Match claims to classes using label selectors

[negz]

What problem are you facing?

In Crossplane 0.3 we introduced support for "provider specific" (aka "non-portable", aka "strongly typed") resource classes. During the development cycle we identified that if a claim must explicitly reference a provider specific resource class in order to enable dynamic provisioning, then the claim itself is now provider specific and no longer portable across providers. We solved this issue by introducing portable resource classes.

A portable resource class is effectively an indirection to a non-portable resource class. Portable resource classes can be set as the default for a particular namespace, and will be used by any resource claims of their corresponding kind that do not specify a resource class for dynamic provisioning, or a managed resource for static provisioning. This can be thought of as "publishing" non-portable resource classes (which may exist in a distinct namespace used to logically group infrastructure) to other namespaces, where applications may use them to satisfy claims for their infrastructure requirements.

This pattern is flexible and powerful, but Crossplane maintainers and community members have observed that it's verbose; three distinct Kubernetes resources (a claim, portable class, and non-portable class) must exist for dynamic provisioning to occur.

How could Crossplane help solve your problem?

Crossplane could remove the need for portable resource classes by using label selectors at the resource claim level, rather than the concept of a default class.

User experience

Resource claim authors who have a specific, non-portable resource class in mind just set the claim's classRef to that resource class (including its type metadata) just like they did before #723. Resource claim authors who have a specific, managed resource in mind just set the claim's resourceRef as they do today for static provisioning. Resource claim authors who don't know exactly what resource class they want omit the classRef, omit the resourceRef, and supply zero or more classSelector labels to match.

For example:

---
# Imagine this resource claim is created by a hypothetical GitLab stack
# controller to satisfy a request for a new GitLab installation. It does not
# specifically name a resource class, but declares it wants an experimental
# grade PostgreSQLInstance that is compatible with the Gitlab stack, in
# region us-east-1.
apiVersion: database.crossplane.io/v1alpha1
kind: PostgreSQLInstance
metadata:
  name: gitlab-database
  namespace: gitlab-experiments
spec:
  classSelector:
    matchLabels:
      stack: gitlab
      grade: experimental
      region: us-east-1
  writeConnectionSecretToRef:
    name: app-postgresql-connection

Note that under this proposal the concept of a "portable class" is removed, so any reference to "class" or "resource class" means "non-portable resource class", for example CloudSQLInstanceClass.

From the claim author's perspective Crossplane would handle dynamic provisioning of the above PostgreSQLInstance claim by:

1. "Finding" all classes that match its .spec.classSelector.matchLabels.
2. "Picking one at random".
3. Seting the PostgreSQLInstance .spec.classRef to the randomly selected resource class.
4. Dynamically provisioning and binding as we do today.

This proposal has the following properties:

• It supports portable, strongly typed, dynamic provisioning using only two concepts; resource claims and resource classes.
• It works the same for a hypothetical non-portable CloudSQLInstanceClaim as it does for a portable PostgreSQLInstanceClaim.
• It approximates support for "default resource classes". Label a resource class {default: "true"} to make it the global default for compatible resource claims (that select that label). Label a resource class {default: "true", namespace: app-project1-dev}, to make it the "default for a namespace" (actually, the default for any claim that selects those labels).
• It makes resource class selection non-deterministic. If multiple resource classes match the labels, one is chosen at random.
• It removes the concept of "publishing" a class to a namespace. This means a cluster operator can set a class as the "default" (kind of - see above) for app namespaces that don't exist yet, but also makes it harder for app operators to determine what resource classes they could choose from, presuming the resource classes lived in a distinct infrastructure namespace.
• It enables a rudimentary form of "matching" (dare I say scheduling?) of resource claims by decoupling the language used to match claims to classes from the (strongly typed) language used to describe classes.

Elaborating on that last bullet, it's hard to match the requirements of a resource claim to the capabilities of a resource class on spec alone due to the "lowest common denominator" problem of multi cloud. The RedisCluster claim, for example, exposes a field named engineVersion, which specifies its desired version of Redis (e.g. "3.2"). Ideally we'd use this snippet of information to intelligently match a RedisCluster claim to a resource class for dynamic provisioning, but that is hard(TM). The following resource classes could satisfy a RedisCluster claim today:

• GCP CloudMemorystoreInstanceClass has an equivalent field to engineVersion - it's named redisVersion and expects the version to be written as "REDIS_3_2", not "3.2".
• AWS ReplicationGroupClass has an engineVersion field that expects the patch version to be included, i.e. "3.2.0".
• Azure RedisClass has no field for engine version. It's just always version 3.2.

