Remove duplicate Go validators covered by CRD schema validation #12150
Open
caseydavenport wants to merge 4 commits into master from
Add a new cel validator package that compiles x-kubernetes-validations rules from embedded CRD schemas into Go-executable CEL programs at init time, using the K8s apiextensions-apiserver CEL libraries. Wire it into the existing v3 Validate() function so CEL rules are enforced regardless of datastore backend. In Kubernetes mode the API server already enforces these via CRDs, but in etcd mode there's no API server — so without this, CEL validations were simply not checked. Both Go struct validation errors and CEL errors are now collected and returned together in a single ErrorValidation.
- Move CEL validation from separate cel package into validator/v3 as crd_validation.go
- Add OpenAPI schema validation alongside CEL (enforces enum, minItems, maxLength, pattern, etc. from CRD schemas)
- Find storage version instead of assuming Versions[0]
- Infer Kind from Go type when TypeMeta isn't set
- Use logrus directly instead of aliasing as log
- Consolidate var block, use init() instead of sync.Once
- Replace custom contains helpers with strings.Contains
- Restructure tests as per-Kind top-level tests with shared crdTestCase runner
Remove 22 pure-regex/enum validators from validator.go that are now enforced by the CRD OpenAPI schema and CEL rules in crd_validation.go. These include action, ipIpMode, vxlanMode, logLevel, bpfLogLevel, datastoreType, iptablesBackend, filterAction, matchOperator, and others.

The remaining no-op registrations prevent go-playground/validator from panicking on struct tags that reference removed validators.

Tests that previously passed sub-objects (Rule, FelixConfigurationSpec, etc.) are updated to pass full CRD resources, matching how the validator is actually called in production. A few tests that were stricter than the CRD (case-sensitive log levels, case-sensitive action names) are updated to match the CRD's case-insensitive behavior, which is what the API server enforces.

createDefaultHostEndpoint is kept as a real validator because the KubeControllersConfiguration CRD lacks an enum constraint on that field.
Follow-up to #11973. Removes 22 pure-regex/enum Go struct validators from `validator.go` that are now enforced by the CRD OpenAPI schema and CEL rules in `crd_validation.go`. These include `action`, `ipIpMode`, `vxlanMode`, `logLevel`, `bpfLogLevel`, `datastoreType`, `iptablesBackend`, `filterAction`, `matchOperator`, and others.

The go-playground/validator library panics on unknown struct tags, so the removed validators are registered as no-ops to keep things working until the API struct tags are cleaned up separately.

Tests that previously passed sub-objects (`Rule`, `FelixConfigurationSpec`, `BGPFilterRuleV4`, etc.) are updated to pass full CRD resources, which is how the validator is called in production. A few tests that were stricter than the CRD (case-sensitive log levels, case-sensitive action names) are updated to match the CRD's case-insensitive behavior.

`createDefaultHostEndpoint` is kept as a real validator because the `KubeControllersConfiguration` CRD lacks an enum constraint on that field.
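The description above turns on whether a field is actually constrained by the CRD schema before its Go validator is dropped. The check below is an added example, not code from this PR or from Calico: `Covered` is a hypothetical helper and `sampleSchema` is a constructed schema, not the real CRD.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleSchema is constructed for this example; it is not the real Calico CRD.
const sampleSchema = `{"properties": {"spec": {"properties": {
  "ingress": {"type": "array", "items": {"properties": {
    "action": {"type": "string", "enum": ["Allow", "Deny", "Log", "Pass"]}}}},
  "createDefaultHostEndpoint": {"type": "string"}}}}}`

// schema is the subset of an OpenAPI v3 CRD schema this check reads.
type schema struct {
	Properties  map[string]*schema `json:"properties"`
	Items       *schema            `json:"items"`
	Enum        []any              `json:"enum"`
	Pattern     string             `json:"pattern"`
	Validations []json.RawMessage  `json:"x-kubernetes-validations"`
}

// Covered (hypothetical helper) walks a dotted field path, stepping through
// array items, and reports whether the leaf has an enum, pattern or CEL rule.
// CEL rules on ancestor nodes are not credited, so false means "keep the Go
// validator or inspect the schema by hand", never "safe to remove".
func Covered(raw []byte, path string) (bool, error) {
	root := &schema{}
	if err := json.Unmarshal(raw, root); err != nil {
		return false, err
	}
	cur := root
	for _, seg := range strings.Split(path, ".") {
		next := cur.Properties[seg]
		if next == nil { // a missing field is an error, not "uncovered"
			return false, fmt.Errorf("field %q not in schema", path)
		}
		for cur = next; cur.Items != nil; cur = cur.Items {
		}
	}
	return len(cur.Enum) > 0 || cur.Pattern != "" || len(cur.Validations) > 0, nil
}

func main() {
	for _, p := range []string{"spec.ingress.action", "spec.createDefaultHostEndpoint"} {
		ok, err := Covered([]byte(sampleSchema), p)
		fmt.Println(p, ok, err)
	}
}
```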