CEL rules extension #269
CEL rules extension #269
Conversation
Signed-off-by: lsviben <[email protected]>
Signed-off-by: lsviben <[email protected]>
Signed-off-by: lsviben <[email protected]>
Signed-off-by: lsviben <[email protected]>
|
Discussed this internally with @turkenh and there is another approach that we could consider, but it has some tradeoffs. The idea is to just scope the CEL rule on the nested struct itself, this way we wouldnt need to check if all the previous arrays are filled out or not. In practice that would make: From this To this: Which means that we actually dont need to use CEL rules for nested structs at all and we can just keep them The tradeoff is that in this case, we will need to resign from merging initProvider to forProvider nested structs. Instead we would just append them. Because each struct will need to be valid by itself, we cant have a required field in An example for that (autoscaler), would be now invalid as the initProvider:
tags:
someTag: tag
forceUpdateVersion: false
scalingConfig:
- desiredSize: 1
forProvider:
clusterNameRef:
name: sample-eks-cluster
nodeRoleArnRef:
name: sample-node-role
region: us-west-1
scalingConfig:
- maxSize: 4
minSize: 1Instead we would need to set all of them in either initProvider:
tags:
someTag: tag
forceUpdateVersion: false
scalingConfig:
- desiredSize: 1
- maxSize: 4
- minSize: 1
forProvider:
clusterNameRef:
name: sample-eks-cluster
nodeRoleArnRef:
name: sample-node-role
region: us-west-1We could already see that this could be an issue if we would like to change just All in all, our conclusion was that for now we dont have a good solution for the nested structs validation, and that for now it is not pressing to have that, so we could consider dropping this for now until we need it or think of a better solution. |
I agree. |
Description of your changes
Disclaimer⚠️
I am not entirely happy with this solution and am wondering if we should merge this. Putting it out for discussion and explaining my thought process below
Intro
In #237 we made all non-init fields optional, so that they
can be set either in
spec.forProviderorspec.initProvider. For top level fields, we replaced the "required" validation withCEL rules. Such as:
// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.title) || has(self.initProvider.title)",message="title is a required parameter"But we didn't have a solution for the nested fields. So the purpose of this PR is to add CEL validation for nested fields that should be required.
This proved to be tricky due to 2 factors:
Starting this task I had expected to generate something like:
But I was very wrong 😰 .
Problem explanation
Firstly, we generate almost every nested struct as an array. Even though the resource expects and needs only one element of that array. I think its due to how terraform schemas are translated into our types, as they mark all of the nested structs as lists of nested structs. I didn't go too deep into this as it's highly unlikely that we would make some changes there and break our API.
Example from upbound/provider-gcp Cluster:
Secondly, it is how CEL works:
Scope
For the scope, it basically means that as we want to reach both
forProviderandinitProvider, the CEL rule has to be defined onspec. We cannot define a rule in a nested field as it wont have access toinitProviderand vice-versa. Otherwise this would be very handy and we wouldn't have a problem with field selection as we could just set the rule on the nested struct in question.Field selection
On the other hand, we have the problem of how to actually get through to the field we want to check if it is set. There are multiple ways.
Lets imagine we have the following resource:
The CEL rule can look like this if we want to check just if the first element exists. For most cases this is ok as we expect only one element. For those that are truly lists we miss
has(self.forProvider.someList[0].reqField) || has(self.initProvider.someList[0].reqField)CEL also provides an
all,exists,exists_onemacros that could be helpful:self.forProvider.someList.all(e, has(e.reqField)) || self.initProvider.someList.all(e, has(e.reqField))The problem here is that the check will not work well with true lists, as we could have some elements in initProvider, and some in forProvider, which is narrow edge case, but still worth to keep in mind. If we use
existswe come back to a similar solution as using[0].Example where all wont work well.
So lets say that we use the solution with
[0]:has(self.forProvider.someList[0].reqField) || has(self.initProvider.someList[0].reqField)What if
someListis optional? The fieldreqFieldis only required ifsomeListactually exists. With the above rule, we would force users to usesomeList. Thats why we could add:!has(self.forProvider.someList) || has(self.forProvider.someList[0].reqField) || has(self.initProvider.someList[0].reqField)And as resources have required fields few levels deep, we can get things like this(example is from GCP Provider AccessLevel):
which becomes unreadable, but works.
As I said in the beginning, not sure if we should include this. Maybe somebody will see a better solution. The current PR implements the above.
Fixes #239
I have:
make reviewableto ensure this PR is ready for review.backport release-x.ylabels to auto-backport this PR if necessary.How has this code been tested
Tested with https://github.com/upbound/provider-gcp/. Ran
make generatewith myupjet. Created the/apis/accesscontextmanager/v1beta1/zz_accesslevel_types.goCRD in a local kind cluster and tested with a few examples:Resulting CEL rules:
Minimal passing validation:
Result: PASSES
Description: contains the 3 required top level fields
Minimal not passing validation
Result: FAILS
Description:
Nested validation - one level
Result: PASSES
Description: sets just
basic[0].conditions[0].devicePolicy[0]. Does not go further intoosConstraints[]