We could try to solve this by having resource claims expose the intersection (or the union?) of every possible resource class's set of fields in some standardised fashion, then teach each resource claim controller how to match the standardised resource claim fields to the provider specific resource class fields, or we could just use labels.

For example this resource claim specifies that it needs Redis 3.2:

---
apiVersion: cache.crossplane.io/v1alpha1
kind: RedisCluster
metadata:
  name: gitlab-cache
  namespace: gitlab-experiments
spec:
  classSelector:
    matchLabels:
      stack: gitlab
      engineVersion: "3.2"
  writeConnectionSecretToRef:
    name: gitlab-cache-connection

While these resource classes specify that they can satisfy claims that need Redis 3.2, while also using documented, high fidelity, validated, schemas when dynamically provisioning managed resources:

---
apiVersion: cache.gcp.crossplane.io/v1alpha2
kind: CloudMemorystoreInstanceClass
metadata:
  name: gitlab-development-default
  namespace: gcp-infra-dev
  labels:
    engineVersion: "3.2"
specTemplate:
  tier: STANDARD_HA
  region: us-west2
  memorySizeGb: 1
  redisVersion: REDIS_3_2
  providerRef:
    name: example
    namespace: gcp-infra-dev
  reclaimPolicy: Delete
---
apiVersion: cache.azure.crossplane.io/v1alpha2
kind: RedisClass
metadata:
  name: azure-redis-standard
  namespace: azure-infra-dev
  labels:
    engineVersion: "3.2"
specTemplate:
  resourceGroupName: group-westus-1
  location: West US
  sku:
    name: Basic
    family: C
    capacity: 0
  enableNonSslPort: true
  providerRef:
    name: example
    namespace: azure-infra-dev
  reclaimPolicy: Delete

Implementation Details

There are a lot of quotation marks in the above steps because what would actually be happening under the hood would be more like a race to satisfy the claim. In Crossplane there is not one controller for each resource claim kind, but rather one controller for each possible (resource claim, managed resource) tuple. This allows an infrastructure stack that adds support for a managed resource that could satisfy a resource claim to implement the dynamic provisioning and claim binding logic for said claim without having to touch Crossplane core. Put otherwise, crossplaneio/stack-gcp can add support for CloudSQLInstance resources to satisfy MySQLInstance claims in crossplaneio/stack-gcp, instead of teaching crossplaneio/crossplane how to dynamically provision a CloudSQLInstance. Hence the race. In reality the following would happen for the example above:

• All resource claim controllers are updated to only reconcile resources with a resourceRef or a classRef.
• A new "class selector" controller is introduced for each (resource claim, resource class) tuple. Its job is to set the classRef for resource classes that omit it, by using their classSelector.

Upon the creation of a PostgreSQLInstance without a classRef or resourceRef:

1. Every class selector controller watching for PostgreSQLInstance claims has a reconcile queued. I'll use the (PostgreSQLInstance, CloudSQLInstanceClass) controller for this example, but (PostgreSQLInstance, RDSInstanceClass) and (PostgreSQLInstance, MysqlServerClass) controllers would run through the process in parallel.
2. The controller would list all CloudSQLInstanceClass resources (in any namespace) that matched the PostgresSQLInstance claim' label selectors.
3. If no CloudSQLInstanceClass matched the labels, the reconcile is done. Otherwise, one of the matching CloudSQLInstanceClass resources is selected at random.
4. The controller sleeps for a small, jittered amount of time then sets the classRef of the PostgreSQLInstance to the selected CloudSQLInstanceClass. The jitter reduces the chance of two controllers trying to set the classRef at the same time. If two controllers do try to set the classRef at the same time one will fail to commit the change due to the PostgreSQLInstance claim's resource version having changed since it was read.
5. The reconcile is done. With the classRef set the PostgresSQLInstance now passes the watch predicates of the (PostgreSQLInstance, CloudSQLInstance) resource claim reconciler, which dynamically provisions and binds it.

