Implement policy namespace selector

Signed-off-by: Stefan Prodan <[email protected]>

controllers/imageupdateautomation_controller.go

@@ -95,6 +95,8 @@ type ImageUpdateAutomationReconciler struct {
 // +kubebuilder:rbac:groups=image.toolkit.fluxcd.io,resources=imageupdateautomations,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=image.toolkit.fluxcd.io,resources=imageupdateautomations/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=gitrepositories,verbs=get;list;watch
+// +kubebuilder:rbac:groups=image.toolkit.fluxcd.io,resources=imagepolicies,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=secrets;namespaces,verbs=get;list;watch
 
 func (r *ImageUpdateAutomationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := logr.FromContext(ctx)
@@ -243,11 +245,8 @@ func (r *ImageUpdateAutomationReconciler) Reconcile(ctx context.Context, req ctr
 
 	switch {
 	case auto.Spec.Update != nil && auto.Spec.Update.Strategy == imagev1.UpdateStrategySetters:
-		// For setters we first want to compile a list of _all_ the
-		// policies in the same namespace (maybe in the future this
-		// could be filtered by the automation object).
-		var policies imagev1_reflect.ImagePolicyList
-		if err := r.List(ctx, &policies, &client.ListOptions{Namespace: req.NamespacedName.Namespace}); err != nil {
+		policies, err := r.listPolicies(ctx, &auto)
+		if err != nil {
 			return failWithError(err)
 		}
 
@@ -422,6 +421,39 @@ func (r *ImageUpdateAutomationReconciler) automationsForImagePolicy(obj client.O
 	return reqs
 }
 
+// --- policies
+
+func (r *ImageUpdateAutomationReconciler) listPolicies(ctx context.Context, auto *imagev1.ImageUpdateAutomation) (*imagev1_reflect.ImagePolicyList, error) {
+	var policies imagev1_reflect.ImagePolicyList
+
+	// if no namespace selector, return all policies from the same namespace as the ImageUpdateAutomation
+	if auto.Spec.PolicyNamespaceSelector == nil {
+		if err := r.List(ctx, &policies, client.InNamespace(auto.Namespace)); err != nil {
+			return nil, err
+		}
+		return &policies, nil
+	}
+
+	// select all namespaces that match the PolicyNamespaceSelector
+	var namespaces corev1.NamespaceList
+	if err := r.List(ctx, &namespaces, client.MatchingLabels(auto.Spec.PolicyNamespaceSelector.MatchLabels)); err != nil {
+		return nil, err
+	}
+
+	// return the policies from all namespaces matching the label selector
+	for _, ns := range namespaces.Items {
+		var list imagev1_reflect.ImagePolicyList
+		if err := r.List(ctx, &list, client.InNamespace(ns.Name)); err != nil {
+			return nil, err
+		}
+		for _, pol := range list.Items {
+			policies.Items = append(policies.Items, pol)
+		}
+	}
+
+	return &policies, nil
+}
+
 // --- git ops
 
 type repoAccess struct {

controllers/update_test.go

@@ -87,8 +87,12 @@ var _ = Describe("ImageUpdateAutomation", func() {
 		branch = randStringRunes(8)
 		repositoryPath = "/config-" + randStringRunes(5) + ".git"
 
-		namespace = &corev1.Namespace{}
-		namespace.Name = "image-auto-test-" + randStringRunes(5)
+		namespace = &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   "image-auto-test-" + randStringRunes(5),
+				Labels: map[string]string{"auto": "enabled"},
+			},
+		}
 		Expect(k8sClient.Create(context.Background(), namespace)).To(Succeed())
 
 		var err error
@@ -258,6 +262,9 @@ Images:
 					Update: &imagev1.UpdateStrategy{
 						Strategy: imagev1.UpdateStrategySetters,
 					},
+					PolicyNamespaceSelector: &imagev1.PolicyNamespaceSelector{
+						MatchLabels: map[string]string{"auto": "enabled"},
+					},
 				},
 			}
 			Expect(k8sClient.Create(context.Background(), updateBySetters)).To(Succeed())