feature: Related resource label selector

[mjudeikis]

Feature Description

Consider a usecase:

1. I want to use 3rd party operator to make it "as a service". In this case https://github.com/zalando/postgres-operator
2. It works quite well but I'm not able to sync resulting secrets due to them not having any ref in the main object. They are just "labelSelector" based.

Example:

k get postgresql -A -o yaml                                                                                                                              07:29:30
apiVersion: v1
items:
- apiVersion: acid.zalan.do/v1
  kind: postgresql
  metadata:
    creationTimestamp: "2025-03-01T20:28:55Z"
    generation: 1
    labels:
      syncagent.kcp.io/agent-name: acid.zalan.do-syncagent
      syncagent.kcp.io/remote-object-cluster: n8png67i0vb069ir
      syncagent.kcp.io/remote-object-name: inmemory-postgres
      syncagent.kcp.io/remote-object-namespace: default
    name: pg-7505d64a54e061b7acd5-2035d4aace33e98627a4
    namespace: n8png67i0vb069ir
    resourceVersion: "4190"
    uid: 1a52f26a-88a6-47e3-abdb-0fa282f71137
  spec:
    numberOfInstances: 1
    postgresql:
      version: "17"
    teamId: example-team
    volume:
      size: 1Gi
  status:
    PostgresClusterStatus: Running
kind: List
metadata:
  resourceVersion: ""

and secrets:

apiVersion: v1
items:
- apiVersion: v1
  data:
    password: b3BBTWJuTDdvelRFenkwOFRScnFCVUMyaWx6RnBtMDg2eXFCcXVkcjdEZ1c4U2VIdkU2dDZ2WlRIajFoQTRzeg==
    username: cG9zdGdyZXM=
  kind: Secret
  metadata:
    creationTimestamp: "2025-03-01T20:28:55Z"
    labels:
      application: spilo
      cluster-name: pg-7505d64a54e061b7acd5-2035d4aace33e98627a4
      team: example-team
    name: postgres.pg-7505d64a54e061b7acd5-2035d4aace33e98627a4.credentials.postgresql.acid.zalan.do
    namespace: n8png67i0vb069ir
    resourceVersion: "4014"
    uid: ef11ddd3-199e-4836-bfe1-70a30fb9f10c
  type: Opaque
- apiVersion: v1
  data:
    password: a3pwZlViZ3F5Mk96S28yeFNYZUViUUZ0TUZSZ0lJNUhJRDN1Njh3ZTlLY20xU1djcTIyS2JiZlFvUHpJN3h0aQ==
    username: c3RhbmRieQ==
  kind: Secret
  metadata:
    creationTimestamp: "2025-03-01T20:28:56Z"
    labels:
      application: spilo
      cluster-name: pg-7505d64a54e061b7acd5-2035d4aace33e98627a4
      team: example-team
    name: standby.pg-7505d64a54e061b7acd5-2035d4aace33e98627a4.credentials.postgresql.acid.zalan.do
    namespace: n8png67i0vb069ir
    resourceVersion: "4015"
    uid: 9fc72851-fad5-4b64-9c83-3b12cfa274ec
  type: Opaque
kind: List
metadata:
  resourceVersion: ""

Proposed Solution

I would want to have something like this:

apiVersion: syncagent.kcp.io/v1alpha1
kind: PublishedResource
metadata:
  name: publish-postgres-postgresql
spec:
  resource:
    kind: postgresql
    apiGroup: acid.zalan.do
    version: v1
  naming:
    # This is the implicit default configuration.
    namespace: "$remoteClusterName"
    name: "pg-$remoteNamespaceHash-$remoteNameHash"
  related:
      identifier: pg-secret"
      origin: service
      kind: Secret
      labelSelector:
        namespace: "$remoteClusterName"
        matchLabels:
          cluster-name: "$remoteClusterName"

I can provide label selectors (potentially namespace too to avoid false-positives as we use namespace isolation).

Alternative Solutions

No response

Want to contribute?

• I would like to work on this issue.

Additional Context

No response

[mjudeikis]

This API is bit confusing:

type RelatedResourceReference struct {
	Name      ResourceLocator  `json:"name"`
	Namespace *ResourceLocator `json:"namespace,omitempty"`
}

type ResourceLocator struct {
	Path  string                `json:"path"`
	Regex *RegexResourceLocator `json:"regex,omitempty"`
}

I kinda expected to be able simply refer by Name and Namespace (as fields implied the names) but its something else.
Maybe we can do something like:

NameLocation ResourceLocator  `json:"nameLocator"`
Name `json:"name"`
NamespaceLocation *ResourceLocator  `json:"namespaceLocator"`
Namespace *string  `json:"namespace"`

As not it is overloading the names with something else :/

[xrstf]

You already can use "constants" by using the regex locator: https://github.com/kcp-dev/api-syncagent/blob/main/docs/publish-resources.md#related-resources

        # to inject static values, select a meaningless string value
        # and leave the pattern empty
        #
        # namespace:
        #   path: metadata.uid
        #   regex:
        #     replacement: kube-system

It's not the most pretty, but the whole idea behind the related resource locators is that they work based of references in the main object. Having related resources that are not linked at all in the main resource wasn't planned, hence the "hack" to use regexes for static values.

The nice thing about using references was that the mutation logic can be applied once and then all the code needs to do is follow the configured paths/regexes in the original (kcp) and mutated (service cluster-side) object to learn about the names, so that no extra naming mutation rules need to be specified.

The @embik already wanted to work on this and make it more flexible by adding something or other.

If we now add label selector support, what is configured in the PublishedResource? The label selector itself (will it be applied identically on both sides, kcp and service cluster?) or a reference to the label selector?

[mjudeikis]

You already can use "constants" by using the regex locator: https://github.com/kcp-dev/api-syncagent/blob/main/docs/publish-resources.md#related-resources

        # to inject static values, select a meaningless string value
        # and leave the pattern empty
        #
        # namespace:
        #   path: metadata.uid
        #   regex:
        #     replacement: kube-system

It's not the most pretty, but the whole idea behind the related resource locators is that they work based of references in the main object. Having related resources that are not linked at all in the main resource wasn't planned, hence the "hack" to use regexes for static values.

The nice thing about using references was that the mutation logic can be applied once and then all the code needs to do is follow the configured paths/regexes in the original (kcp) and mutated (service cluster-side) object to learn about the names, so that no extra naming mutation rules need to be specified.

The @embik already wanted to work on this and make it more flexible by adding something or other.

If we now add label selector support, what is configured in the PublishedResource? The label selector itself (will it be applied identically on both sides, kcp and service cluster?) or a reference to the label selector?

I think I'm having a hard time understanding this API. Given 2 objects in my original post, how would this look like?