[negz]

In summary,

[negz]

It makes resource class selection non-deterministic. If multiple resource classes match the labels, one is chosen at random.

This is potentially the downfall of this proposal. Imagine the case in which a resource claim author doesn't really know what they want, except that they want a PostgreSQLInstance. They omit the resourceRef, classRef, and classSelector when submitting their new resource claim. Under this proposal we'd treat that as "I have no opinion, pick any resource class at random". You could imagine that in a large Crossplane deployment there might be a lot of suitable resource classes, and it would probably be better to pick the cheap one rather than the super expensive production one.

We could alleviate this by:

• Adding a weight to resource classes. We'd then only pick a random resource class when multiple resource classes of the same weight matched a resource claim's labels. "Weight" in this case could be used to model "price" - higher weights for cheaper resource classes.
• Adding some special knob or label to allow resource classes to explicitly opt into, or out of the "empty label selectors" case.
• Treating the empty set of label selectors as matching nothing, rather than everything. I believe this would be unusual in Kubernetes, and would also require resource claim authors to somehow determine what labels they could select on before writing a claim.
• Strongly suggesting that by convention resource claims with no opinion use a label selector like {"default": "true"}.

I like the idea of introducing a weight, but no one controller can know the weight of all resource classes that exist; they only know the weights of the kind of resource class they're concerned with. One (not great) way they could coordinate on this would be via a rudimentary vote, i.e.:

1. Find all the resource classes they're concerned with (e.g. CloudSQLInstanceClass) that match the PostgreSQLInstance resource claim's label selectors.
2. Pick the class with the highest weight.
3. Write their highest weight to the annotations of the PostgreSQLInstance under reconciliation as {"class-weight.crossplane.io/weight": "class-kind"}, e.g. {"class-weight.crossplane.io/100": "CloudSQLInstance.gcp.storage.crossplane.io/v1alpha2"}.
4. Wait for a predetermined amount of time.
5. Fetch the PostgreSQLInstance, sort the class-weight labels, and see if the class they're concerned with had the highest weight.

[hasheddan]

Thanks for compiling these thoughts into a proposal! I like the idea of having less objects required to dynamically provision resources, but I worry that deferring all of this logic to the "non-portable" resource classes may end up being more difficult from a UX perspective than the current "portable" class pattern with scale. If you think about having 100 namespaces in a Crossplane control cluster, the labeling of non-portable classes in "infrastructure namespaces" could end up being rather verbose, and if you only are responsible for your team's namespace, it may be frustrating to discover that a non-portable class in a different namespace (i.e. gcp-infra-dev) has had its labels changed without your knowledge. In short, I think we want the configurations for resources exposed by non-portable classes to be reusable, so adding / removing labels for different use-cases is somewhat concerning (even if it happens infrequently).

I believe a large portion of burden expressed in this proposal could be alleviated by introducing cluster-scoped portable classes, something we have discussed in the past, and "scheduling" using labels on both cluster and namespace portable classes. The cluster-scoped portable classes remove the requirement of creating new portable class objects just to be able to dynamically provision resources in a namespace, and the the labels provide the matching functionality you outline, while still keeping control of the behavior at the namespace level if desired. The default class controllers could be changed to class selector controllers that include this label matching functionality.

To demonstrate this functionality, we can refactor the example above:

1. We have two non-portable resource classes in "infrastructure namespaces" that can satisfy a RedisCluster claim (labels removed).

---
apiVersion: cache.gcp.crossplane.io/v1alpha2
kind: CloudMemorystoreInstanceClass
metadata:
  name: gcp-redis-standard
  namespace: gcp-infra-dev
specTemplate:
  tier: STANDARD_HA
  region: us-west2
  memorySizeGb: 1
  redisVersion: REDIS_3_2
  providerRef:
    name: example
    namespace: gcp-infra-dev
  reclaimPolicy: Delete
---
apiVersion: cache.azure.crossplane.io/v1alpha2
kind: RedisClass
metadata:
  name: azure-redis-standard
  namespace: azure-infra-dev
specTemplate:
  resourceGroupName: group-westus-1
  location: West US
  sku:
    name: Basic
    family: C
    capacity: 0
  enableNonSslPort: true
  providerRef:
    name: example
    namespace: azure-infra-dev
  reclaimPolicy: Delete

2. We have two cluster-scoped portable classes, which reference the non-portable classes and have labels that can be used for matching (the naming is a little weird with RedisClusterClusterClass, but that could be worked out later).

