proposal change for clusterset api

Signed-off-by: ldpliu <[email protected]>

Author: ldpliu

enhancements/sig-architecture/30-clusterset-override/README.md

@@ -30,7 +30,7 @@ So, In this proposal, we change the managedClusterSets spec and want to provide
 
 ```go
 type ManagedClusterSetSpec struct {
-    // Selector represents a selector of ManagedClusters by labels and names.
+    // Selector represents a selector of ManagedClusters.
     ClusterSelector ManagedClusterSelector  `json:"clusterSelector"`
 }
 
@@ -324,72 +324,96 @@ Currently, managedClusterSet has three consumers: [placement](https://github.com
 
 So we could finish the migration by four steps, and step 1 and step 2 will be finished in OCM 0.7.0. and step 3 and step 4 will be finished in OCM 0.8.0
 
-1. [Implement in OCM 0.7.0]Update the managedClusterSet API which only includes an exclusive way to select target managedClusters.
+1. [Implement in OCM 0.7.0]Update the managedClusterSet API which only includes "LegacyClusterSetLabel" in clusterSelector.
 
 ```go
+// ManagedClusterSetSpec describes the attributes of the ManagedClusterSet
 type ManagedClusterSetSpec struct {
-    // Selector represents a selector of ManagedClusters by labels and names.
+	// ClusterSelector represents a selector of ManagedClusters
+	// +optional
+	// +kubebuilder:default:={selectorType: LegacyClusterSetLabel}
+	ClusterSelector ManagedClusterSelector `json:"clusterSelector,omitempty"`
+}
+
+// ManagedClusterSelector represents a selector of ManagedClusters
+type ManagedClusterSelector struct {
+	// SelectorType could only be "LegacyClusterSetLabel" now, will support more SelectorType later
+	// "LegacyClusterSetLabel" means to use label "cluster.open-cluster-management.io/clusterset:<ManagedClusterSet Name>"" to select target clusters.
+	// +kubebuilder:validation:Enum=LegacyClusterSetLabel
+	// +kubebuilder:default:=LegacyClusterSetLabel
+	// +required
+	SelectorType SelectorType `json:"selectorType,omitempty"`
+}
+
+type SelectorType string
+
+const (
+	LegacyClusterSetLabel SelectorType = "LegacyClusterSetLabel"
+)
+```
+
+2. [Implement in OCM 0.7.0]`multicloud-operators-foundation`, `submariner-addon`, `placement` change the code to integrate with new managedClusterSet api
+
+  a. `multicloud-operators-foundation` uses managedClusterSet for resource group purpose. So it should only watch the following managedClusterSets:
+  - `spec.ClusterSelector.SelectorType` is `LegacyClusterSetLabel`
+
+  b. `submariner-addon` uses managedClusterSet group clusters based on the network. And in different managedClusterSet, the clusters should be exclusive. So it should only watch the following managedClusterSet:
+  - `spec.ClusterSelector.SelectorType` is `LegacyClusterSetLabel`
+
+  c. `placement` using new `ClusterSelector` to select target clusters.
+
+3. [Implement in OCM 0.8.0] Update full managedClusterSet api and RBAC
+```go
+type ManagedClusterSetSpec struct {
+    // Selector represents a selector of ManagedClusters.
     ClusterSelector ManagedClusterSelector  `json:"clusterSelector"`
 }
 
 type ManagedClusterSelector struct{
     // "" means to use the current mechanism of matching label <cluster.open-cluster-management.io/clusterset:<ManagedClusterSet Name>.
-    // (future) "LabelSelector" means to use the LabelSelector to select target managedClusters
+   	// "LegacyClusterSetLabel" means to use label "cluster.open-cluster-management.io/clusterset:<ManagedClusterSet Name>"" to select target clusters.
+    // "LabelSelector" means to use the LabelSelector to select target managedClusters
     // "ExclusiveLabel" means to use a particular cluster label. It is guaranteed that clustersets with same label key are exclusive with each others
     // +optional
     SelectorType SelectorType `json:"selectorType"`
 
     // ExclusiveLabel defines one label which clusterset could use to select target managedClusters. In this way, we will:
     // 1. Guarantee clustersets with same label key are exclusive
     // 2. Enable additional permission check when cluster joining/leaving a clusterset (the label key should start with the reserved prefix "cluster.open-cluster-management.io/" and "info.open-cluster-management.io/");
-    ExclusiveLabel *ExclusiveLabel `json:"exclusiveLabel"`
+    ExclusiveLabel *ManagedClusterLabel `json:"exclusiveLabel"`
+
+    // LabelSelector define the general labelSelector which clusterset will use to select target managedClusters
+    LabelSelector *metav1.LabelSelector `json:"labelSelector"`
 }
 
 type SelectorType string
 
 const (
+    LabelSelector         SelectorType = "LabelSelector"
     ExclusiveLabel        SelectorType = "ExclusiveLabel"
+    LegacyClusterSetLabel SelectorType = "LegacyClusterSetLabel"
 )
 
