update allowed namespaces type in AzureClusterIdentity

api/v1alpha3/azureclusteridentity_conversion.go

@@ -0,0 +1,87 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	apiconversion "k8s.io/apimachinery/pkg/conversion"
+	infrav1alpha4 "sigs.k8s.io/cluster-api-provider-azure/api/v1alpha4"
+	utilconversion "sigs.k8s.io/cluster-api/util/conversion"
+	"sigs.k8s.io/controller-runtime/pkg/conversion"
+)
+
+// ConvertTo converts this AzureCluster to the Hub version (v1alpha4).
+func (src *AzureClusterIdentity) ConvertTo(dstRaw conversion.Hub) error { // nolint
+	dst := dstRaw.(*infrav1alpha4.AzureClusterIdentity)
+	if err := Convert_v1alpha3_AzureClusterIdentity_To_v1alpha4_AzureClusterIdentity(src, dst, nil); err != nil {
+		return err
+	}
+
+	// Manually restore data.
+	restored := &infrav1alpha4.AzureClusterIdentity{}
+	if ok, err := utilconversion.UnmarshalData(src, restored); err != nil || !ok {
+		return err
+	}
+
+	if len(src.Spec.AllowedNamespaces) > 0 {
+		dst.Spec.AllowedNamespaces = &infrav1alpha4.AllowedNamespaces{}
+		for _, ns := range src.Spec.AllowedNamespaces {
+			dst.Spec.AllowedNamespaces.NamespaceList = append(dst.Spec.AllowedNamespaces.NamespaceList, ns)
+		}
+		dst.Spec.AllowedNamespaces.Selector = restored.Spec.AllowedNamespaces.Selector
+	}
+
+	return nil
+}
+
+// ConvertFrom converts from the Hub version (v1alpha4) to this version.
+func (dst *AzureClusterIdentity) ConvertFrom(srcRaw conversion.Hub) error { // nolint
+	src := srcRaw.(*infrav1alpha4.AzureClusterIdentity)
+	if err := Convert_v1alpha4_AzureClusterIdentity_To_v1alpha3_AzureClusterIdentity(src, dst, nil); err != nil {
+		return err
+	}
+
+	// Preserve Hub data on down-conversion.
+	if err := utilconversion.MarshalData(src, dst); err != nil {
+		return err
+	}
+
+	if src.Spec.AllowedNamespaces != nil {
+		for _, ns := range src.Spec.AllowedNamespaces.NamespaceList {
+			dst.Spec.AllowedNamespaces = append(dst.Spec.AllowedNamespaces, ns)
+		}
+	}
+
+	return nil
+}
+
+// Convert_v1alpha3_AzureClusterIdentitySpec_To_v1alpha4_AzureClusterIdentitySpec.
+func Convert_v1alpha3_AzureClusterIdentitySpec_To_v1alpha4_AzureClusterIdentitySpec(in *AzureClusterIdentitySpec, out *infrav1alpha4.AzureClusterIdentitySpec, s apiconversion.Scope) error { //nolint
+	if err := autoConvert_v1alpha3_AzureClusterIdentitySpec_To_v1alpha4_AzureClusterIdentitySpec(in, out, s); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Convert_v1alpha4_AzureClusterIdentitySpec_To_v1alpha3_AzureClusterIdentitySpec
+func Convert_v1alpha4_AzureClusterIdentitySpec_To_v1alpha3_AzureClusterIdentitySpec(in *infrav1alpha4.AzureClusterIdentitySpec, out *AzureClusterIdentitySpec, s apiconversion.Scope) error { //nolint
+	if err := autoConvert_v1alpha4_AzureClusterIdentitySpec_To_v1alpha3_AzureClusterIdentitySpec(in, out, s); err != nil {
+		return err
+	}
+
+	return nil
+}

api/v1alpha4/azureclusteridentity_conversion.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha4
+
+// Hub marks AzureClusterIdentity as a conversion hub.
+func (*AzureClusterIdentity) Hub() {}
+
+// Hub marks AzureClusterIdentityList as a conversion hub.
+func (*AzureClusterIdentityList) Hub() {}

api/v1alpha4/azureclusteridentity_types.go

@@ -22,6 +22,25 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha4"
 )
 
+// AllowedNamespaces defines the namespaces the clusters are allowed to use the identity from
+// NamespaceList takes precedence over the Selector
+type AllowedNamespaces struct {
+	// A nil or empty list indicates that AzureCluster cannot use the identity from any namespace.
+	//
+	// +optional
+	// +nullable
+	NamespaceList []string `json:"list"`
+	// Selector is a selector of namespaces that AzureCluster can
+	// use this Identity from. This is a standard Kubernetes LabelSelector,
+	// a label query over a set of resources. The result of matchLabels and
+	// matchExpressions are ANDed.
+	//
+	// A nil or empty selector indicates that AzureCluster cannot use this
+	// AzureClusterIdentity from any namespace.
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector"`
+}
+
 // AzureClusterIdentitySpec defines the parameters that are used to create an AzureIdentity
 type AzureClusterIdentitySpec struct {
 	// UserAssignedMSI or Service Principal
@@ -36,14 +55,15 @@ type AzureClusterIdentitySpec struct {
 	ClientSecret corev1.SecretReference `json:"clientSecret,omitempty"`
 	// Service principal primary tenant id.
 	TenantID string `json:"tenantID"`
-	// AllowedNamespaces is an array of namespaces that AzureClusters can
-	// use this Identity from.
+	// AllowedNamespaces is used to identify the namespaces the clusters are allowed to use the identity from.
+	// Namespaces can be selected either using an array of namespaces or with label selector.
+	// An empty allowedNamespaces object indicates that AzureClusters can use this identity from any namespace.
+	// If this object is nil, no namespaces will be allowed (default behaviour, if this field is not provided)
+	// A namespace should be either in the NamespaceList or match with Selector to use the identity.
 	//
-	// An empty list (default) indicates that AzureClusters can use this
-	// Identity from any namespace. This field is intentionally not a
-	// pointer because the nil behavior (no namespaces) is undesirable here.
 	// +optional
-	AllowedNamespaces []string `json:"allowedNamespaces"`
+	// +nullable
+	AllowedNamespaces *AllowedNamespaces `json:"allowedNamespaces"`
 }
 
 // AzureClusterIdentityStatus defines the observed state of AzureClusterIdentity
@@ -86,20 +106,6 @@ func (c *AzureClusterIdentity) SetConditions(conditions clusterv1.Conditions) {
 	c.Status.Conditions = conditions
 }
 
-// ClusterNamespaceAllowed indicates if the cluster namespace is allowed
-func (c *AzureClusterIdentity) ClusterNamespaceAllowed(namespace string) bool {
-	if len(c.Spec.AllowedNamespaces) == 0 {
-		return true
-	}
-	for _, v := range c.Spec.AllowedNamespaces {
-		if v == namespace {
-			return true
-		}
-	}
-
-	return false
-}
-
 func init() {
 	SchemeBuilder.Register(&AzureClusterIdentity{}, &AzureClusterIdentityList{})
 }