---
apiVersion: cache.crossplane.io/v1alpha1
kind: RedisClusterClusterClass
metadata:
  name: gitlab-redis-standard
  labels:
    stack: "gitlab"
    engineVersion: "3.2"
classRef:
  kind: CloudMemorystoreInstanceClass
  apiVersion: cache.gcp.crossplane.io/v1alpha2
  name: gcp-redis-standard
  namespace: gcp-infra-dev
---
apiVersion: cache.crossplane.io/v1alpha1
kind: RedisClusterClusterClass
metadata:
  name: redis-standard
  labels:
    engineVersion: "3.2"
classRef:
  kind: RedisClass
  apiVersion: cache.azure.crossplane.io/v1alpha2
  name: azure-redis-standard
  namespace: azure-infra-dev

3. We create a new namespace app-project1-dev and a RedisCluster claim in it.

---
apiVersion: cache.crossplane.io/v1alpha1
kind: RedisCluster
metadata:
  name: gitlab-cache
  namespace: app-project1-dev
spec:
  classSelector:
    matchLabels:
      stack: gitlab
      engineVersion: "3.2"
  writeConnectionSecretToRef:
    name: gitlab-cache-connection

In this scenario, there are no namespace-scoped portable classes in app-project1-dev, so the class selector controller will instead look to for cluster-scoped portable classes, find that gitlab-redis-standard matches all labels and assign it as the classRef for the claim.

This scenario is suitable for a user who does not want to define their own portable classes and is comfortable with the possibility that labels used to "schedule" their resources may change. If a user would instead like to have control over the scheduling behavior, they could create a namespace-scoped portable class:

---
apiVersion: cache.crossplane.io/v1alpha1
kind: RedisClusterClass
metadata:
  name: gitlab-redis-standard
  labels:
    stack: "gitlab"
    engineVersion: "3.2"
classRef:
  kind: CloudMemorystoreInstanceClass
  apiVersion: cache.gcp.crossplane.io/v1alpha2
  name: gcp-redis-standard
  namespace: gcp-infra-dev

Now when they create the claim, the class selector controller will find that there exists a portable class with matching labels in the namespace, and will use it instead of looking to see if cluster-scoped portable classes with matching labels exist.

This pattern appears to alleviate the concerns of needing to create extra objects, while also preserving the "class of service" pattern. It may still be annoying as a new user who is testing out Crossplane to need to create portable classes at all, but on a scaled organizational level, I think it may work better.

[negz]

@hasheddan It seems like there is tension between Crossplane's API model being:

1. Predictable, flexible, and composable enough to suit the needs of a larger org.
2. Simple enough that early adopters can pick up the concepts and get up and running quickly.

I agree that we would sacrifice predictability and discoverability by removing the portable class concept as my design proposes. I also agree that adding cluster scoped equivalents of the existing portable classes would mean there were fewer concepts that application operators needed to be concerned with, presuming someone else (cluster operators) took care of it for them.

Portable classes, cluster scoped portable classes, and label selectors on portable classes do a lot for point 1, but I think this comes at the expense of point 2. What I'm wondering is if there's a design that satisfies points 1 and 2. Something flexible enough for larger orgs but not intimidating for simpler use cases.

Portable classes have the following good properties:

• They make it easy for app operators to discover the classes of service they can choose from.
• They narrow the scope of class selection (aka defaulting) to the namespace.

Conversely, when any non-portable class in any namespace can elect itself (by altering its labels) to match any resource claim in any namespace it's easy for a change in the labels of class A in namespace A to have an unintended impact on class B in namespace B.

So given the above, what if we:

• Removed the concept of portable resource classes.
• Used class selector labels to match claims with (non-portable) resource classes.
• Selected only classes from the claim's namespace.
• Dynamically provisioned managed resources in the namespace of their class's provider, not their class.

