Skip to content

fix: allow managed metadata defined per tenant #1947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
oliverbaehler merged 2 commits into from
Jun 3, 2026
Merged

fix: allow managed metadata defined per tenant #1947

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5fdc609
fix: allow managed metadata defined per tenant
oliverbaehler Jun 3, 2026
089e0c6
fix: allow managed metadata defined per tenant
oliverbaehler Jun 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
245 changes: 236 additions & 9 deletions e2e/namespace_metadata_forbidden_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,22 @@ var _ = Describe("creating a Namespace with user-specified labels and annotation
NamespaceOptions: &capsulev1beta2.NamespaceOptions{
ForbiddenLabels: api.ForbiddenListSpec{
Exact: []string{"foo", "bar"},
Regex: "^gatsby-.*$",
Regex: "^gatsby-.*$|^managed\\.projectcapsule\\.dev/",
},
ForbiddenAnnotations: api.ForbiddenListSpec{
Exact: []string{"foo", "bar"},
Regex: "^gatsby-.*$",
Regex: "^gatsby-.*$|^managed\\.projectcapsule\\.dev/",
},
AdditionalMetadataList: []api.AdditionalMetadataSelectorSpec{
{
Labels: map[string]string{
"managed.projectcapsule.dev/customer": "acme",
"managed.projectcapsule.dev/tenant": "{{ tenant.name }}",
},
Annotations: map[string]string{
"managed.projectcapsule.dev/source": "capsule",
},
},
},
},
Owners: rbac.OwnerListSpec{
Expand All @@ -54,10 +65,13 @@ var _ = Describe("creating a Namespace with user-specified labels and annotation
JustBeforeEach(func() {
EventuallyCreation(func() error {
tnt.ResourceVersion = ""

return k8sClient.Create(context.TODO(), tnt)
}).Should(Succeed())

TenantReady(tnt, metav1.ConditionTrue, defaultTimeoutInterval)
})

JustAfterEach(func() {
EventuallyDeletion(tnt)
})
Expand All @@ -68,18 +82,37 @@ var _ = Describe("creating a Namespace with user-specified labels and annotation
"bim": "baz",
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

})

By("specifying non-forbidden annotations", func() {
ns := NewNamespace("", map[string]string{
meta.TenantLabel: tnt.GetName(),
})
ns.SetAnnotations(map[string]string{"bim": "baz"})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())
})

By("allowing forbidden-prefix labels and annotations when they are managed by Capsule", func() {
ns := NewNamespace("", map[string]string{
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

Eventually(func(g Gomega) {
err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns)
g.Expect(err).ToNot(HaveOccurred())

g.Expect(ns.GetLabels()).To(HaveKeyWithValue("managed.projectcapsule.dev/customer", "acme"))
g.Expect(ns.GetLabels()).To(HaveKeyWithValue("managed.projectcapsule.dev/tenant", tnt.GetName()))
g.Expect(ns.GetAnnotations()).To(HaveKeyWithValue("managed.projectcapsule.dev/source", "capsule"))
}, defaultTimeoutInterval, time.Second).Should(Succeed())
})
})

Expand All @@ -89,35 +122,61 @@ var _ = Describe("creating a Namespace with user-specified labels and annotation
"foo": "bar",
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).ShouldNot(Succeed())
NamespaceIsNotPartOfTenant(tnt, ns).Should(Succeed())

})

By("specifying forbidden labels using regex match", func() {
ns := NewNamespace("", map[string]string{
meta.TenantLabel: tnt.GetName(),
"gatsby-foo": "bar",
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).ShouldNot(Succeed())
NamespaceIsNotPartOfTenant(tnt, ns).Should(Succeed())
})

By("specifying forbidden annotations using exact match", func() {
ns := NewNamespace("", map[string]string{
meta.TenantLabel: tnt.GetName(),
})
ns.SetAnnotations(map[string]string{"foo": "bar"})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).ShouldNot(Succeed())
NamespaceIsNotPartOfTenant(tnt, ns).Should(Succeed())

