Implementing the new OverrideRules

Signed-off-by: Xinzhao Xu <z2d@jifangcheng.com>

artifacts/example/clusteroverridepolicy.yaml

@@ -8,11 +8,12 @@ spec:
       kind: Deployment
       name: nginx
       namespace: default
-  targetCluster:
+  overrideRules:
-    clusterNames:
+    - targetCluster:
-      - member1
+        clusterNames:
-  overriders:
+          - member1
-    plaintext:
+      overriders:
-      - operator: replace
+        plaintext:
-        path: /spec/replicas
+          - operator: replace
-        value: 1
+            path: /spec/replicas
+            value: 1

artifacts/example/example-override.yaml

@@ -13,22 +13,23 @@ spec:
         matchLabels:
           image: nginx
   # this override policy will only apply to resources propagated to the matching clusters
-  targetCluster:
+  overrideRules:
-    clusterNames:             # user can either select cluster by names or by labelselector
+    - targetCluster:
-      - dc-1-cluster-1
+        clusterNames:             # user can either select cluster by names or by labelselector
-      - dc-1-cluster-2
+          - dc-1-cluster-1
-    labelSelector:
+          - dc-1-cluster-2
-      matchLabels:
+        labelSelector:
-        failuredomain.kubernetes.io/region: dc1
+          matchLabels:
-  # all matching targetClusters would share the same set of overrides below
+            failuredomain.kubernetes.io/region: dc1
-  overriders:
+      # all matching targetClusters would share the same set of overrides below
-    plaintext:
+      overriders:
-    - path: "/spec/template/spec/containers/0/image"
+        plaintext:
-      operator: replace
+        - path: "/spec/template/spec/containers/0/image"
-      value: "dc-1.registry.io/nginx:1.17.0-alpine"
+          operator: replace
-    - path: "/metadata/annotations"
+          value: "dc-1.registry.io/nginx:1.17.0-alpine"
-      operator: add
+        - path: "/metadata/annotations"
-      value:
+          operator: add
-        foo: bar
+          value:
-    - path: "/metadata/annotations/foo"
+            foo: bar
-      operator: remove
+        - path: "/metadata/annotations/foo"
+          operator: remove

artifacts/example/overridepolicy_command.yaml

@@ -7,12 +7,13 @@ spec:
   resourceSelectors:
     - apiVersion: apps/v1
       kind: Deployment
-  targetCluster:
+  overrideRules:
-    clusterNames:
+    - targetCluster:
-      - member1
+        clusterNames:
-  overriders:
+          - member1
-    commandOverrider:
+      overriders:
-      - containerName: alpine
+        commandOverrider:
-        operator: add
+          - containerName: alpine
-        value:
+            operator: add
-          - test
+            value:
+              - test

artifacts/example/overridepolicy_image.yaml

@@ -7,12 +7,22 @@ spec:
   resourceSelectors:
     - apiVersion: apps/v1
       kind: Deployment
-  targetCluster:
+  overrideRules:
-    labelSelector:
+    - targetCluster:
-      matchLabels:
+        labelSelector:
-        location: us
+          matchLabels:
-  overriders:
+            location: us
-    imageOverrider:
+      overriders:
-      - component: Registry
+        imageOverrider:
-        operator: replace
+          - component: Registry
-        value: fictional.registry.us
+            operator: replace
+            value: fictional.registry.us
+    - targetCluster:
+        labelSelector:
+          matchLabels:
+            location: cn
+      overriders:
+        imageOverrider:
+          - component: Registry
+            operator: replace
+            value: fictional.registry.cn

artifacts/example/overridepolicy_simple.yaml

@@ -8,12 +8,13 @@ spec:
     - apiVersion: apps/v1
       kind: Deployment
       name: nginx
-  targetCluster:
+  overrideRules:
-    clusterNames:
+    - targetCluster:
-      - member1
+        clusterNames:
-  overriders:
+          - member1
-    plaintext:
+      overriders:
-      - path: "/metadata/annotations"
+        plaintext:
-        operator: add
+          - path: "/metadata/annotations"
-        value:
+            operator: add
-          foo: bar
+            value:
+              foo: bar

pkg/util/overridemanager/overridemanager.go

@@ -33,6 +33,12 @@ type overrideOption struct {
 	Value interface{} `json:"value,omitempty"`
 }
 
+type policyOverriders struct {
+	name       string
+	namespace  string
+	overriders policyv1alpha1.Overriders
+}
+
 type overrideManagerImpl struct {
 	client.Client
 }
@@ -89,20 +95,20 @@ func (o *overrideManagerImpl) applyClusterOverrides(rawObj *unstructured.Unstruc
 		return nil, nil
 	}
 