This means the process of configuring an application namespace A's classes of service changes from "create a non-portable resource class in infrastructure namespace N, then reference it from a portable resource class in application namespace A" to "create a non-portable resource class in application namespace A". I think this would have the following properties:

• Increase potential duplication (aka reduce potential reuse) of resource classes.
• Increase the discoverability of resource classes. Application owners immediately see the actual resource classes they may select, including the labels they can select on and the concrete parameters that will be used for dynamic provisioning, rather than an indirection.
• Make it easier to reason about how Crossplane dynamic provisioning works.

This would lead to the following user flows.

A new Crossplane user exploring dynamic provisioning for the first time:

1. Explorer creates a GCP Provider in namespace testing.
2. Explorer creates a CloudSQLInstance resource class with no labels in namespace testing.
3. Explorer creates N PostgreSQLInstance claims with no label selectors in namespace testing.
4. Done. Explorer has N CloudSQLInstance managed resources in namespace testing, provisioned and bound to their claims.

An org in which infrastructure operators are distinct from app operators:

1. InfraOp creates a GCP Provider and an AWS Provider in namespace us-east-1.
2. InfraOp creates various networking managed resources in namespace us-east-1.
3. InfraOp creates a CloudSQLInstance labelled {engine: postgresql, version: "9.6"} and an RDSInstance resource labelled {engine: mysql, version: "5.7"} in namespace app-team1, with a providerRef to the Providers in namespace us-east-1.
4. AppOp wants a Postgres 9.6 database, but doesn't know what shape it should be. They list the available classes in their namespace, see the CloudSQLInstance satisfies their needs, and create a PostgreSQLInstance claim with class selector labels {engine: postgresql, version: "9.6"}.
5. Done. AppOp has a CloudSQLInstance managed resource in namespace us-east-1, bound to their claim in namespace app-team1.

A Wordpress app stack that wants to select a "sane default" MySQL resource class for instances of the app it enables:

1. Wordpress stack author ensures the creation of each Wordpress resource causes the creation of a MySQLInstance claim with class selector labels {stack: wordpress} by default. Possibly they make the resource class label selectors that will be used for the MySQLInstance claim configurable on the Wordpress resource, e.g. as .spec.databaseSelector.
2. InfraOp creates a GCP Provider in namespace us-east-1.
3. AppOp creates namespace 'my-cool-blog`.
4. AppOp creates a CloudSQLInstanceClass labeled {stack: wordpress} in namespace my-cool-blog, referencing the Provider in us-east-1.
5. AppOp creates a Wordpress in namespace my-cool-blog.
6. Done. AppOp has a Wordpress workload that uses a CloudSQLInstance created in namespace us-east-1.

[hasheddan]

@negz I agree that this addresses my concern with changing labels, but I am not sure that I think the following should be a goal:

Increase potential duplication (aka reduce potential reuse) of resource classes

In my mind, the ability to reuse non-portable resource classes is a major feature of Crossplane. Portable classes create a layer that defines how they are reused. Essentially, the configuration (non-portable resource class) is reusable, while the use-case (portable resource class) is configurable. If claims can only make use of non-portable resource classes in their namespace, I once again think this breaks down at scale. If an InfraOp wanted the same CloudSQLInstanceClass to be used as default for every app namespace in an org and there was 100 app namespaces, they would need to create 100 copies of the same CloudSQLInstanceClass. With a cluster-scoped portable resource class, they could create one cluster-scoped portable resource class that specified the single CloudSQLInstanceClass as default for all namespaces, unless a different namespace-scoped portable resource class overrides it.

As an organization scales, the growth in number of resources being created with the cluster-scoped portable class model is logarithmic at best and linear at worst (i.e. a new namespace can have classes of service and sane defaults defined with 0 additional configuration) , while with the non-portable class in namespace model it is linear at best and exponential at worst (i.e. every new namespace will need its own non-portable classes, and creating a non-portable class that you want available in every namespace would require copying it to every namespace).

