feat: migrate events api

Author: oliverbaehler

internal/cache/registries.go

@@ -241,16 +241,19 @@ func (c *RegistryRuleSetCache) HashRules(specRules []rules.OCIRegistry) string {
 		for i := range exact {
 			exact[i] = strings.TrimSpace(exact[i])
 		}
+
 		sort.Strings(exact)
 
 		policies := make([]string, 0, len(r.Policy))
 		for _, p := range r.Policy {
 			policies = append(policies, strings.TrimSpace(string(p)))
 		}
+
 		sort.Strings(policies)
 
 		b.WriteString("exact")
 		b.WriteString(sepField)
+
 		for i, v := range exact {
 			if i > 0 {
 				b.WriteString(sepList)
@@ -267,6 +270,7 @@ func (c *RegistryRuleSetCache) HashRules(specRules []rules.OCIRegistry) string {
 		b.WriteString(sepField)
 		b.WriteString("negate")
 		b.WriteString(sepField)
+
 		if match.Negate {
 			b.WriteString("1")
 		} else {
@@ -276,6 +280,7 @@ func (c *RegistryRuleSetCache) HashRules(specRules []rules.OCIRegistry) string {
 		b.WriteString(sepField)
 		b.WriteString("policy")
 		b.WriteString(sepField)
+
 		for i, p := range policies {
 			if i > 0 {
 				b.WriteString(sepList)

internal/cache/registries_test.go

@@ -94,7 +94,7 @@ func TestRegistryRuleSetCacheGetOrBuild(t *testing.T) {
 		{
 			name: "registry with negated expression builds ruleset",
 			rules: []rules.OCIRegistry{
-				registryWithExpression(api.RegExpression{
+				registryWithExpression(api.ExpressionRegex{
 					Expression: "trusted/.*",
 					Negate:     true,
 				}),
@@ -242,7 +242,7 @@ func TestRegistryRuleSetCacheBuildRuleSet(t *testing.T) {
 	specRules := []rules.OCIRegistry{
 		registry("harbor/.*"),
 		registryWithPolicy("ghcr.io/.*", corev1.PullAlways, corev1.PullIfNotPresent),
-		registryWithExpression(api.RegExpression{
+		registryWithExpression(api.ExpressionRegex{
 			Expression: "trusted/.*",
 			Negate:     true,
 		}),
@@ -267,16 +267,16 @@ func TestRegistryRuleSetCacheBuildRuleSet(t *testing.T) {
 		t.Fatalf("expected %d compiled rules, got %d", len(specRules), len(rs.Compiled))
 	}
 
-	if rs.Compiled[0].Expression.Expression != "harbor/.*" {
-		t.Fatalf("expected first expression harbor/.*, got %q", rs.Compiled[0].Expression.Expression)
+	if rs.Compiled[0].Match.Expression != "harbor/.*" {
+		t.Fatalf("expected first expression harbor/.*, got %q", rs.Compiled[0].Match.Expression)
 	}
 
 	if len(rs.Compiled[0].AllowedPolicy) != 0 {
 		t.Fatal("expected first rule to allow any pull policy")
 	}
 
-	if rs.Compiled[1].Expression.Expression != "ghcr.io/.*" {
-		t.Fatalf("expected second expression ghcr.io/.*, got %q", rs.Compiled[1].Expression.Expression)
+	if rs.Compiled[1].Match.Expression != "ghcr.io/.*" {
+		t.Fatalf("expected second expression ghcr.io/.*, got %q", rs.Compiled[1].Match.Expression)
 	}
 
 	if len(rs.Compiled[1].AllowedPolicy) != 2 {
@@ -291,7 +291,7 @@ func TestRegistryRuleSetCacheBuildRuleSet(t *testing.T) {
 		t.Fatal("expected PullIfNotPresent to be allowed")
 	}
 
