
Add namespace label selector support for reflection#620

Open
davidswimbird wants to merge 6 commits into emberstack:main from davidswimbird:davidswimbird/discussion-409



@davidswimbird davidswimbird commented Mar 25, 2026

Add two new annotations that allow selecting target namespaces by
Kubernetes label selectors instead of only name regex patterns:

  • reflection-allowed-namespaces-selector
  • reflection-auto-namespaces-selector

When both a name-pattern and a label selector annotation are set, a
namespace matches if it satisfies either condition (OR logic). The label
selector supports standard Kubernetes syntax: equality (=, ==, !=),
existence, and set-based (in, notin) expressions.

This is useful when you want to reflect a secret to a subset of non-deterministic namespaces that can't be represented with a regex.

For my use case, it makes the manual overhead of managing reflector a lot smaller, as I can automate the label configuration for my namespaces ahead of time, to know that they will be receiving the secrets when the namespace is created with a specified label.

This is based on the suggestion in: Discussion #409

Add two new annotations that allow selecting target namespaces by
Kubernetes label selectors instead of only name regex patterns:
- reflection-allowed-namespaces-selector
- reflection-auto-namespaces-selector

When both a name-pattern and a label selector annotation are set, a
namespace matches if it satisfies either condition (OR logic). The label
selector supports standard Kubernetes syntax: equality (=, ==, !=),
existence, and set-based (in, notin) expressions.

Closes emberstack#409
@davidswimbird davidswimbird force-pushed the davidswimbird/discussion-409 branch from a75fa1c to a704f21 Compare March 25, 2026 10:42
@winromulus
Contributor

@davidswimbird while I review this, please update the documentation as well (readme)


Copilot AI left a comment


Pull request overview

Adds namespace label selector support to the reflector’s “allowed namespaces” and “auto namespaces” logic, enabling selection of target namespaces via standard Kubernetes label selector syntax in addition to existing name/regex matching.

Changes:

  • Introduces two new reflection annotations for label selectors (allowed/auto namespaces selectors) and wires them into MirroringProperties.
  • Implements label-selector matching (with OR logic vs name-pattern matching) and updates mirroring flows to use V1Namespace when available.
  • Adds unit tests and test helpers for selector behavior; exposes internals to the test project.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| tests/ES.Kubernetes.Reflector.Tests/LabelSelectorMatchTests.cs | Adds unit tests for label selector parsing/matching and OR logic with name patterns. |
| tests/ES.Kubernetes.Reflector.Tests/Additions/ReflectorAnnotationsBuilder.cs | Adds builder helpers for the new selector annotations in tests. |
| src/ES.Kubernetes.Reflector/Mirroring/Core/ResourceMirror.cs | Caches namespaces for selector evaluation and uses V1Namespace overloads for matching. |
| src/ES.Kubernetes.Reflector/Mirroring/Core/MirroringPropertiesExtensions.cs | Parses new annotations, adds selector-aware matching, and implements label selector evaluation. |
| src/ES.Kubernetes.Reflector/Mirroring/Core/MirroringProperties.cs | Adds properties for allowed/auto namespace label selectors. |
| src/ES.Kubernetes.Reflector/Mirroring/Core/Annotations.cs | Adds constants for the new selector annotations. |
| src/ES.Kubernetes.Reflector/ES.Kubernetes.Reflector.csproj | Adds InternalsVisibleTo to allow unit tests to access LabelSelectorMatch. |


Comment thread src/ES.Kubernetes.Reflector/Mirroring/Core/ResourceMirror.cs Outdated
Comment thread tests/ES.Kubernetes.Reflector.Tests/LabelSelectorMatchTests.cs
Comment thread src/ES.Kubernetes.Reflector/Mirroring/Core/MirroringPropertiesExtensions.cs Outdated
Document the new reflection-allowed-namespaces-selector and
reflection-auto-namespaces-selector annotations from emberstack#620.

Invalid or degenerate selectors (e.g. ",", "!", "!=value") previously
produced no valid requirements or empty keys, causing LabelSelectorMatch
to return true and unintentionally allow reflection to all namespaces.
Now returns false when no requirements are parsed or a key is empty.

The namespace cache was only populated on Added events, so label changes
(Modified) left stale entries and deleted namespaces were never evicted.

- Handle Modified: update cache and reconcile auto-reflections (create
  if now matching, delete if no longer matching)
- Handle Deleted: evict cache entry and clean up auto-reflection tracking

Cover unbalanced parentheses, empty set-based expressions, and bare
operators to document that the parser fails closed on all of these.
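
The fail-open case named in the commit messages above, as an added C# example that is not code from this pull request or from the Reflector project: in lenient mode malformed terms are skipped, so a selector such as "," yields no requirements and matches every namespace, while strict mode rejects the whole selector. `SelectorDemo`, `Req`, `Parse`, `Satisfies`, `SelectorMatches`, the simplified key grammar and the sample labels are all assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Added illustration: all names are hypothetical, none comes from the Reflector source.
static class SelectorDemo
{
    record Req(string Key, string Op, string[] Values);
    const string KeyRx = @"([A-Za-z0-9][-A-Za-z0-9_./]*)"; // simplified label-key grammar
    static readonly Regex SetTerm = new("^" + KeyRx + @"\s+(in|notin)\s*\(([^()]*)\)$");
    static readonly Regex EqTerm = new("^" + KeyRx + @"\s*(==|!=|=)\s*([-A-Za-z0-9_.]*)$");
    static readonly Regex ExistsTerm = new(@"^(!?)\s*" + KeyRx + "$");

    // strict: one malformed term rejects the whole selector (null); lenient: the term is skipped.
    // Terms are split on commas that are not inside a "(...)" value list.
    static List<Req>? Parse(string selector, bool strict)
    {
        var reqs = new List<Req>();
        foreach (var term in Regex.Split(selector, @",(?![^()]*\))").Select(t => t.Trim()))
        {
            Match m;
            if ((m = SetTerm.Match(term)).Success && m.Groups[3].Value.Trim().Length > 0)
                reqs.Add(new Req(m.Groups[1].Value, m.Groups[2].Value,
                    m.Groups[3].Value.Split(',').Select(v => v.Trim()).ToArray()));
            else if ((m = EqTerm.Match(term)).Success)
                reqs.Add(new Req(m.Groups[1].Value, m.Groups[2].Value == "!=" ? "notin" : "in",
                    new[] { m.Groups[3].Value }));
            else if ((m = ExistsTerm.Match(term)).Success)
                reqs.Add(new Req(m.Groups[2].Value, m.Groups[1].Value == "!" ? "absent" : "exists",
                    Array.Empty<string>()));
            else if (strict) return null;
        }
        return reqs;
    }
    static bool Satisfies(Req r, IDictionary<string, string> labels)
    {
        var has = labels.TryGetValue(r.Key, out var v);
        return r.Op switch { "exists" => has, "absent" => !has,
            "in" => has && r.Values.Contains(v), _ => !has || !r.Values.Contains(v) }; // notin matches a missing key
    }
    // Lenient mode fails open: All() over an empty requirement list is true.
    public static bool SelectorMatches(string selector, IDictionary<string, string> labels, bool strict = true) =>
        Parse(selector, strict) is { } reqs && reqs.All(r => Satisfies(r, labels));

    static void Main()
    {
        var labels = new Dictionary<string, string> { ["team"] = "payments", ["env"] = "prod" }; // constructed
        foreach (var s in new[] { "team=payments,env in (prod,staging)", "env notin (prod)", ",", "!", "!=value", "env in (prod" })
            Console.WriteLine($"{s,-36} strict={SelectorMatches(s, labels)} lenient={SelectorMatches(s, labels, false)}");
    }
}
```

Because the PR combines the name pattern and the selector with OR, a selector that fails open overrides any restriction the name pattern was meant to impose.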

github-actions bot commented Apr 9, 2026

Automatically marked as stale due to no recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Apr 9, 2026
@davidswimbird
Author

Hey @winromulus. How's the review coming along? :)

@github-actions github-actions bot removed the stale label Apr 10, 2026
@winromulus
Contributor

@davidswimbird a couple of comments left as pending. Can you check those please?

@davidswimbird
Author

@winromulus resolved all comments. They had already been addressed, just didn't want to resolve comments without you having a look :)