If we do want to be able to make it easier for new users to be able to get up and running, we could always add back the ability to reference a non-portable resource class directly. It might even be a good pattern to say that you can reference non-portable resource classes directly, but only in the namespace in which you are creating your claim. For a new user, this would make it easy to see what classes are available, and dynamic provisioning of a managed resource would occur in the same namespace as the claim (addresses making it easier to reason about how Crossplane dynamic provisioning works). At an organizational level, this feature could essentially be disabled by restricting permissions for app owners to create non-portable resource classes.

So, in summary, I believe this would look as follows:

• Add cluster-scoped portable resource classes
• Add ability to match portable resource classes by label (namespace-scoped override cluster-scoped portable classes)
• Add ability to reference a local non-portable resource class

Would be good to get @prasek / @bassam / @jbw976 thoughts here.

[suskin]

If two controllers do try to set the classRef at the same time one will fail to commit the change

If this is the case, what is the reason for jittering? It seems like it isn't necessary and just adds reconciliation latency without much of a benefit. I am probably missing something here.

This discussion has already covered a lot of ground, so I'll try to respond in a brief way. The comments may be a bit scattered.

Here is my mindset for this type of situation:

• Since we are early in the project, and we already have something that works okay, what is the priority of this work? I usually prioritize things higher if they are coming from user feedback, which sounds like is the case in this situation.
• When making early design decisions, the future design will always be informed by user insights over time, so in my experience there is a diminishing return on spending more time thinking about designs. I tell myself that whatever I decide now will be wrong, so I should just make a best guess and leave the possibilities open so things can be revisited later : ). In this case, I feel this probably applies best to the question of what happens later when this mechanism would be used at scale.
• If you accept that designs will need to be changed in the future, then given that something is going to be wrong no matter how hard we try to design everything perfectly, simpler is better than more complex. I am thinking that fewer pieces and layers sounds simpler than more pieces and layers.
• I agree with the approach of skewing toward optimizing for the users we are trying to attract now, and worrying less about the other situations until we need better support for them in the future

For this particular proposal, I like the goal of trying to simplify things by removing a whole concept. I support trying this and seeing how it goes, especially since it's in response to some user feedback. I agree with @hasheddan that some things may break down later, though I also believe this will happen regardless of which design we go with, so I'm a fan of timeboxing design thinking and then moving ahead with our best guess once we've used the amount of time we want to use.

For the question of labels changing, I didn't quite follow that; I would expect that treating a resource class as immutable would be the best practice, especially when there are consumers of a resource class.

I like that using labels opens the door to auto-generating labels, and fits will with matching to a particular geographic region.

For the question of what the behavior should be when there are no labels, I would apply the rule of least surprise here and go with whatever most users would expect the behavior to be. Matching everything and matching nothing could both work.

[negz]

Relates to #91.

[negz]

Also relates to #922.

[negz]

In my mind, the ability to reuse non-portable resource classes is a major feature of Crossplane.

I mostly agree. I was highlighting the properties of the proposal without putting a value judgement on them. Reducing the reusability of non-portable resource classes is more likely to be a negative than a positive. That said, I question whether global reusability of resource classes warrants the associated increase in user experience complexity.

I once again think this breaks down at scale.

Again, I don't disagree with this statement but if we have to choose between scale and simplicity, I question whether scale is the right optimisation at this stage of our project's lifecycle. I'd happily endorse a proposal that supported both scale and simplicity.

If this is the case, what is the reason for jittering?

If we did conflict, one request would lose the race and suffer some exponentially backed off delay being requeued. The idea is that the jitter would be in the order of seconds to avoid this, but you could be right that it would be faster and simpler to avoid the jitter.

Edit: Oh, but it would not matter, because the winning request set the classRef and thus the process was completed. I think I see your point, and agree we would not need any jitter.

[negz]

Conversely, when any non-portable class in any namespace can elect itself (by altering its labels) to match any resource claim in any namespace it's easy for a change in the labels of class A in namespace A to have an unintended impact on class B in namespace B.

An alternative to #870 (comment) that could help alleviate this concern, help with cases like #922, and still simplify the experience for smaller organisations would be to allow app namespaces to use a namespace level annotation to limit the namespaces to which their resource claims could be matched to (non-portable) resource classes.