})

By("specifying forbidden annotations using regex match", func() {
ns := NewNamespace("", map[string]string{
meta.TenantLabel: tnt.GetName(),
})
ns.SetAnnotations(map[string]string{"gatsby-foo": "bar"})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).ShouldNot(Succeed())
NamespaceIsNotPartOfTenant(tnt, ns).Should(Succeed())
})

By("specifying forbidden-prefix labels that are not managed by Capsule", func() {
ns := NewNamespace("", map[string]string{
meta.TenantLabel: tnt.GetName(),
"managed.projectcapsule.dev/user-label": "should-be-denied",
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).ShouldNot(Succeed())
NamespaceIsNotPartOfTenant(tnt, ns).Should(Succeed())
})

By("specifying forbidden-prefix annotations that are not managed by Capsule", func() {
ns := NewNamespace("", map[string]string{
meta.TenantLabel: tnt.GetName(),
})
ns.SetAnnotations(map[string]string{
"managed.projectcapsule.dev/user-annotation": "should-be-denied",
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).ShouldNot(Succeed())
NamespaceIsNotPartOfTenant(tnt, ns).Should(Succeed())
})
})

Expand Down Expand Up @@ -169,81 +228,249 @@ var _ = Describe("creating a Namespace with user-specified labels and annotation
ns := NewNamespace("forbidden-labels-exact-match", map[string]string{
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

rbacPatch(ns.GetName())

Consistently(func() error {
if err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns); err != nil {
return nil
}

ns.SetLabels(map[string]string{"foo": "bar"})
labels := ns.GetLabels()
if labels == nil {
labels = map[string]string{}
}
labels["foo"] = "bar"
ns.SetLabels(labels)

_, err := cs.CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})

return err
}, 10*time.Second, time.Second).ShouldNot(Succeed())
})

By("specifying forbidden labels using regex match", func() {
ns := NewNamespace("forbidden-labels-regex-match", map[string]string{
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

rbacPatch(ns.GetName())

Consistently(func() error {
if err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns); err != nil {
return nil
}

ns.SetLabels(map[string]string{"gatsby-foo": "bar"})
labels := ns.GetLabels()
if labels == nil {
labels = map[string]string{}
}
labels["gatsby-foo"] = "bar"
ns.SetLabels(labels)

_, err := cs.CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})

return err
}, 3*time.Second, time.Second).ShouldNot(Succeed())
})

By("specifying forbidden annotations using exact match", func() {
ns := NewNamespace("forbidden-annotations-exact-match", map[string]string{
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

rbacPatch(ns.GetName())

Consistently(func() error {
if err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns); err != nil {
return nil
}

ns.SetAnnotations(map[string]string{"foo": "bar"})
annotations := ns.GetAnnotations()
if annotations == nil {
annotations = map[string]string{}
}
annotations["foo"] = "bar"
ns.SetAnnotations(annotations)

_, err := cs.CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})

return err
}, 10*time.Second, time.Second).ShouldNot(Succeed())
})

By("specifying forbidden annotations using regex match", func() {
ns := NewNamespace("forbidden-annotations-regex-match", map[string]string{
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

rbacPatch(ns.GetName())

Consistently(func() error {
if err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns); err != nil {
return nil
}

ns.SetAnnotations(map[string]string{"gatsby-foo": "bar"})
annotations := ns.GetAnnotations()
if annotations == nil {
annotations = map[string]string{}
}
annotations["gatsby-foo"] = "bar"
ns.SetAnnotations(annotations)

_, err := cs.CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})

return err
}, 10*time.Second, time.Second).ShouldNot(Succeed())
})

By("specifying forbidden-prefix labels that are not managed by Capsule", func() {
ns := NewNamespace("forbidden-managed-prefix-label-update", map[string]string{
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

rbacPatch(ns.GetName())

