
use CEL for validation
use CEL to validate the CR
fields as it has multiple
advantages over webhooks and
it is already beta from 1.25 onwards and
going to be GA in 1.29

More details about it at
https://kubernetes.io/blog/2022/09/29/\
enforce-immutability-using-cel/

Signed-off-by: Madhu Rajanna <[email protected]>
Madhu-1 committed Sep 21, 2023
1 parent 7a8345b commit f63ea38
Showing 12 changed files with 94 additions and 0 deletions.
4 changes: 4 additions & 0 deletions apis/csiaddons/v1alpha1/csiaddonsnode_types.go
Expand Up @@ -36,6 +36,8 @@ type CSIAddonsNodeDriver struct {
// This must be the same name returned by the CSI-Addons GetIdentity()
// call for that driver. The name of the driver is in the format:
// `example.csi.ceph.com`
// +kubebuilder:validation:Required
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable"
Name string `json:"name"`

// EndPoint is url that contains the ip-address to which the CSI-Addons
Expand All @@ -44,6 +46,8 @@ type CSIAddonsNodeDriver struct {

// NodeID is the ID of the node to identify on which node the side-car
// is running.
// +kubebuilder:validation:Required
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="nodeID is immutable"
NodeID string `json:"nodeID"`
}

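Review bot: The Name and NodeID descriptions still do not say the field is immutable, so a user only discovers it from the CEL rejection message at update time; since these comments become the `description` in the generated CRD and `kubectl explain`, add `// This field is immutable once the CSIAddonsNode has been created.` under each description (the same gap exists for driver and parameters in networkfence_types.go, persistentVolumeClaim in reclaimspacejob_types.go, and volumeReplicationClass, dataSource, provisioner and parameters in the two volumereplication type files). Note also that the transition rule is enforced only by API servers that support CRD validation rules (beta from 1.25 per the commit message); on older clusters the generated `x-kubernetes-validations` entries are, as far as I can tell, dropped or ignored at CRD install, so any existing controller-side immutability check should not be removed in reliance on these markers. The CSIAddonsNodeDriver struct starts before the first hunk and continues past the second.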
7 changes: 7 additions & 0 deletions apis/csiaddons/v1alpha1/networkfence_types.go
Expand Up @@ -40,20 +40,26 @@ const (
FencingOperationResultFailed FencingOperationResult = "Failed"
)

// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="secret is immutable"
// SecretSpec defines the secrets to be used for the network fencing operation.
type SecretSpec struct {
// Name specifies the name of the secret.
// +kubebuilder:validation:Optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable"
Name string `json:"name,omitempty"`

// Namespace specifies the namespace in which the secret
// is located.
// +kubebuilder:validation:Optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="namespace is immutable"
Namespace string `json:"namespace,omitempty"`
}

// NetworkFenceSpec defines the desired state of NetworkFence
type NetworkFenceSpec struct {
// Driver contains the name of CSI driver.
// +kubebuilder:validation:Required
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="driver is immutable"
Driver string `json:"driver"`

// FenceState contains the desired state for the CIDRs
Expand All @@ -71,6 +77,7 @@ type NetworkFenceSpec struct {
Secret SecretSpec `json:"secret,omitempty"`

// Parameters is used to pass additional parameters to the CSI driver.
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="parameters are immutable"
Parameters map[string]string `json:"parameters,omitempty"`
}

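Review bot: The rules on the `omitempty` fields (secret name, secret namespace, parameters) are set-once rather than immutable-from-creation: as I read the CEL transition-rule semantics, `self == oldSelf` is not evaluated when the field has no value in the stored object, so a NetworkFence created without them can still have them filled in on a later update, and the same holds for TargetSpec.PersistentVolumeClaim in reclaimspacejob_types.go and VolumeReplicationClassSpec.Parameters. If "cannot be added later" is intended, a `+kubebuilder:validation:Required` marker or a non-transition rule is needed; otherwise state the weaker contract in the description, e.g. `// Once set, this field cannot be changed.` Whether the type-level `secret is immutable` rule also blocks adding the inner fields depends on whether the client stored `secret: {}` at creation (Go's `omitempty` does not omit an empty struct), which makes its behaviour client-dependent and worth a comment. Minor style point: the marker on the line above `// SecretSpec defines ...` should follow the description sentence, as every other marker in this file does.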
1 change: 1 addition & 0 deletions apis/csiaddons/v1alpha1/reclaimspacejob_types.go
Expand Up @@ -36,6 +36,7 @@ const (
// performed.
type TargetSpec struct {
// PersistentVolumeClaim specifies the target PersistentVolumeClaim name.
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="persistentVolumeClaim is immutable"
PersistentVolumeClaim string `json:"persistentVolumeClaim,omitempty"`
}

2 changes: 2 additions & 0 deletions apis/replication.storage/v1alpha1/volumereplication_types.go
Expand Up @@ -58,6 +58,7 @@ const (
type VolumeReplicationSpec struct {
// VolumeReplicationClass is the VolumeReplicationClass name for this VolumeReplication resource
// +kubebuilder:validation:Required
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="volumeReplicationClass is immutable"
VolumeReplicationClass string `json:"volumeReplicationClass"`

// ReplicationState represents the replication operation to be performed on the volume.
Expand All @@ -67,6 +68,7 @@ type VolumeReplicationSpec struct {

// DataSource represents the object associated with the volume
// +kubebuilder:validation:Required
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="dataSource is immutable"
DataSource corev1.TypedLocalObjectReference `json:"dataSource"`

// AutoResync represents the volume to be auto resynced when
Expand Up @@ -26,10 +26,12 @@ import (
type VolumeReplicationClassSpec struct {
// Provisioner is the name of storage provisioner
// +kubebuilder:validation:Required
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="provisioner is immutable"
Provisioner string `json:"provisioner"`
// Parameters is a key-value map with storage provisioner specific configurations for
// creating volume replicas
// +kubebuilder:validation:Optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="parameters are immutable"
Parameters map[string]string `json:"parameters,omitempty"`
}

6 changes: 6 additions & 0 deletions config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml
Expand Up @@ -64,10 +64,16 @@ spec:
GetIdentity() call for that driver. The name of the driver is
in the format: `example.csi.ceph.com`'
type: string
x-kubernetes-validations:
- message: name is immutable
rule: self == oldSelf
nodeID:
description: NodeID is the ID of the node to identify on which
node the side-car is running.
type: string
x-kubernetes-validations:
- message: nodeID is immutable
rule: self == oldSelf
required:
- endpoint
- name
15 changes: 15 additions & 0 deletions config/crd/bases/csiaddons.openshift.io_networkfences.yaml
Expand Up @@ -59,6 +59,9 @@ spec:
driver:
description: Driver contains the name of CSI driver.
type: string
x-kubernetes-validations:
- message: driver is immutable
rule: self == oldSelf
fenceState:
default: Fenced
description: FenceState contains the desired state for the CIDRs mentioned
Expand All @@ -73,18 +76,30 @@ spec:
description: Parameters is used to pass additional parameters to the
CSI driver.
type: object
x-kubernetes-validations:
- message: parameters are immutable
rule: self == oldSelf
secret:
description: Secret is a kubernetes secret, which is required to perform
the fence/unfence operation.
properties:
name:
description: Name specifies the name of the secret.
type: string
x-kubernetes-validations:
- message: name is immutable
rule: self == oldSelf
namespace:
description: Namespace specifies the namespace in which the secret
is located.
type: string
x-kubernetes-validations:
- message: namespace is immutable
rule: self == oldSelf
type: object
x-kubernetes-validations:
- message: secret is immutable
rule: self == oldSelf
required:
- cidrs
- driver
Expand Up @@ -113,6 +113,9 @@ spec:
description: PersistentVolumeClaim specifies the target
PersistentVolumeClaim name.
type: string
x-kubernetes-validations:
- message: persistentVolumeClaim is immutable
rule: self == oldSelf
type: object
timeout:
description: Timeout specifies the timeout in seconds for
3 changes: 3 additions & 0 deletions config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml
Expand Up @@ -79,6 +79,9 @@ spec:
description: PersistentVolumeClaim specifies the target PersistentVolumeClaim
name.
type: string
x-kubernetes-validations:
- message: persistentVolumeClaim is immutable
rule: self == oldSelf
type: object
timeout:
description: Timeout specifies the timeout in seconds for the grpc
Expand Up @@ -49,9 +49,15 @@ spec:
description: Parameters is a key-value map with storage provisioner
specific configurations for creating volume replicas
type: object
x-kubernetes-validations:
- message: parameters are immutable
rule: self == oldSelf
provisioner:
description: Provisioner is the name of storage provisioner
type: string
x-kubernetes-validations:
- message: provisioner is immutable
rule: self == oldSelf
required:
- provisioner
type: object
Expand Up @@ -78,6 +78,9 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- message: dataSource is immutable
rule: self == oldSelf
replicationHandle:
description: replicationHandle represents an existing (but new) replication
id
Expand All @@ -95,6 +98,9 @@ spec:
description: VolumeReplicationClass is the VolumeReplicationClass
name for this VolumeReplication resource
type: string
x-kubernetes-validations:
- message: volumeReplicationClass is immutable
rule: self == oldSelf
required:
- autoResync
- dataSource
39 changes: 39 additions & 0 deletions deploy/controller/crds.yaml
Expand Up @@ -63,10 +63,16 @@ spec:
GetIdentity() call for that driver. The name of the driver is
in the format: `example.csi.ceph.com`'
type: string
x-kubernetes-validations:
- message: name is immutable
rule: self == oldSelf
nodeID:
description: NodeID is the ID of the node to identify on which
node the side-car is running.
type: string
x-kubernetes-validations:
- message: nodeID is immutable
rule: self == oldSelf
required:
- endpoint
- name
Expand Down Expand Up @@ -161,6 +167,9 @@ spec:
driver:
description: Driver contains the name of CSI driver.
type: string
x-kubernetes-validations:
- message: driver is immutable
rule: self == oldSelf
fenceState:
default: Fenced
description: FenceState contains the desired state for the CIDRs mentioned
Expand All @@ -175,18 +184,30 @@ spec:
description: Parameters is used to pass additional parameters to the
CSI driver.
type: object
x-kubernetes-validations:
- message: parameters are immutable
rule: self == oldSelf
secret:
description: Secret is a kubernetes secret, which is required to perform
the fence/unfence operation.
properties:
name:
description: Name specifies the name of the secret.
type: string
x-kubernetes-validations:
- message: name is immutable
rule: self == oldSelf
namespace:
description: Namespace specifies the namespace in which the secret
is located.
type: string
x-kubernetes-validations:
- message: namespace is immutable
rule: self == oldSelf
type: object
x-kubernetes-validations:
- message: secret is immutable
rule: self == oldSelf
required:
- cidrs
- driver
Expand Down Expand Up @@ -394,6 +415,9 @@ spec:
description: PersistentVolumeClaim specifies the target
PersistentVolumeClaim name.
type: string
x-kubernetes-validations:
- message: persistentVolumeClaim is immutable
rule: self == oldSelf
type: object
timeout:
description: Timeout specifies the timeout in seconds for
Expand Down Expand Up @@ -573,6 +597,9 @@ spec:
description: PersistentVolumeClaim specifies the target PersistentVolumeClaim
name.
type: string
x-kubernetes-validations:
- message: persistentVolumeClaim is immutable
rule: self == oldSelf
type: object
timeout:
description: Timeout specifies the timeout in seconds for the grpc
Expand Down Expand Up @@ -739,9 +766,15 @@ spec:
description: Parameters is a key-value map with storage provisioner
specific configurations for creating volume replicas
type: object
x-kubernetes-validations:
- message: parameters are immutable
rule: self == oldSelf
provisioner:
description: Provisioner is the name of storage provisioner
type: string
x-kubernetes-validations:
- message: provisioner is immutable
rule: self == oldSelf
required:
- provisioner
type: object
Expand Down Expand Up @@ -836,6 +869,9 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- message: dataSource is immutable
rule: self == oldSelf
replicationHandle:
description: replicationHandle represents an existing (but new) replication
id
Expand All @@ -853,6 +889,9 @@ spec:
description: VolumeReplicationClass is the VolumeReplicationClass
name for this VolumeReplication resource
type: string
x-kubernetes-validations:
- message: volumeReplicationClass is immutable
rule: self == oldSelf
required:
- autoResync
- dataSource
