store original remote name as annotation, use hashed values for labels

On-behalf-of: @SAP christoph.mewes@sap.com

Author: xrstf

internal/sync/meta.go

@@ -22,6 +22,8 @@ import (
 	"github.com/kcp-dev/logicalcluster/v3"
 	"go.uber.org/zap"
 
+	"github.com/kcp-dev/api-syncagent/internal/crypto"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
@@ -56,7 +58,7 @@ func ensureAnnotations(obj metav1.Object, desiredAnnotations map[string]string)
 }
 
 func ensureFinalizer(ctx context.Context, log *zap.SugaredLogger, client ctrlruntimeclient.Client, obj *unstructured.Unstructured, finalizer string) (updated bool, err error) {
-	finalizers := sets.New[string](obj.GetFinalizers()...)
+	finalizers := sets.New(obj.GetFinalizers()...)
 	if finalizers.Has(deletionFinalizer) {
 		return false, nil
 	}
@@ -75,7 +77,7 @@ func ensureFinalizer(ctx context.Context, log *zap.SugaredLogger, client ctrlrun
 }
 
 func removeFinalizer(ctx context.Context, log *zap.SugaredLogger, client ctrlruntimeclient.Client, obj *unstructured.Unstructured, finalizer string) (updated bool, err error) {
-	finalizers := sets.New[string](obj.GetFinalizers()...)
+	finalizers := sets.New(obj.GetFinalizers()...)
 	if !finalizers.Has(deletionFinalizer) {
 		return false, nil
 	}
@@ -122,27 +124,32 @@ func (k objectKey) String() string {
 }
 
 func (k objectKey) Key() string {
-	result := k.Name
-	if k.Namespace != "" {
-		result = k.Namespace + "_" + result
-	}
-	if k.ClusterName != "" {
-		result = string(k.ClusterName) + "_" + result
-	}
-
-	return result
+	return crypto.Hash(k)
 }
 
 func (k objectKey) Labels() labels.Set {
-	return labels.Set{
-		remoteObjectClusterLabel:   string(k.ClusterName),
-		remoteObjectNamespaceLabel: k.Namespace,
-		remoteObjectNameLabel:      k.Name,
+	// Name and namespace can be more than 63 characters long, so we must hash them
+	// to turn them into valid label values. The full, original value is kept as an annotation.
+	s := labels.Set{
+		remoteObjectClusterLabel:  string(k.ClusterName),
+		remoteObjectNameHashLabel: crypto.Hash(k.Name),
 	}
+
+	if k.Namespace != "" {
+		s[remoteObjectNamespaceHashLabel] = crypto.Hash(k.Namespace)
+	}
+
+	return s
 }
 
 func (k objectKey) Annotations() labels.Set {
-	s := labels.Set{}
+	s := labels.Set{
+		remoteObjectNameAnnotation: k.Name,
+	}
+
+	if k.Namespace != "" {
+		s[remoteObjectNamespaceAnnotation] = k.Namespace
+	}
 
 	if !k.WorkspacePath.Empty() {
 		s[remoteObjectWorkspacePathAnnotation] = k.WorkspacePath.String()

internal/sync/metadata.go

@@ -17,6 +17,7 @@ limitations under the License.
 package sync
 
 import (
+	"fmt"
 	"maps"
 	"strings"
 
@@ -29,7 +30,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
-func stripMetadata(obj *unstructured.Unstructured) *unstructured.Unstructured {
+func stripMetadata(obj *unstructured.Unstructured) error {
 	obj.SetCreationTimestamp(metav1.Time{})
 	obj.SetFinalizers(nil)
 	obj.SetGeneration(0)
@@ -39,70 +40,100 @@ func stripMetadata(obj *unstructured.Unstructured) *unstructured.Unstructured {
 	obj.SetUID("")
 	obj.SetSelfLink("")
 
-	stripAnnotations(obj)
-	stripLabels(obj)
+	if err := stripAnnotations(obj); err != nil {
+		return fmt.Errorf("failed to strip annotations: %w", err)
+	}
+	if err := stripLabels(obj); err != nil {
+		return fmt.Errorf("failed to strip labels: %w", err)
+	}
 
