhook/namespace/user_metadata.go | 10 +++++++++
 pkg/webhook/namespace/utils.go | 27 +++++++++++++++++++++++
 6 files changed, 57 insertions(+)
 create mode 100644 pkg/webhook/namespace/utils.go

diff --git a/e2e/namespace_additional_metadata_test.go b/e2e/namespace_additional_metadata_test.go
index 9bb3110a..1fd3ad43 100644
--- a/e2e/namespace_additional_metadata_test.go
+++ b/e2e/namespace_additional_metadata_test.go
@@ -21,6 +21,14 @@ var _ = Describe("creating a Namespace for a Tenant with additional metadata", f
 tnt := &capsulev1beta2.Tenant{
 ObjectMeta: metav1.ObjectMeta{
 Name: "tenant-metadata",
+ OwnerReferences: []metav1.OwnerReference{
+ {
+ APIVersion: "cap",
+ Kind: "dummy",
+ Name: "tenant-metadata",
+ UID: "tenant-metadata",
+ },
+ },
 },
 Spec: capsulev1beta2.TenantSpec{
 Owners: capsulev1beta2.OwnerListSpec{
diff --git a/pkg/webhook/namespace/freezed.go b/pkg/webhook/namespace/freezed.go
index a43d5f34..d892056c 100644
--- a/pkg/webhook/namespace/freezed.go
+++ b/pkg/webhook/namespace/freezed.go
@@ -35,6 +35,10 @@ func (r *freezedHandler) OnCreate(client client.Client, decoder *admission.Decod
 }
 
 for _, objectRef := range ns.ObjectMeta.OwnerReferences {
+ if !isTenantOwnerReference(objectRef) {
+ continue
+ }
+
 // retrieving the selected Tenant
 tnt := &capsulev1beta2.Tenant{}
 if err := client.Get(ctx, types.NamespacedName{Name: objectRef.Name}, tnt); err != nil {
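Review bot: The dummy owner reference in the e2e test is added to the Tenant object, while the handlers changed in this commit iterate `ns.ObjectMeta.OwnerReferences` on the Namespace, so from the visible lines it is not clear that the new skip path is exercised at all. Its `APIVersion: "cap"` contains no `/`, so at best it reaches the `len(parts) != 2` branch of `isTenantOwnerReference` and never the group/kind comparison. A table-driven unit test for the helper next to `utils.go` would pin the cases that matter for tenant isolation: a core-group `v1` reference, a foreign group with `Kind: "Tenant"`, and the Capsule group with a different kind. The Describe block continues outside the hunk.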
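Review bot: In freezed.go's OnCreate loop the new `continue` means a Namespace whose ownerReferences hold no Tenant entry now passes through without any check, where the old code would typically have failed the `client.Get` and returned an errored response. The quota.go hunk has the same shape. Whether falling through is safe depends on the code after the loop, which is outside the hunk. If it is intended, state it at the loop, e.g. `// Namespaces without a Tenant owner reference are not managed by Capsule and are skipped on purpose.`; if it is not, track whether any reference matched and return an explicit denial when none did.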
diff --git a/pkg/webhook/namespace/prefix.go b/pkg/webhook/namespace/prefix.go
index 8e961462..45aa4123 100644
--- a/pkg/webhook/namespace/prefix.go
+++ b/pkg/webhook/namespace/prefix.go
@@ -49,6 +49,10 @@ func (r *prefixHandler) OnCreate(clt client.Client, decoder *admission.Decoder,
 tnt := &capsulev1beta2.Tenant{}
 
 for _, or := range ns.ObjectMeta.OwnerReferences {
+ if !isTenantOwnerReference(or) {
+ continue
+ }
+
 // retrieving the selected Tenant
 if err := clt.Get(ctx, types.NamespacedName{Name: or.Name}, tnt); err != nil {
 return utils.ErroredResponse(err)
diff --git a/pkg/webhook/namespace/quota.go b/pkg/webhook/namespace/quota.go
index 360de1e8..1200bbda 100644
--- a/pkg/webhook/namespace/quota.go
+++ b/pkg/webhook/namespace/quota.go
@@ -31,6 +31,10 @@ func (r *quotaHandler) OnCreate(client client.Client, decoder *admission.Decoder
 }
 
 for _, objectRef := range ns.ObjectMeta.OwnerReferences {
+ if !isTenantOwnerReference(objectRef) {
+ continue
+ }
+
 // retrieving the selected Tenant
 tnt := &capsulev1beta2.Tenant{}
 if err := client.Get(ctx, types.NamespacedName{Name: objectRef.Name}, tnt); err != nil {
diff --git a/pkg/webhook/namespace/user_metadata.go b/pkg/webhook/namespace/user_metadata.go
index c5917dcd..e60fd02d 100644
--- a/pkg/webhook/namespace/user_metadata.go
+++ b/pkg/webhook/namespace/user_metadata.go
@@ -33,7 +33,12 @@ func (r *userMetadataHandler) OnCreate(client client.Client, decoder *admission.
 }
 
 tnt := &capsulev1beta2.Tenant{}
+
 for _, objectRef := range ns.ObjectMeta.OwnerReferences {
+ if !isTenantOwnerReference(objectRef) {
+ continue
+ }
+
 // retrieving the selected Tenant
 if err := client.Get(ctx, types.NamespacedName{Name: objectRef.Name}, tnt); err != nil {
 return utils.ErroredResponse(err)
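Review bot: In prefix.go `tnt` is declared before the loop, so when every owner reference is skipped by the new `continue` it stays a zero-valued Tenant. Any use of `tnt` after the loop (not visible in this hunk) would then evaluate policy against empty spec fields instead of a real tenant, which for a prefix or forbidden-metadata check probably means nothing is enforced. Both user_metadata.go hunks (OnCreate and OnUpdate) follow the same pattern. I would add a comment at the declaration such as `// tnt stays the zero value when the namespace has no Tenant owner reference; the checks below must not treat that as an unrestricted tenant.` and, if that case is reachable, return an explicit response for it after the loop.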
@@ -83,7 +88,12 @@ func (r *userMetadataHandler) OnUpdate(client client.Client, decoder *admission.
 }
 
 tnt := &capsulev1beta2.Tenant{}
+
 for _, objectRef := range newNs.ObjectMeta.OwnerReferences {
+ if !isTenantOwnerReference(objectRef) {
+ continue
+ }
+
 // retrieving the selected Tenant
 if err := client.Get(ctx, types.NamespacedName{Name: objectRef.Name}, tnt); err != nil {
 return utils.ErroredResponse(err)
diff --git a/pkg/webhook/namespace/utils.go b/pkg/webhook/namespace/utils.go
new file mode 100644
index 00000000..bb344ae0
--- /dev/null
+++ b/pkg/webhook/namespace/utils.go
@@ -0,0 +1,27 @@
+// Copyright 2020-2023 Project Capsule Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package namespace
+
+import (
+ "strings"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+)
+
+const (
+ ObjectReferenceTenantKind = "Tenant"
+)
+
+func isTenantOwnerReference(or metav1.OwnerReference) bool {
+ parts := strings.Split(or.APIVersion, "/")
+ if len(parts) != 2 {
+ return false
+ }
+
+ group := parts[0]
+
+ return group == capsulev1beta2.GroupVersion.Group && or.Kind == ObjectReferenceTenantKind
+}
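Review bot: `isTenantOwnerReference` in utils.go is now the single gate deciding which owner references the namespace webhooks treat as tenant ownership, yet neither it nor the exported `ObjectReferenceTenantKind` has a doc comment. I would add `// isTenantOwnerReference reports whether or refers to a Capsule Tenant: APIVersion must be "<group>/<version>" with the Capsule API group and Kind must be "Tenant"; the version is not compared.` and `// ObjectReferenceTenantKind is the Kind expected on a Tenant owner reference.`. As a style point, `schema.ParseGroupVersion(or.APIVersion)` from apimachinery could replace the hand-rolled `strings.Split` and length check. The parameter name `or` also reads like an operator, so `ref` would be clearer.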