name label added to namespace in not prefixed with capsule.clastix.io

[sagar-jadhav]

Bug description

Namespace has the label name added by Capsule controller which is not prefixed by capsule.clastix.io

How to reproduce

Create a Tenant oil as a cluster admin

apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
  - name: alice
    kind: User

Create a namespace oil-db as a Alice user

kubectl create ns oil-db

Describe the namespace oil-db as a Alice user

kubectl describe ns oil-db

Name:         oil-db
Labels:       capsule.clastix.io/tenant=oil
              name=oil-db

No resource quota.

Expected behavior

name label should be prefixed with capsule.clastix.io in the oil-db namespace as it is added by Capsule controller

Additional context

• Helm Chart version: v0.3.1

[sagar-jadhav]

@prometherion I can work on this issue. Please assign it to me.

[MaxFedotov]

Hey @sagar-jadhav.

This change would be backward-incompatible, and may cause problems for users who are relying on this label on different objects.

My opinion is that If really needed, a second label with capsule.clastix.io prefix can be added, but I don’t actually think that it is a big problem to have a label without prefix.

[prometherion]

This change would be backward-incompatible, and may cause problems for users who are relying on this label on different objects.

The first thing I'm thinking of is the capsule-proxy, but we're relying on the capsule.clastix.io/tenant one.

However, you're totally right: we should mark this as deprecated in the upcoming releases so users know in advance prior to the update.

The name label was there since prior to 1.21 there were no enforced labels such as the kubernetes.io/metadata.name.

Although supporting several old Kubernetes versions, I think we can give for granted we wanna support only the latest 3 latest releases of Kubernetes (at the current time of writing, 1.27, 1.26, and 1.25) so we just need to drop that label, document it as a breaking change and we're done.

[sagar-jadhav]

@prometherion in capsule-proxy we have hard coded the name label in the label selector here So if we decide to drop the name label from capsule and use either capsule.clastix.io prefixed label or kubernetes.io/metadata.name label then we need to update the label key in capsule-proxy as well.

[prometherion]

Nice finding, @sagar-jadhav.

We have to coordinate with the capsule-proxy release, then.

[sagar-jadhav]

@prometherion I will open an PR in capsule-proxy to use kubernetes.io/metadata.name instead of name in the label selector.

But How to mark name label deprecated? Do we need to update any doc? If yes please point out the doc which needs to be updated so that I can make that change as well.

[prometherion]

I've just released capsule-proxy v0.4.3, so we can work on a new minor release such as v0.5.0.

[MaxFedotov]

The first thing I'm thinking of is the capsule-proxy, but we're relying on the capsule.clastix.io/tenant one.

However, you're totally right: we should mark this as deprecated in the upcoming releases so users know in advance prior to the update.

The name label was there since prior to 1.21 there were no enforced labels such as the kubernetes.io/metadata.name.

I'm now working on migration to capsulev1beta2 API, so was looking into capsule-proxy code.
kubernetes.io/metadata.name is added only on namespaces, but we also need it on other objects - storageclasses, ingressclasses, priorityclasses. If we have a plan to switch to this label from a name label, we need capsule to add it to all these objects.

[prometherion]

If we have a plan to switch to this label from a name label, we need capsule to add it to all these objects

The name label is still required since Capsule cluster-scoped selection was based on their name and regex.

With #738 we plan to drop this odd situation and rely only on the label selector: are we still on the same page, Max?

[MaxFedotov]

@prometherion Ah, I see. I was confused by the name of the issue, regarding the remaining of the label. If it will be dropped together with regex support and capsule-proxy update then I think everything will be fine. Btw, i can take a task for updating capsule-proxy if needed :)

[sagar-jadhav]

@MaxFedotov Sure you can take up the task to make relevant changes int the capsule-proxy :) cc: @prometherion

[prometherion]

@oliverbaehler @MaxFedotov @bsctl rather than marking that label with a Capsule one, TBH, I would ensure the well-known kubernetes.io/metadata.name is set properly.

This one has been introduced from Kubernetes 1.22, since we're supporting also previous versions of Kubernetes, we just need to be sure it's there. For the proxy, it will be easier to target this.