Add namespace scoped ParametersReference to IngressClass

[hbagdi]

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

This PR adds two new field Scope and Namespace to IngressClass.spec.Parameters (feature gated).

Which issue(s) this PR fixes:

Fixes #97396

Does this PR introduce a user-facing change?

IngressClass resource can now reference a resource in a specific namespace 
for implementation-specific configuration(previously only Cluster-level resources were allowed). 
This feature can be enabled using the IngressClassNamespacedParams feature gate.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

• KEP
• Enhancement issue

/sig network
/cc @robscott
/priority important-soon

[robscott]

Thanks for your work on this @hbagdi! I took a quick look at this and I think you're headed in the right direction, just a few comments but likely missed some things. Will try to take a more thorough look later this week.

[robscott]

Although I know this has been done in validation (including by me), I think the proper way to do this is in strategy like what NetworkPolicy is doing (https://github.com/kubernetes/kubernetes/blob/master/pkg/registry/networking/networkpolicy/strategy.go#L52)

[hbagdi]

@robscott I tried taking up the strategy route but ran into a problem in validation code:
Scope is a new field with a default value. If Scope is force reset in strategy and validation package performs validation on the field, then the validation fails because Scope is an empty string.
We can update the validation code to run only if Scope is not empty but that doesn't seem correct.

[hbagdi]

I went ahead and updated the code as per #97058 with one exception that validation for Scope field is feature gated. Does that seem reasonable?

[hbagdi]

/retest

[robscott]

Thanks for all your work on this!

[hbagdi]

@thockin Thanks for the review. I've updated the PR, except #99275 (comment), where I've a question. PTAL when you get a chance.

[thockin]

minor: We're adding a +featureGate=IngressClassNamespacedParams tag for gated fields, which would be both of these

[hbagdi]

A quick grep revealed no prior art.
I added the tag here as well as in k8s.io/api/networking/*. Let me know if we only need this in pkg/apis.

[thockin]

We really only needed in the versioned files, but most people sync those comments to the unversioned

[thockin]

minor: you could make this named and typed for the Params struct, so you don't need the additional nil-check (I think)

[hbagdi]

Tried but this didn't work. I'm not familiar with codegen here but based on some reading of a few zz_generated.defaults.go that's not the case.
Furthermore, scheme.AddTypeDefaultingFunc() requires a type which implements runtime.Object.

[hbagdi]

/test pull-kubernetes-unit
/test pull-kubernetes-e2e-ubuntu-gce-network-policies

[thockin]

We really only needed in the versioned files, but most people sync those comments to the unversioned

[thockin]

nit: the last arg should be "" - the field name and error are encoded in the type

[hbagdi]

Thanks for this comment. I came to the same conclusion but then my confidence gave way to the code already in this file. Changing it back.

[thockin]

minor: the downside of using DerefOr is that you will return a "required" error when you should return an "invalid". If the user went out of their way to specify namespace: "" that is different than not specifying anything (nil)

[thockin]

DerefOr is OK for scope because you check the set of allowed values

[hbagdi]

I got rid off DerefOr for namespace.

[thockin]

last arg should be (note the quoting)

"`parameters.scope` is set to 'Namespace'"

[thockin]

last arg should be

"`parameters.scope` is set to 'Cluster'"

[thockin]

The rest of the human-friendly error will be assembed from the error type and field path

[thockin]

Even worse than above, this will allow a user to set scope: Cluster and namespace: "" and it will pass validation. namespace must be nil, not "".

[thockin]

Add another - same this case but set namespace to "" - it should fail

[thockin]

I can't find anything left to complain about. No fun!

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hbagdi, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• api/OWNERS [thockin]
• pkg/apis/networking/OWNERS [thockin]
• pkg/features/OWNERS [thockin]
• pkg/printers/OWNERS [thockin]
• pkg/registry/OWNERS [thockin]
• staging/src/k8s.io/api/OWNERS [thockin]
• staging/src/k8s.io/client-go/OWNERS [thockin]
• staging/src/k8s.io/kubectl/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hbagdi]

@thockin @robscott Could I get a /lgtm again? I had to rebase due to a conflict in pkg/features/kube_features.go.

[robscott]

/lgtm

[hbagdi]

/test pull-kubernetes-e2e-kind-ipv6

[k8s-ci-robot]

@hbagdi: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-kubernetes-integration	a7fc920	link	/test pull-kubernetes-integration

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[robscott]

/retest