-	matchingPolicies := o.getMatchingClusterOverridePolicies(policyList.Items, rawObj, cluster)
+	matchingPolicyOverriders := o.getOverridersFromClusterOverridePolicies(policyList.Items, rawObj, cluster)
-	if len(matchingPolicies) == 0 {
+	if len(matchingPolicyOverriders) == 0 {
 		klog.V(2).Infof("No cluster override policy for resource: %s/%s", rawObj.GetNamespace(), rawObj.GetName())
 		return nil, nil
 	}
 
 	appliedList := &AppliedOverrides{}
-	for _, p := range matchingPolicies {
+	for _, p := range matchingPolicyOverriders {
-		if err := applyPolicyOverriders(rawObj, p.Spec.Overriders); err != nil {
+		if err := applyPolicyOverriders(rawObj, p.overriders); err != nil {
-			klog.Errorf("Failed to apply cluster overrides(%s) for resource(%s/%s), error: %v", p.Name, rawObj.GetNamespace(), rawObj.GetName(), err)
+			klog.Errorf("Failed to apply cluster overrides(%s) for resource(%s/%s), error: %v", p.name, rawObj.GetNamespace(), rawObj.GetName(), err)
 			return nil, err
 		}
-		klog.V(2).Infof("Applied cluster overrides(%s) for %s/%s", p.Name, rawObj.GetNamespace(), rawObj.GetName())
+		klog.V(2).Infof("Applied cluster overrides(%s) for resource(%s/%s)", p.name, rawObj.GetNamespace(), rawObj.GetName())
-		appliedList.Add(p.Name, p.Spec.Overriders)
+		appliedList.Add(p.name, p.overriders)
 	}
 
 	return appliedList, nil
@@ -121,26 +127,26 @@ func (o *overrideManagerImpl) applyNamespacedOverrides(rawObj *unstructured.Unst
 		return nil, nil
 	}
 
-	matchingPolicies := o.getMatchingOverridePolicies(policyList.Items, rawObj, cluster)
+	matchingPolicyOverriders := o.getOverridersFromOverridePolicies(policyList.Items, rawObj, cluster)
-	if len(matchingPolicies) == 0 {
+	if len(matchingPolicyOverriders) == 0 {
 		klog.V(2).Infof("No override policy for resource(%s/%s)", rawObj.GetNamespace(), rawObj.GetName())
 		return nil, nil
 	}
 
 	appliedList := &AppliedOverrides{}
-	for _, p := range matchingPolicies {
+	for _, p := range matchingPolicyOverriders {
-		if err := applyPolicyOverriders(rawObj, p.Spec.Overriders); err != nil {
+		if err := applyPolicyOverriders(rawObj, p.overriders); err != nil {
-			klog.Errorf("Failed to apply overrides(%s/%s) for resource(%s/%s), error: %v", p.Namespace, p.Name, rawObj.GetNamespace(), rawObj.GetName(), err)
+			klog.Errorf("Failed to apply overrides(%s/%s) for resource(%s/%s), error: %v", p.namespace, p.name, rawObj.GetNamespace(), rawObj.GetName(), err)
 			return nil, err
 		}
-		klog.V(2).Infof("Applied overrides(%s/%s) for resource(%s/%s)", p.Namespace, p.Name, rawObj.GetNamespace(), rawObj.GetName())
+		klog.V(2).Infof("Applied overrides(%s/%s) for resource(%s/%s)", p.namespace, p.name, rawObj.GetNamespace(), rawObj.GetName())
-		appliedList.Add(p.Name, p.Spec.Overriders)
+		appliedList.Add(p.name, p.overriders)
 	}
 
 	return appliedList, nil
 }
 
-func (o *overrideManagerImpl) getMatchingClusterOverridePolicies(policies []policyv1alpha1.ClusterOverridePolicy, resource *unstructured.Unstructured, cluster *clusterv1alpha1.Cluster) []policyv1alpha1.ClusterOverridePolicy {
+func (o *overrideManagerImpl) getOverridersFromClusterOverridePolicies(policies []policyv1alpha1.ClusterOverridePolicy, resource *unstructured.Unstructured, cluster *clusterv1alpha1.Cluster) []policyOverriders {
 	resourceMatchingPolicies := make([]policyv1alpha1.ClusterOverridePolicy, 0)
 	for _, policy := range policies {
 		if policy.Spec.ResourceSelectors == nil {
@@ -153,29 +159,41 @@ func (o *overrideManagerImpl) getMatchingClusterOverridePolicies(policies []poli
 		}
 	}
 
