fix(registry): implement field selector filtering for label-based resources

[kvaps]

What this PR does

Fixes field selector filtering for registry resources (Applications, TenantModules, TenantSecrets) when using kubectl with field selectors like --field-selector=metadata.namespace=tenant-kvaps or metadata.name=test.

Controller-runtime cache doesn't support field selectors natively, which caused incorrect filtering behavior. This PR implements manual filtering for metadata.name and metadata.namespace field selectors in List() and Watch() methods.

Changes:

• Created pkg/registry/fields package with ParseFieldSelector utility for common field selector parsing
• Refactored field selector logic in application, tenantmodule, and tenantsecret registries to use the common implementation
• Implemented manual post-processing filtering after label-based queries
• Removed Raw field usage and field selectors from client.ListOptions

Release note

[registry] Fix field selector filtering for kubectl queries with metadata.name and metadata.namespace selectors

Summary by CodeRabbit

• Bug Fixes
  • Enhanced field selector filtering for Applications, TenantModules, and TenantSecrets to properly honor name and namespace field criteria.
  • List and Watch operations now correctly apply field-based filtering with proper namespace validation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

This pull request introduces custom field selector filtering for Kubernetes resources by replacing controller-runtime's field selector handling with client-side filtering logic. A new filter module parses field selectors to extract metadata.name and metadata.namespace constraints, which are then applied manually during List and Watch operations across Applications, TenantModule, and TenantSecret REST endpoints.

Changes

Cohort / File(s)	Summary
New Filter Infrastructure pkg/registry/fields/filter.go	Introduces Filter struct with Name and Namespace fields, ParseFieldSelector() function to extract exact-match constraints, and MatchesName(), MatchesNamespace() methods for validation.
Application REST Endpoint pkg/registry/apps/application/rest.go	Replaces Kubernetes field selector parsing with custom fieldfilter.ParseFieldSelector(). Removes server-side field selector from ListOptions; adds client-side filtering during List/Watch for name and namespace matching. Introduces custom watcher wrapper for event filtering.
TenantModule REST Endpoint pkg/registry/core/tenantmodule/rest.go	Adopts custom field filtering with early-exit for namespace mismatches. Eliminates FieldSelector from ListOptions; applies manual per-item filtering during list iteration and wraps Watch events with custom filtering logic.
TenantSecret REST Endpoint pkg/registry/core/tenantsecret/rest.go	Implements field-based filtering by removing Raw ListOptions and performing manual filtering on retrieved results using fieldFilter.MatchesName() and fieldFilter.MatchesNamespace() with namespace-consistency checks.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant REST as REST Handler
    participant Filter as Field Filter
    participant HelmRelease as HelmRelease Lister
    participant Converter as Resource Converter

    Client->>REST: List Request (field selector)
    REST->>Filter: ParseFieldSelector()
    Filter-->>REST: Filter{Name, Namespace}
    
    REST->>REST: Check namespace match
    alt Namespace mismatch
        REST-->>Client: Empty List
    else Namespace matches
        REST->>HelmRelease: List with LabelSelector
        HelmRelease-->>REST: HelmRelease items
        
        loop For each HelmRelease
            REST->>Filter: MatchesName() + MatchesNamespace()
            Filter-->>REST: true/false
            alt Matches
                REST->>Converter: Convert to Resource
                Converter-->>REST: Resource
                REST->>REST: Add to results
            end
        end
        
        REST-->>Client: Filtered Resource List
    end

Loading

sequenceDiagram
    participant Client
    participant REST as REST Handler
    participant Filter as Field Filter
    participant Watcher as HelmRelease Watcher
    participant CustomWatcher as Custom Event Filter
    participant Converter as Resource Converter

    Client->>REST: Watch Request (field selector)
    REST->>Filter: ParseFieldSelector()
    Filter-->>REST: Filter{Name, Namespace}
    
    REST->>Watcher: Watch with LabelSelector
    Watcher-->>CustomWatcher: HelmRelease events
    
    loop For each event
        CustomWatcher->>Filter: MatchesName() + MatchesNamespace()
        Filter-->>CustomWatcher: true/false
        alt Matches
            CustomWatcher->>Converter: Convert to Resource event
            Converter-->>CustomWatcher: Resource event
            CustomWatcher-->>Client: Filtered event
        else No match
            CustomWatcher->>CustomWatcher: Filter out
        end
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 Hoppy hopping through the fields so fine,
We filter names and namespaces in line!
No more server-side confusion, clarity blooms,
Client-side filtering sweeps through the rooms.
Metadata matched with precision and care,
Custom filters dancing everywhere! ✨

✨ Finishing touches

• 📝 Generate docstrings

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between beea09f and 88f469b.

📒 Files selected for processing (4)

• pkg/registry/apps/application/rest.go
• pkg/registry/core/tenantmodule/rest.go
• pkg/registry/core/tenantsecret/rest.go
• pkg/registry/fields/filter.go

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue where kubectl field selector queries for custom resources like Applications, TenantModules, and TenantSecrets were not working as expected. The core problem stemmed from the controller-runtime cache's lack of native support for field selectors. The solution involves introducing a new, dedicated utility for parsing field selectors and then applying manual filtering for metadata.name and metadata.namespace after the initial data retrieval. This ensures that kubectl commands with these field selectors now correctly filter the results.

Highlights

• Centralized Field Selector Parsing: Introduced a new pkg/registry/fields package with a ParseFieldSelector utility to centralize and standardize the parsing of field selectors across different resource registries.
• Manual Field Selector Filtering: Implemented manual post-processing for metadata.name and metadata.namespace field selectors within the List() and Watch() methods for Application, TenantModule, and TenantSecret resources. This addresses the limitation where controller-runtime cache does not natively support field selectors.
• Refactored Client List Options: Removed the Raw field and direct FieldSelector usage from client.ListOptions when querying the underlying client, aligning with the manual filtering approach.
• Corrected kubectl Queries: Fixed the incorrect filtering behavior for kubectl queries using --field-selector=metadata.name or --field-selector=metadata.namespace for Application, TenantModule, and TenantSecret resources.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new fieldfilter package to manually process Kubernetes field selectors for metadata.name and metadata.namespace. This change addresses a limitation where the controller-runtime cache does not support field selectors. The List and Watch methods in pkg/registry/apps/application/rest.go, pkg/registry/core/tenantmodule/rest.go, and pkg/registry/core/tenantsecret/rest.go have been updated to remove FieldSelector from client.ListOptions when querying the cache. Instead, they now parse the field selector using the new fieldfilter package and apply manual filtering for metadata.name and metadata.namespace on the fetched resources. Additionally, an early exit is implemented in List operations if the field selector's namespace does not match the context namespace.