-	if !rs.Compiled[2].Expression.Negate {
+	if !rs.Compiled[2].Match.Negate {
 		t.Fatal("expected third expression to be negated")
 	}
 }
@@ -363,7 +363,7 @@ func TestRegistryRuleSetCacheMatchReference(t *testing.T) {
 		{
 			name: "negated expression matches non-matching reference",
 			rules: []rules.OCIRegistry{
-				registryWithExpression(api.RegExpression{
+				registryWithExpression(api.ExpressionRegex{
 					Expression: "trusted/.*",
 					Negate:     true,
 				}),
@@ -377,7 +377,7 @@ func TestRegistryRuleSetCacheMatchReference(t *testing.T) {
 		{
 			name: "negated expression does not match matching reference",
 			rules: []rules.OCIRegistry{
-				registryWithExpression(api.RegExpression{
+				registryWithExpression(api.ExpressionRegex{
 					Expression: "trusted/.*",
 					Negate:     true,
 				}),
@@ -406,7 +406,7 @@ func TestRegistryRuleSetCacheMatchReference(t *testing.T) {
 		{
 			name: "nested regex expression wins over legacy url",
 			rules: []rules.OCIRegistry{
-				registryWithExpression(api.RegExpression{
+				registryWithExpression(api.ExpressionRegex{
 					Expression: "nested/.*",
 				}),
 			},
@@ -417,7 +417,7 @@ func TestRegistryRuleSetCacheMatchReference(t *testing.T) {
 		{
 			name: "legacy url is ignored when nested regex expression is set",
 			rules: []rules.OCIRegistry{
-				registryWithExpression(api.RegExpression{
+				registryWithExpression(api.ExpressionRegex{
 					Expression: "nested/.*",
 				}),
 			},
@@ -449,8 +449,8 @@ func TestRegistryRuleSetCacheMatchReference(t *testing.T) {
 					t.Fatal("expected match, got nil")
 				}
 
-				if got.Expression.Expression != tt.wantExpr {
-					t.Fatalf("expected expression %q, got %q", tt.wantExpr, got.Expression.Expression)
+				if got.Match.Expression != tt.wantExpr {
+					t.Fatalf("expected expression %q, got %q", tt.wantExpr, got.Match.Expression)
 				}
 
 				return
@@ -526,7 +526,7 @@ func TestRegistryRuleSetCacheMatchRuleSetWithPullPolicy(t *testing.T) {
 		{
 			name: "negated expression respects pull policy",
 			rules: []rules.OCIRegistry{
-				registryWithExpressionAndPolicy(api.RegExpression{
+				registryWithExpressionAndPolicy(api.ExpressionRegex{
 					Expression: "trusted/.*",
 					Negate:     true,
 				}, corev1.PullIfNotPresent),
@@ -541,7 +541,7 @@ func TestRegistryRuleSetCacheMatchRuleSetWithPullPolicy(t *testing.T) {
 		{
 			name: "negated expression still rejects forbidden pull policy",
 			rules: []rules.OCIRegistry{
-				registryWithExpressionAndPolicy(api.RegExpression{
+				registryWithExpressionAndPolicy(api.ExpressionRegex{
 					Expression: "trusted/.*",
 					Negate:     true,
 				}, corev1.PullNever),
@@ -577,8 +577,8 @@ func TestRegistryRuleSetCacheMatchRuleSetWithPullPolicy(t *testing.T) {
 					t.Fatal("expected match, got nil")
 				}
 
-				if got.Expression.Expression != tt.wantExpr {
-					t.Fatalf("expected expression %q, got %q", tt.wantExpr, got.Expression.Expression)
+				if got.Match.Expression != tt.wantExpr {
+					t.Fatalf("expected expression %q, got %q", tt.wantExpr, got.Match.Expression)
 				}
 
 				return
@@ -611,8 +611,8 @@ func TestRegistryRuleSetCacheMatch(t *testing.T) {
 		t.Fatal("expected match, got nil")
 	}
 
-	if got.Expression.Expression != "harbor/.*" {
-		t.Fatalf("expected harbor/.*, got %q", got.Expression.Expression)
+	if got.Match.Expression != "harbor/.*" {
+		t.Fatalf("expected harbor/.*, got %q", got.Match.Expression)
 	}
 }
 
@@ -714,14 +714,14 @@ func TestRegistryRuleSetCacheHashRules(t *testing.T) {
 		c := NewRegistryRuleSetCache(nil)
 
 		hashA := c.HashRules([]rules.OCIRegistry{
-			registryWithExpression(api.RegExpression{
+			registryWithExpression(api.ExpressionRegex{
 				Expression: "trusted/.*",
 				Negate:     false,
 			}),
 		})
 
 		hashB := c.HashRules([]rules.OCIRegistry{
-			registryWithExpression(api.RegExpression{
+			registryWithExpression(api.ExpressionRegex{
 				Expression: "trusted/.*",
 				Negate:     true,
 			}),
@@ -924,35 +924,43 @@ func TestRegistryRuleSetCacheInsertForTest(t *testing.T) {
 