An annotation like crossplane.io/select-class-namespaces: us-east-1, eu-west-2 (where us-east-1 and eu-west-2 are infrastructure namespaces) would allow an app namespace to create a relationship between itself and one or more infrastructure namespaces. In this example resource claims would select only against non-portable resource classes that were:

• In the same namespace as the resource claim.
• In one of the namespaces specified by the select-namespaces annotation.

This would allow an app operator (who owned their app namespace) to configure scenarios like "my resource claims should only use resource classes in production infrastructure namespaces" or "my resource claims should only use east coast namespaces" without the need for portable resource classes to be created in their namespace (or to exist at all).

Resource claims created in namespaces that omitted the select-namespaces annotation would be matched against a sensible default. I could be convinced that this should be either:

• Resource classes in any namespace.
• Resource classes only in the same namespace as the claim.

[prasek]

@negz Thanks for writing this up and @hasheddan for the discussion!

The select-class-namespace annotation addresses many of the concerns for globally matching across any namespace, and allows the namespace owner to incrementally expand the scope of label selector matches beyond local (same namespace matches). If the select-class-namespace was omitted by the namespace owner, defaulting to local matches (same namespace as the claim) would reduce the complexity of labels required at scale to get a unique match and be more predictable for new users who didn’t add the annotation to their namespace in a larger shared cluster.

Labels forgo validated unique names that portable resource class names provide, but if we move back to pre #723 behavior that can still be achieved with a claim.spec.classRef to a non-portable class. However that wouldn’t be a portable claim, so we really are losing that aspect with labels.

So with this proposal, portable claims would need to use label selectors.

The select-class-namespace annotation would be a variant of #922 option (a) and a great starting point — possibly for the portable classes we have today, although that might collapse namespaces (and the unique class names in the local namespace and the select-class-namespace) rendering portable class names potentially ambiguous. We could make this an either-or proposition, but starts to get complicated for a user to understand the behavior of the system.

So perhaps #922 option (b) adding claim.spec.classRef.namespace back in for referencing portable classes in a non-local infra namespace is the simplest thing we could do to solve #922 and minimize the number of portable classes needed at scale.

We could also add support for non-portable claim.spec.classRef (pre #723) back in as well for people that don’t care about portability, or want to solve portability by adding conditional logic to a Helm chart or Stack that drops non-portable claims and classes into an app project namespace, so everything is local.

Really like the label/selectors approach but need to think about some of the issues @hasheddan raised, although the select-class-namespace` annotation does address a lot of them IMO, esp. if it defaults to local matching when omitted.

[negz]

Thanks for the feedback @prasek!

Labels forgo validated unique names that portable resource class names provide, but if we move back to pre #723 behavior that can still be achieved with a claim.spec.classRef to a non-portable class. However that wouldn’t be a portable claim, so we really are losing that aspect with labels.

Am I following correctly in my understanding that the value to users of "validated unique [resource class reference] names" is that a resource claim author can know with certainty that their resource claim will match exactly one resource class?

So with this proposal, portable claims would need to use label selectors.

Correct, but is that a bad thing? Under this proposal:

• As you said, we get pre Loose classRef matching for resource claims #723 behaviour, so a claim author could forego labels altogether and set their .spec.classRef explicitly to exactly one non-portable resource class, at the expense of claim portability.
• We can't use label selectors to guarantee that a claim will match exactly one resource class, but we can get very close with a well designed labelling scheme.

I think it might be useful to state what the real world use cases are in which a resource claim author needs portability, and needs to match exactly one predetermined resource class. Needing portability would imply it doesn't matter what provider their claim is satisfied by. I assume needing to match exactly one resource class therefore means they have a need like "I need the Gitlab-blessed production grade resource class for whatever cloud provider is the default".

kind: PostgreSQLInstance
spec:
  classSelector:
    matchLabels:
      gitlab.crossplane.io/default: "true"
      gitlab.crossplane.io/grade: "production"

Does the above (abridged) resource claim's label selector strategy satisfy their need? If the infrastructure operator has ensured there's only one resource class within their namespace's matching scope then they get exactly that one resource class. If there's more than one matching class, is it so bad that we pick one at random? By matching the labels the classes have declared they satisfy the need declared by the resource claim.