-	return obj
+	return nil
 }
 
-func stripAnnotations(obj *unstructured.Unstructured) *unstructured.Unstructured {
-	annotations := obj.GetAnnotations()
-	if annotations == nil {
-		return obj
+func setNestedMapOmitempty(obj *unstructured.Unstructured, value map[string]string, path ...string) error {
+	if len(value) == 0 {
+		unstructured.RemoveNestedField(obj.Object, path...)
+		return nil
 	}
 
-	delete(annotations, "kcp.io/cluster")
-	delete(annotations, "kubectl.kubernetes.io/last-applied-configuration")
+	return unstructured.SetNestedStringMap(obj.Object, value, path...)
+}
 
-	maps.DeleteFunc(annotations, func(annotation string, _ string) bool {
-		return strings.HasPrefix(annotation, relatedObjectAnnotationPrefix)
-	})
+func stripAnnotations(obj *unstructured.Unstructured) error {
+	annotations := obj.GetAnnotations()
+	if annotations == nil {
+		return nil
+	}
 
-	obj.SetAnnotations(annotations)
+	if err := setNestedMapOmitempty(obj, filterUnsyncableAnnotations(annotations), "metadata", "annotations"); err != nil {
+		return err
+	}
 
-	return obj
+	return nil
 }
 
-func stripLabels(obj *unstructured.Unstructured) *unstructured.Unstructured {
+func stripLabels(obj *unstructured.Unstructured) error {
 	labels := obj.GetLabels()
 	if labels == nil {
-		return obj
+		return nil
 	}
 
-	for _, label := range ignoredRemoteLabels.UnsortedList() {
-		delete(labels, label)
+	if err := setNestedMapOmitempty(obj, filterUnsyncableLabels(labels), "metadata", "labels"); err != nil {
+		return err
 	}
 
-	obj.SetLabels(labels)
-
-	return obj
+	return nil
 }
 
-// ignoredRemoteLabels are labels we never want to copy from the remote to local objects.
-var ignoredRemoteLabels = sets.New[string](
+// unsyncableLabels are labels we never want to copy from the remote to local objects.
+var unsyncableLabels = sets.New(
 	remoteObjectClusterLabel,
-	remoteObjectNamespaceLabel,
-	remoteObjectNameLabel,
+	remoteObjectNamespaceHashLabel,
+	remoteObjectNameHashLabel,
 )
 
-// filterRemoteLabels removes all unwanted remote labels and returns a new label set.
-func filterRemoteLabels(remoteLabels labels.Set) labels.Set {
-	filteredLabels := labels.Set{}
+// filterUnsyncableLabels removes all unwanted remote labels and returns a new label set.
+func filterUnsyncableLabels(original labels.Set) labels.Set {
+	return filterLabels(original, unsyncableLabels)
+}
+
+// unsyncableAnnotations are annotations we never want to copy from the remote to local objects.
+var unsyncableAnnotations = sets.New(
+	"kcp.io/cluster",
+	"kubectl.kubernetes.io/last-applied-configuration",
+	remoteObjectNamespaceAnnotation,
+	remoteObjectNameAnnotation,
+	remoteObjectWorkspacePathAnnotation,
+)
 
-	for k, v := range remoteLabels {
-		if !ignoredRemoteLabels.Has(k) {
-			filteredLabels[k] = v
+// filterUnsyncableAnnotations removes all unwanted remote annotations and returns a new label set.
+func filterUnsyncableAnnotations(original labels.Set) labels.Set {
+	filtered := filterLabels(original, unsyncableAnnotations)
+
+	maps.DeleteFunc(filtered, func(annotation string, _ string) bool {
+		return strings.HasPrefix(annotation, relatedObjectAnnotationPrefix)
+	})
+
+	return filtered
+}
+
+func filterLabels(original labels.Set, forbidList sets.Set[string]) labels.Set {
+	filtered := labels.Set{}
+	for k, v := range original {
+		if !forbidList.Has(k) {
+			filtered[k] = v
 		}
 	}
 
-	return filteredLabels
+	return filtered
 }
 
 func RemoteNameForLocalObject(localObj ctrlruntimeclient.Object) *reconcile.Request {
 	labels := localObj.GetLabels()
+	annotations := localObj.GetAnnotations()
 	clusterName := labels[remoteObjectClusterLabel]
-	namespace := labels[remoteObjectNamespaceLabel]
-	name := labels[remoteObjectNameLabel]
+	namespace := annotations[remoteObjectNamespaceAnnotation]
+	name := annotations[remoteObjectNameAnnotation]
 