 func registry(expression string) rules.OCIRegistry {
 	return rules.OCIRegistry{
-		RegExpression: api.RegExpression{
-			Expression: expression,
-			Negate:     false,
+		ExpressionMatch: api.ExpressionMatch{
+			ExpressionRegex: api.ExpressionRegex{
+				Expression: expression,
+				Negate:     false,
+			},
 		},
 	}
 }
 
 func registryWithPolicy(expression string, policies ...corev1.PullPolicy) rules.OCIRegistry {
 	return rules.OCIRegistry{
-		RegExpression: api.RegExpression{
-			Expression: expression,
-			Negate:     false,
+		ExpressionMatch: api.ExpressionMatch{
+			ExpressionRegex: api.ExpressionRegex{
+				Expression: expression,
+				Negate:     false,
+			},
 		},
 		Policy: policies,
 	}
 }
 
-func registryWithExpression(expression api.RegExpression) rules.OCIRegistry {
+func registryWithExpression(expression api.ExpressionRegex) rules.OCIRegistry {
 	return rules.OCIRegistry{
-		RegExpression: expression,
+		ExpressionMatch: api.ExpressionMatch{
+			ExpressionRegex: expression,
+		},
 	}
 }
 
 func registryWithExpressionAndPolicy(
-	expression api.RegExpression,
+	expression api.ExpressionRegex,
 	policies ...corev1.PullPolicy,
 ) rules.OCIRegistry {
 	return rules.OCIRegistry{
-		RegExpression: expression,
-		Policy:        policies,
+		ExpressionMatch: api.ExpressionMatch{
+			ExpressionRegex: expression,
+		},
+		Policy: policies,
 	}
 }

internal/webhook/dra/validate.go

@@ -5,6 +5,7 @@ package dra
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	corev1 "k8s.io/api/core/v1"
@@ -119,7 +120,17 @@ func (h *deviceClass) validateResourceRequest(
 		case allowed.Match(dc.Name) || selector:
 			return nil
 		default:
-			recorder.Eventf(obj, tnt, corev1.EventTypeWarning, events.ReasonForbiddenDeviceClass, events.ActionValidationDenied, "%s %s/%s DeviceClass %s is forbidden for the current Tenant", req.Kind.Kind, req.Namespace, req.Name, &dc)
+			recorder.LabeledEvent(
+				obj,
+				corev1.EventTypeWarning,
+				events.ReasonForbiddenDeviceClass,
+				events.ActionValidationDenied,
+				fmt.Sprintf("%s %s/%s DeviceClass %s is forbidden for the current tenant", req.Kind.Kind, req.Namespace, req.Name, dc),
+			).
+				WithRelated(tnt).
+				WithTenantLabel(tnt).
+				WithRequestAnnotations(req).
+				Emit(ctx)
 
 			return ad.Deny(caperrors.NewDeviceClassForbidden(dc.Name, *allowed).Error())
 		}

internal/webhook/gateway/validate_class.go

@@ -5,6 +5,7 @@ package gateway
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	corev1 "k8s.io/api/core/v1"
@@ -100,7 +101,17 @@ func (r *class) validate(
 	}
 
 	if gatewayClass == nil {
-		recorder.Eventf(gatewayObj, tnt, corev1.EventTypeWarning, events.ReasonMissingGatewayClass, events.ActionValidationDenied, "Gateway %s/%s is missing GatewayClass", req.Namespace, req.Name)
+		recorder.LabeledEvent(
+			gatewayObj,
+			corev1.EventTypeWarning,
+			events.ReasonMissingGatewayClass,
+			events.ActionValidationDenied,
+			fmt.Sprintf("Gateway %s/%s is missing GatewayClass", req.Namespace, req.Name),
+		).
+			WithRelated(tnt).
+			WithTenantLabel(tnt).
+			WithRequestAnnotations(req).
+			Emit(ctx)
 
 		return ad.Deny(caperrors.NewGatewayClassUndefined(*allowed).Error())
 	}
@@ -127,7 +138,17 @@ func (r *class) validate(
 	case allowed.Match(gatewayClass.Name) || selector:
 		return nil
 	default:
-		recorder.Eventf(gatewayObj, tnt, corev1.EventTypeWarning, events.ReasonForbiddenGatewayClass, events.ActionValidationDenied, "Gateway %s/%s GatewayClass %s is forbidden for the current Tenant", req.Namespace, req.Name, &gatewayClass)
+		recorder.LabeledEvent(
+			gatewayObj,
+			corev1.EventTypeWarning,
+			events.ReasonForbiddenGatewayClass,
+			events.ActionValidationDenied,
+			fmt.Sprintf("Gateway %s/%s GatewayClass %s is forbidden for the current Tenant", req.Namespace, req.Name, gatewayClass.GetName()),
+		).
+			WithRelated(tnt).
+			WithTenantLabel(tnt).
+			WithRequestAnnotations(req).
+			Emit(ctx)
 