-	clusterMatchingPolicies := make([]policyv1alpha1.ClusterOverridePolicy, 0)
+	clusterMatchingPolicyOverriders := make([]policyOverriders, 0)
 	for _, policy := range resourceMatchingPolicies {
-		if policy.Spec.TargetCluster == nil {
+		overrideRules := policy.Spec.OverrideRules
-			clusterMatchingPolicies = append(clusterMatchingPolicies, policy)
+		// Since the tuple of '.spec.TargetCluster' and '.spec.Overriders' can not co-exist with '.spec.OverrideRules'
-			continue
+		// (guaranteed by webhook), so we only look '.spec.OverrideRules' here.
+		if len(overrideRules) == 0 {
+			overrideRules = []policyv1alpha1.RuleWithCluster{
+				{
+					TargetCluster: policy.Spec.TargetCluster,
+					Overriders:    policy.Spec.Overriders,
+				},
+			}
 		}
-
+		for _, rule := range overrideRules {
-		if util.ClusterMatches(cluster, *policy.Spec.TargetCluster) {
+			if rule.TargetCluster == nil || (rule.TargetCluster != nil && util.ClusterMatches(cluster, *rule.TargetCluster)) {
-			clusterMatchingPolicies = append(clusterMatchingPolicies, policy)
+				clusterMatchingPolicyOverriders = append(clusterMatchingPolicyOverriders, policyOverriders{
+					name:       policy.Name,
+					namespace:  policy.Namespace,
+					overriders: rule.Overriders,
+				})
+			}
 		}
 	}
 
 	// select policy in which at least one PlaintextOverrider matches target resource.
 	// TODO(RainbowMango): check if the overrider instructions can be applied to target resource.
 
-	sort.Slice(clusterMatchingPolicies, func(i, j int) bool {
+	sort.Slice(clusterMatchingPolicyOverriders, func(i, j int) bool {
-		return clusterMatchingPolicies[i].Name < clusterMatchingPolicies[j].Name
+		return clusterMatchingPolicyOverriders[i].name < clusterMatchingPolicyOverriders[j].name
 	})
 
-	return clusterMatchingPolicies
+	return clusterMatchingPolicyOverriders
 }
 
-func (o *overrideManagerImpl) getMatchingOverridePolicies(policies []policyv1alpha1.OverridePolicy, resource *unstructured.Unstructured, cluster *clusterv1alpha1.Cluster) []policyv1alpha1.OverridePolicy {
+func (o *overrideManagerImpl) getOverridersFromOverridePolicies(policies []policyv1alpha1.OverridePolicy, resource *unstructured.Unstructured, cluster *clusterv1alpha1.Cluster) []policyOverriders {
 	resourceMatchingPolicies := make([]policyv1alpha1.OverridePolicy, 0)
 	for _, policy := range policies {
 		if policy.Spec.ResourceSelectors == nil {
@@ -188,26 +206,38 @@ func (o *overrideManagerImpl) getMatchingOverridePolicies(policies []policyv1alp
 		}
 	}
 
-	clusterMatchingPolicies := make([]policyv1alpha1.OverridePolicy, 0)
+	clusterMatchingPolicyOverriders := make([]policyOverriders, 0)
 	for _, policy := range resourceMatchingPolicies {
-		if policy.Spec.TargetCluster == nil {
+		overrideRules := policy.Spec.OverrideRules
-			clusterMatchingPolicies = append(clusterMatchingPolicies, policy)
+		// Since the tuple of '.spec.TargetCluster' and '.spec.Overriders' can not co-exist with '.spec.OverrideRules'
-			continue
+		// (guaranteed by webhook), so we only look '.spec.OverrideRules' here.
+		if len(overrideRules) == 0 {
+			overrideRules = []policyv1alpha1.RuleWithCluster{
+				{
+					TargetCluster: policy.Spec.TargetCluster,
+					Overriders:    policy.Spec.Overriders,
+				},
+			}
 		}
-
+		for _, rule := range overrideRules {
-		if util.ClusterMatches(cluster, *policy.Spec.TargetCluster) {
+			if rule.TargetCluster == nil || (rule.TargetCluster != nil && util.ClusterMatches(cluster, *rule.TargetCluster)) {
-			clusterMatchingPolicies = append(clusterMatchingPolicies, policy)
+				clusterMatchingPolicyOverriders = append(clusterMatchingPolicyOverriders, policyOverriders{
+					name:       policy.Name,
+					namespace:  policy.Namespace,
+					overriders: rule.Overriders,
+				})
+			}
 		}
 	}
 
 	// select policy in which at least one PlaintextOverrider matches target resource.
 	// TODO(RainbowMango): check if the overrider instructions can be applied to target resource.
 
-	sort.Slice(clusterMatchingPolicies, func(i, j int) bool {
+	sort.Slice(clusterMatchingPolicyOverriders, func(i, j int) bool {
-		return clusterMatchingPolicies[i].Name < clusterMatchingPolicies[j].Name
+		return clusterMatchingPolicyOverriders[i].name < clusterMatchingPolicyOverriders[j].name
 	})
 
-	return clusterMatchingPolicies
+	return clusterMatchingPolicyOverriders
 }
 
 // applyJSONPatch applies the override on to the given unstructured object.