 	// reject/ignore invalid/badly labelled object
 	if clusterName == "" || name == "" {
@@ -117,3 +148,43 @@ func RemoteNameForLocalObject(localObj ctrlruntimeclient.Object) *reconcile.Requ
 		},
 	}
 }
+
+// threeWayDiffMetadata is used when updating an object. Since the lastKnownState for any object
+// does not contain syncer-related metadata, this function determines whether labels/annotations are
+// missing by comparing the desired* sets with the current state on the destObj.
+// If a label/annotation is found to be missing or wrong, this function will set it on the sourceObj.
+// This is confusing at first, but the source object here is just a DeepCopy from the actual source
+// object and the caller is not meant to persist changes on the source object. The reason the changes
+// are performed on the source object is so that when creating the patch later on (which is done by
+// comparing the source object with the lastKnownState), the patch will contain the necessary changes.
+func threeWayDiffMetadata(sourceObj, destObj *unstructured.Unstructured, desiredLabels, desiredAnnotations labels.Set) {
+	destLabels := destObj.GetLabels()
+	sourceLabels := sourceObj.GetLabels()
+
+	for label, value := range desiredLabels {
+		if destValue, ok := destLabels[label]; !ok || destValue != value {
+			if sourceLabels == nil {
+				sourceLabels = map[string]string{}
+			}
+
+			sourceLabels[label] = value
+		}
+	}
+
+	sourceObj.SetLabels(sourceLabels)
+
+	destAnnotations := destObj.GetAnnotations()
+	sourceAnnotations := sourceObj.GetAnnotations()
+
+	for label, value := range desiredAnnotations {
+		if destValue, ok := destAnnotations[label]; !ok || destValue != value {
+			if sourceAnnotations == nil {
+				sourceAnnotations = map[string]string{}
+			}
+
+			sourceAnnotations[label] = value
+		}
+	}
+
+	sourceObj.SetAnnotations(sourceAnnotations)
+}

internal/sync/object_syncer.go

@@ -51,6 +51,8 @@ type objectSyncer struct {
 	syncStatusBack bool
 	// whether or not to add/expect a finalizer on the source
 	blockSourceDeletion bool
+	// whether or not to place sync-related metadata on the destination object
+	metadataOnDestination bool
 	// optional mutations for both directions of the sync
 	mutator mutation.Mutator
 	// stateStore is capable of remembering the state of a Kubernetes object
@@ -177,7 +179,9 @@ func (s *objectSyncer) syncObjectSpec(log *zap.SugaredLogger, source, dest syncS
 	}
 
 	sourceObjCopy := source.object.DeepCopy()
-	stripMetadata(sourceObjCopy)
+	if err = stripMetadata(sourceObjCopy); err != nil {
+		return false, fmt.Errorf("failed to strip metadata from source object: %w", err)
+	}
 
 	log = log.With("dest-object", newObjectKey(dest.object, dest.clusterName, logicalcluster.None))
 
@@ -187,10 +191,21 @@ func (s *objectSyncer) syncObjectSpec(log *zap.SugaredLogger, source, dest syncS
 		lastKnownSourceState.SetAPIVersion(sourceObjCopy.GetAPIVersion())
 		lastKnownSourceState.SetKind(sourceObjCopy.GetKind())
 
-		// update annotations (this is important if the admin later flipped the enableWorkspacePaths
-		// option in the PublishedResource)
-		sourceKey := newObjectKey(source.object, source.clusterName, source.workspacePath)
-		ensureAnnotations(sourceObjCopy, sourceKey.Annotations())
+		// We want to now restore/fix broken labels or annotations on the destination object. Not all
+		// of the sync-related metadata is relevant to _finding_ the destination object, so there is
+		// a chance that a user has fiddled with the metadata and would have broken some other part
+		// of the syncing.
+		// The lastKnownState is based on the source object, so just from looking at it we could not
+		// determine whether a label/annotation is missing/broken. However we do need to know this,
+		// because we later have to distinguish between empty and non-empty patches, so that we know
+		// when to requeue or stop syncing. So we cannot just blindly call ensureLabels() on the
+		// sourceObjCopy, as that could create meaningless patches.
+		// To achieve this, we individually check the labels/annotations on the destination object,
+		// which we thankfully already fetched earlier.
+		if s.metadataOnDestination {
+			sourceKey := newObjectKey(source.object, source.clusterName, source.workspacePath)
+			threeWayDiffMetadata(sourceObjCopy, dest.object, sourceKey.Labels(), sourceKey.Annotations())
+		}
 