-//ExclusiveLabel defines one cluster label
-type ExclusiveLabel struct {
-    //Key is "cluster.open-cluster-management.io/clusterset" by default and can only be cluster.open-cluster-management.io/
+//ManagedClusterLabel defines one label
+type ManagedClusterLabel struct {
     Key string `json:"key"`
-    //Value can only be empty or the name of the clusterset.
     Value string `json:"value"`
 }
 ```
 
-- `LabelSelector` will not be included
-- `ExclusiveLabel.Key` must be `cluster.open-cluster-management.io/clusterset` and `ExclusiveLabel.Value` must be `ManagedClusterset Name`    
-- Both `managedclusterset/join` and `managedclusters/label` permission will be supported
+- Support both `join` and `label` permission
 
-2. [Implement in OCM 0.7.0]`multicloud-operators-foundation`, `submariner-addon`, `placement` change the code to integrate with new managedClusterSet api
+4. [Implement in OCM 0.8.0] `multicloud-operators-foundation`, `submariner-addon`, `placement` change the code to integrate with new managedClusterSet api
 
   a. `multicloud-operators-foundation` uses managedClusterSet for resource group purpose. So it should only watch the following managedClusterSets:
-  - `spec.ClusterSelector.SelectorType` is `ExclusiveLabel` and the `ExclusiveLabel.Key` must be `cluster.open-cluster-management.io/clusterset`
-  - `spec.ClusterSelector.SelectorType` is ""
-
-  b. `multicloud-operators-foundation` gives the users `join` permission to a managedClusterSet if the user has "admin" permission to the managedClusterSet. So the `join` permission should be changed with the following rule:
-    ```yaml
-    - apiGroups: ["cluster.open-cluster-management.io"]
-      resources: ["managedclusters/label"]
-      resourceNames: ["cluster.open-cluster-management.io/clusterset:<ManagedClusterSet Name>"]
-      verbs: ["create"]
-    ```
+  - `spec.ClusterSelector.SelectorType` is `LegacyClusterSetLabel`
+  - `spec.ClusterSelector.SelectorType` is `ExclusiveLabel` and `spec.ClusterSelector.ExclusiveLabel.Key` is `cluster.open-cluster-management.io/clusterset`, value is `ManagedClusterSet Name`
 
-  c. `submariner-addon` uses managedClusterSet group clusters based on the network. And in different managedClusterSet, the clusters should be exclusive. So it should only watch the following managedClusterSet:
-  - `spec.ClusterSelector.SelectorType` is `ExclusiveLabel` and the `ExclusiveLabel.Key` must be `cluster.open-cluster-management.io/clusterset`, the `ExclusiveLabel.Value` must be managedClusterSet name.
-  - `spec.ClusterSelector.SelectorType` is ""
-
-  d. `placement` using new `ClusterSelector` to select target clusters.
-
-3. [Implement in OCM 0.8.0] Update full managedClusterSet api and RBAC
-- Include `LabelSelector`
-- Take off the restriction for “ExclusiveLabel.Key” and “ExclusiveLabel.Value”
-- Deprecate `managedclusterset/join` permission
+  b. `submariner-addon` uses managedClusterSet group clusters based on the network. And in different managedClusterSet, the clusters should be exclusive. So it should only watch the following managedClusterSet:
+  - `spec.ClusterSelector.SelectorType` is `LegacyClusterSetLabel`
+  - `spec.ClusterSelector.SelectorType` is `ExclusiveLabel` and `spec.ClusterSelector.ExclusiveLabel.Key` is `cluster.open-cluster-management.io/clusterset`, value is `ManagedClusterSet Name`
 
-4. [Implement in OCM 0.8.0] `placement` uses the new managedClusterSet api to select managedClusters for each managedClusterSet.
+  c. `placement` using new `ClusterSelector` to select target clusters.
 
 ## Upgrade / Downgrade Strategy 
 The new api is compatible with the previous version. So there is no external work needed when upgrading

enhancements/sig-architecture/30-clusterset-override/metadata.yaml

@@ -9,5 +9,5 @@ approvers:
   - "@elgnay"
   - "@deads2k"
 creation-date: 2021-11-30
-last-updated: 2022-02-24
+last-updated: 2022-04-13
 status: provisional