Consistently(func() error {
if err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns); err != nil {
return nil
}

labels := ns.GetLabels()
if labels == nil {
labels = map[string]string{}
}
labels["managed.projectcapsule.dev/user-label"] = "should-be-denied"
ns.SetLabels(labels)

_, err := cs.CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})

return err
}, 10*time.Second, time.Second).ShouldNot(Succeed())
})

By("specifying forbidden-prefix annotations that are not managed by Capsule", func() {
ns := NewNamespace("forbidden-managed-prefix-annotation-update", map[string]string{
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

rbacPatch(ns.GetName())

Consistently(func() error {
if err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns); err != nil {
return nil
}

annotations := ns.GetAnnotations()
if annotations == nil {
annotations = map[string]string{}
}
annotations["managed.projectcapsule.dev/user-annotation"] = "should-be-denied"
ns.SetAnnotations(annotations)

_, err := cs.CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})

return err
}, 10*time.Second, time.Second).ShouldNot(Succeed())
})

By("restoring a Capsule-managed forbidden-prefix label value on update", func() {
ns := NewNamespace("forbidden-managed-label-value-update", map[string]string{
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

Eventually(func(g Gomega) {
err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns)
g.Expect(err).ToNot(HaveOccurred())
g.Expect(ns.GetLabels()).To(HaveKeyWithValue("managed.projectcapsule.dev/customer", "acme"))
}, defaultTimeoutInterval, time.Second).Should(Succeed())

rbacPatch(ns.GetName())

Eventually(func(g Gomega) {
err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns)
g.Expect(err).ToNot(HaveOccurred())

labels := ns.GetLabels()
if labels == nil {
labels = map[string]string{}
}

labels["managed.projectcapsule.dev/customer"] = "tampered"
ns.SetLabels(labels)

_, err = cs.CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})
g.Expect(err).ToNot(HaveOccurred())
}, defaultTimeoutInterval, time.Second).Should(Succeed())

Eventually(func(g Gomega) {
err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns)
g.Expect(err).ToNot(HaveOccurred())

g.Expect(ns.GetLabels()).To(HaveKeyWithValue("managed.projectcapsule.dev/customer", "acme"))
g.Expect(ns.GetLabels()).To(HaveKeyWithValue("managed.projectcapsule.dev/tenant", tnt.GetName()))
}, defaultTimeoutInterval, time.Second).Should(Succeed())
})

By("restoring a Capsule-managed forbidden-prefix annotation value on update", func() {
ns := NewNamespace("forbidden-managed-annotation-value-update", map[string]string{
meta.TenantLabel: tnt.GetName(),
})

NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())

Eventually(func(g Gomega) {
err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns)
g.Expect(err).ToNot(HaveOccurred())
g.Expect(ns.GetAnnotations()).To(HaveKeyWithValue("managed.projectcapsule.dev/source", "capsule"))
}, defaultTimeoutInterval, time.Second).Should(Succeed())

rbacPatch(ns.GetName())

Eventually(func(g Gomega) {
err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns)
g.Expect(err).ToNot(HaveOccurred())

annotations := ns.GetAnnotations()
if annotations == nil {
annotations = map[string]string{}
}

annotations["managed.projectcapsule.dev/source"] = "tampered"
ns.SetAnnotations(annotations)

_, err = cs.CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})
g.Expect(err).ToNot(HaveOccurred())
}, defaultTimeoutInterval, time.Second).Should(Succeed())

Eventually(func(g Gomega) {
err := k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.GetName()}, ns)
g.Expect(err).ToNot(HaveOccurred())

g.Expect(ns.GetAnnotations()).To(HaveKeyWithValue("managed.projectcapsule.dev/source", "capsule"))
}, defaultTimeoutInterval, time.Second).Should(Succeed())
})
})
})
Loading
Loading