 		// now we can diff the two versions and create a patch
 		rawPatch, err := s.createMergePatch(lastKnownSourceState, sourceObjCopy)
@@ -221,8 +236,8 @@ func (s *objectSyncer) syncObjectSpec(log *zap.SugaredLogger, source, dest syncS
 		}
 
 		// update selected metadata fields
-		ensureLabels(dest.object, filterRemoteLabels(sourceObjCopy.GetLabels()))
-		ensureAnnotations(dest.object, sourceObjCopy.GetAnnotations())
+		ensureLabels(dest.object, filterUnsyncableLabels(sourceObjCopy.GetLabels()))
+		ensureAnnotations(dest.object, filterUnsyncableAnnotations(sourceObjCopy.GetAnnotations()))
 
 		// TODO: Check if anything has changed and skip the .Update() call if source and dest
 		// are identical w.r.t. the fields we have copied (spec, annotations, labels, ..).
@@ -236,7 +251,8 @@ func (s *objectSyncer) syncObjectSpec(log *zap.SugaredLogger, source, dest syncS
 	}
 
 	if requeue {
-		// remember this object state for the next reconciliation
+		// remember this object state for the next reconciliation (this will strip any syncer-related
+		// metadata the 3-way diff may have added above)
 		if err := s.stateStore.Put(sourceObjCopy, source.clusterName, s.subresources); err != nil {
 			return true, fmt.Errorf("failed to update sync state: %w", err)
 		}
@@ -278,19 +294,20 @@ func (s *objectSyncer) ensureDestinationObject(log *zap.SugaredLogger, source, d
 		return fmt.Errorf("failed to ensure destination namespace: %w", err)
 	}
 
-	// remove source metadata (like UID and generation) to allow destination object creation to succeed
-	stripMetadata(destObj)
+	// remove source metadata (like UID and generation, but also labels and annotations belonging to
+	// the sync-agent) to allow destination object creation to succeed
+	if err := stripMetadata(destObj); err != nil {
+		return fmt.Errorf("failed to strip metadata from destination object: %w", err)
+	}
 
 	// remember the connection between the source and destination object
 	sourceObjKey := newObjectKey(source.object, source.clusterName, source.workspacePath)
 	ensureLabels(destObj, sourceObjKey.Labels())
+	ensureAnnotations(destObj, sourceObjKey.Annotations())
 
 	// remember what agent synced this object
 	s.labelWithAgent(destObj)
 
-	// put optional additional annotations on the new object
-	ensureAnnotations(destObj, sourceObjKey.Annotations())
-
 	// finally, we can create the destination object
 	objectLog := log.With("dest-object", newObjectKey(destObj, dest.clusterName, logicalcluster.None))
 	objectLog.Debugw("Creating destination object…")
@@ -333,9 +350,10 @@ func (s *objectSyncer) adoptExistingDestinationObject(log *zap.SugaredLogger, de
 	// the destination object from another source object, which would then lead to the two source objects
 	// "fighting" about the one destination object.
 	ensureLabels(existingDestObj, sourceKey.Labels())
-	s.labelWithAgent(existingDestObj)
 	ensureAnnotations(existingDestObj, sourceKey.Annotations())
 
+	s.labelWithAgent(existingDestObj)
+
 	if err := dest.client.Update(dest.ctx, existingDestObj); err != nil {
 		return fmt.Errorf("failed to upsert current destination object labels: %w", err)
 	}

internal/sync/state_store.go

@@ -20,9 +20,10 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/kcp-dev/api-syncagent/internal/crypto"
 	"github.com/kcp-dev/logicalcluster/v3"
 
+	"github.com/kcp-dev/api-syncagent/internal/crypto"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
@@ -82,7 +83,9 @@ func (op *objectStateStore) Put(obj *unstructured.Unstructured, clusterName logi
 
 func (op *objectStateStore) snapshotObject(obj *unstructured.Unstructured, subresources []string) (string, error) {
 	obj = obj.DeepCopy()
-	obj = stripMetadata(obj)
+	if err := stripMetadata(obj); err != nil {
+		return "", err
+	}
 
 	// besides metadata, we also do not care about the object's subresources
 	data := obj.UnstructuredContent()