From 52b0b6c88816f8185af9c53f776021a65951187b Mon Sep 17 00:00:00 2001
From: Marcin Skalski <skalskimarcin33@gmail.com>
Date: Fri, 24 Jan 2025 09:46:20 +0100
Subject: [PATCH 1/2] feat(kuma-cp): deprecate MeshSubset kind in top level
 targetRef

Fix: #12362
Signed-off-by: Marcin Skalski <skalskimarcin33@gmail.com>
---
 pkg/plugins/policies/core/jsonpatch/validators/validator.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/plugins/policies/core/jsonpatch/validators/validator.go b/pkg/plugins/policies/core/jsonpatch/validators/validator.go
index 02877f40251d..93495bd991aa 100644
--- a/pkg/plugins/policies/core/jsonpatch/validators/validator.go
+++ b/pkg/plugins/policies/core/jsonpatch/validators/validator.go
@@ -128,5 +128,10 @@ func TopLevelTargetRefDeprecations(targetRef *common_api.TargetRef) []string {
 			fmt.Sprintf("%s value for 'targetRef.kind' is deprecated, use %s with '%s' tag instead", common_api.MeshService, common_api.MeshSubset, mesh_proto.ServiceTag),
 		}
 	}
+	if targetRef.Kind == common_api.MeshSubset {
+		return []string{
+			fmt.Sprintf("%s value for 'targetRef.kind' is deprecated, use %s with labels instead", common_api.MeshSubset, common_api.Dataplane),
+		}
+	}
 	return nil
 }

From af7c3a87572605c738e2a079ef15471f4a364ed5 Mon Sep 17 00:00:00 2001
From: Marcin Skalski <skalskimarcin33@gmail.com>
Date: Tue, 28 Jan 2025 09:01:23 +0100
Subject: [PATCH 2/2] feat(kuma-cp): add test

Signed-off-by: Marcin Skalski <skalskimarcin33@gmail.com>
---
 ...n-global-mesh-subset.federated.golden.yaml | 15 ++++++++++++++
 ...igin-global-mesh-subset.global.golden.yaml |  8 ++++++++
 ...te_mt-origin-global-mesh-subset.input.yaml | 20 +++++++++++++++++++
 ...obal-mesh-subset.non-federated.golden.yaml |  8 ++++++++
 4 files changed, 51 insertions(+)
 create mode 100644 pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.federated.golden.yaml
 create mode 100644 pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.global.golden.yaml
 create mode 100644 pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.input.yaml
 create mode 100644 pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.non-federated.golden.yaml

diff --git a/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.federated.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.federated.golden.yaml
new file mode 100644
index 000000000000..f6525551e3e7
--- /dev/null
+++ b/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.federated.golden.yaml
@@ -0,0 +1,15 @@
+Patches: null
+allowed: false
+status:
+  code: 403
+  details:
+    causes:
+    - field: metadata.labels[kuma.io/origin]
+      message: cannot be empty
+      reason: FieldValueInvalid
+  message: Operation not allowed. Applying policies on Zone CP requires 'kuma.io/origin'
+    label to be set to 'zone'.
+  metadata: {}
+  reason: Forbidden
+  status: Failure
+uid: "12345"
diff --git a/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.global.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.global.golden.yaml
new file mode 100644
index 000000000000..f85dfae8b8fc
--- /dev/null
+++ b/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.global.golden.yaml
@@ -0,0 +1,8 @@
+Patches: null
+allowed: true
+status:
+  code: 200
+  metadata: {}
+uid: "12345"
+warnings:
+- MeshSubset value for 'targetRef.kind' is deprecated, use Dataplane with labels instead
diff --git a/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.input.yaml b/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.input.yaml
new file mode 100644
index 000000000000..41530fa24142
--- /dev/null
+++ b/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.input.yaml
@@ -0,0 +1,20 @@
+# user=cli-user,operation=CREATE,namespace=kuma-system
+apiVersion: kuma.io/v1alpha1
+kind: MeshTimeout
+metadata:
+  name: backend-v3
+  labels:
+    kuma.io/origin: global
+    kuma.io/mesh: default
+spec:
+  targetRef:
+    kind: MeshSubset
+    tags:
+      app: demo-app
+  to:
+    - targetRef:
+        kind: Mesh
+      default:
+        http:
+          requestTimeout: 19s
+          streamIdleTimeout: 1h
diff --git a/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.non-federated.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.non-federated.golden.yaml
new file mode 100644
index 000000000000..f85dfae8b8fc
--- /dev/null
+++ b/pkg/plugins/runtime/k8s/webhooks/testdata/validation/cli-user_create_mt-origin-global-mesh-subset.non-federated.golden.yaml
@@ -0,0 +1,8 @@
+Patches: null
+allowed: true
+status:
+  code: 200
+  metadata: {}
+uid: "12345"
+warnings:
+- MeshSubset value for 'targetRef.kind' is deprecated, use Dataplane with labels instead