fix permission claim label not updated when selector changes

olamilekan000 · olamilekan000 · commit 75499270aa57 · 2025-11-09T01:36:51.000+01:00
Signed-off-by: olalekan odukoya &lt;odukoyaonline@gmail.com&gt;
diff --git a/pkg/reconciler/apis/permissionclaimlabel/permissionclaimlabel_reconcile.go b/pkg/reconciler/apis/permissionclaimlabel/permissionclaimlabel_reconcile.go
@@ -84,8 +84,11 @@ func (c *controller) reconcile(ctx context.Context, apiBinding *apisv1alpha2.API
 	}
 
 	appliedClaims := sets.New[string]()
+	appliedClaimsMap := make(map[string]apisv1alpha2.ScopedPermissionClaim)
 	for _, claim := range apiBinding.Status.AppliedPermissionClaims {
-		appliedClaims.Insert(setKeyForClaim(claim.PermissionClaim))
+		key := setKeyForClaim(claim.PermissionClaim)
+		appliedClaims.Insert(key)
+		appliedClaimsMap[key] = claim
 	}
 
 	expectedClaims := exportedClaims.Intersection(acceptedClaims)
@@ -94,6 +97,20 @@ func (c *controller) reconcile(ctx context.Context, apiBinding *apisv1alpha2.API
 	needToRemove := appliedClaims.Difference(acceptedClaims)
 	allChanges := needToApply.Union(needToRemove)
 
+	for key := range expectedClaims {
+		if acceptedClaims.Has(key) && appliedClaims.Has(key) {
+			acceptedClaim := acceptedClaimsMap[key]
+			appliedClaim := appliedClaimsMap[key]
+			if !selectorsEqual(acceptedClaim.Selector, appliedClaim.Selector) {
+				allChanges.Insert(key)
+
+				logger.V(4).Info("detected selector change for claim", "claim", key,
+					"oldSelector", appliedClaim.Selector,
+					"newSelector", acceptedClaim.Selector)
+			}
+		}
+	}
+
 	logger.V(4).Info("claim set details",
 		"expected", expectedClaims,
 		"unexpected", unexpectedClaims,
@@ -289,3 +306,65 @@ func (c *controller) patchGenericObject(ctx context.Context, obj metav1.Object,
 	}
 	return nil
 }
+
+// selectorsEqual compares two PermissionClaimSelector objects to determine if they are equal.
+// This is needed to detect when only the selector changes (not the claim key).
+func selectorsEqual(a, b apisv1alpha2.PermissionClaimSelector) bool {
+	// Compare MatchAll first
+	if a.MatchAll != b.MatchAll {
+		return false
+	}
+
+	// If both are MatchAll, they're equal
+	if a.MatchAll && b.MatchAll {
+		return true
+	}
+
+	// Compare MatchLabels
+	if len(a.MatchLabels) != len(b.MatchLabels) {
+		return false
+	}
+	for k, v := range a.MatchLabels {
+		if b.MatchLabels[k] != v {
+			return false
+		}
+	}
+
+	// Compare MatchExpressions
+	if len(a.MatchExpressions) != len(b.MatchExpressions) {
+		return false
+	}
+	// Compare each expression individually
+	aExprs := make(map[string]metav1.LabelSelectorRequirement)
+	for _, expr := range a.MatchExpressions {
+		key := fmt.Sprintf("%s:%s", expr.Key, string(expr.Operator))
+		aExprs[key] = expr
+	}
+	for _, expr := range b.MatchExpressions {
+		key := fmt.Sprintf("%s:%s", expr.Key, string(expr.Operator))
+		if aExpr, ok := aExprs[key]; !ok {
+			return false
+		} else if !matchExpressionEqual(aExpr, expr) {
+			return false
+		}
+	}
+
+	return true
+}
+
+// matchExpressionEqual compares two LabelSelectorRequirement objects.
+func matchExpressionEqual(a, b metav1.LabelSelectorRequirement) bool {
+	if a.Key != b.Key {
+		return false
+	}
+	if a.Operator != b.Operator {
+		return false
+	}
+	if len(a.Values) != len(b.Values) {
+		return false
+	}
+	// Compare values as sets (order doesn't matter)
+	aValues := sets.New(a.Values...)
+	bValues := sets.New(b.Values...)
+	return aValues.Equal(bValues)
+}
