squash! feat: add expression support to workloadSelector (#57)

controllers/authzctrl/reconcile_authpolicy.go

@@ -29,11 +29,10 @@ func (r *Controller) reconcileAuthPolicy(ctx context.Context, target *unstructur
 	found := &istiosecurityv1beta1.AuthorizationPolicy{}
 	justCreated := false
 
-	err = r.Get(ctx, types.NamespacedName{
+	typeName := types.NamespacedName{
 		Name:      desired.Name,
-		Namespace: desired.Namespace,
-	}, found)
-	if err != nil {
+		Namespace: desired.Namespace}
+	if errGet := r.Get(ctx, typeName, found); errGet != nil {
 		if k8serr.IsNotFound(err) {
 			errCreate := r.Create(ctx, desired)
 			if client.IgnoreAlreadyExists(errCreate) != nil {
@@ -42,7 +41,7 @@ func (r *Controller) reconcileAuthPolicy(ctx context.Context, target *unstructur
 
 			justCreated = true
 		} else {
-			return fmt.Errorf("unable to fetch AuthorizationPolicy: %w", err)
+			return fmt.Errorf("unable to fetch AuthorizationPolicy: %w", errGet)
 		}
 	}
 

pkg/platform/types.go

@@ -31,6 +31,10 @@ type ProtectedResource struct {
 	ObjectReference `json:"ref,omitempty"`
 	// WorkloadSelector defines labels used to identify and select the specific workload
 	// to which the authorization policy should be applied.
+	// All provided label selectors must be present on the Service to find a match.
+	//
+	// go expressions are handled in the selector key and value to set dynamic values from the current ObjectReference;
+	// e.g. "routing.opendatahub.io/{{.kind}}": "{{.metadata.name}}", // > "routing.opendatahub.io/Service": "MyService"
 	WorkloadSelector map[string]string `json:"workloadSelector,omitempty"`
 	// HostPaths defines paths in custom resource where hosts for this component are defined.
 	HostPaths []string `json:"hostPaths,omitempty"` // TODO(mvp): should we switch to annotations like in routing?