 		return ad.Deny(caperrors.NewGatewayClassForbidden(gatewayObj.Name, *allowed).Error())
 	}

internal/webhook/generic/custom_resource_quota.go

@@ -80,7 +80,17 @@ func (r *resourceCounterHandler) OnCreate(
 		})
 		if err != nil {
 			if errors.As(err, &caperrors.CustomResourceQuotaError{}) {
-				recorder.Eventf(tnt, nil, corev1.EventTypeWarning, events.ReasonOverprovision, events.ActionValidationDenied, "Resource %s/%s in API group %s cannot be created, limit usage of %d has been reached", req.Namespace, req.Name, kgv, limit)
+				recorder.LabeledEvent(
+					tnt,
+					corev1.EventTypeWarning,
+					events.ReasonOverprovision,
+					events.ActionValidationDenied,
+					fmt.Sprintf("Resource %s/%s in API group %s cannot be created, limit usage of %d has been reached", req.Namespace, req.Name, kgv, limit),
+				).
+					WithRelated(tnt).
+					WithTenantLabel(tnt).
+					WithRequestAnnotations(req).
+					Emit(ctx)
 			}
 
 			return ad.ErroredResponse(err)

internal/webhook/ingress/validate_class.go

@@ -5,6 +5,7 @@ package ingress
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	corev1 "k8s.io/api/core/v1"
@@ -100,7 +101,17 @@ func (r *class) validate(
 	ingressClass := ingress.IngressClass()
 
 	if ingressClass == nil {
-		recorder.Eventf(ingress.GetClientObject(), tnt, corev1.EventTypeWarning, events.ReasonMissingIngressClass, events.ActionValidationDenied, "Ingress %s/%s is missing IngressClass", req.Namespace, req.Name)
+		recorder.LabeledEvent(
+			ingress.GetClientObject(),
+			corev1.EventTypeWarning,
+			events.ReasonMissingIngressClass,
+			events.ActionValidationDenied,
+			"ingress is missing ingressclass",
+		).
+			WithRelated(tnt).
+			WithTenantLabel(tnt).
+			WithRequestAnnotations(req).
+			Emit(ctx)
 
 		return ad.Deny(caperrors.NewIngressClassUndefined(*allowed).Error())
 	}
@@ -128,7 +139,17 @@ func (r *class) validate(
 	case allowed.Match(*ingressClass) || selector:
 		return nil
 	default:
-		recorder.Eventf(ingress.GetClientObject(), tnt, corev1.EventTypeWarning, events.ReasonForbiddenIngressClass, events.ActionValidationDenied, "Ingress %s/%s IngressClass %s is forbidden for the current Tenant", req.Namespace, req.Name, &ingressClass)
+		recorder.LabeledEvent(
+			ingress.GetClientObject(),
+			corev1.EventTypeWarning,
+			events.ReasonForbiddenIngressClass,
+			events.ActionValidationDenied,
+			fmt.Sprintf("ingressclass %s is forbidden for the elected tenant", *ingressClass),
+		).
+			WithRelated(tnt).
+			WithTenantLabel(tnt).
+			WithRequestAnnotations(req).
+			Emit(ctx)
 
 		return ad.Deny(caperrors.NewIngressClassForbidden(*ingressClass, *allowed).Error())
 	}

internal/webhook/ingress/validate_collision.go

@@ -96,7 +96,17 @@ func (r *collision) validate(
 
 	var collisionErr *caperrors.IngressHostnameCollisionError
 	if errors.As(err, &collisionErr) {
-		recorder.Eventf(ing.GetClientObject(), tnt, corev1.EventTypeWarning, events.ReasonIngressHostnameCollision, events.ActionValidationDenied, "Ingress %s/%s hostname is colliding", ing.Namespace(), ing.Name())
+		recorder.LabeledEvent(
+			ing.GetClientObject(),
+			corev1.EventTypeWarning,
+			events.ReasonIngressHostnameCollision,
+			events.ActionValidationDenied,
+			"ingress hostname is colliding",
+		).
+			WithRelated(tnt).
+			WithTenantLabel(tnt).
+			WithRequestAnnotations(req).
+			Emit(ctx)
 	}
 
 	return ad.Deny(err.Error())