CRD Validation for Etcd resource using CEL expressions (#995)

* validation markers without cron regex fix and update rules
* Added integration test framework for validating CRD fields
* used common function to generate etcd object for tests + consistent cron expression
* Upgraded env-test k8s version, and fixed corresponding bugs.
* Added `itTestEnv.StartManager()` to start the manager in `setupTestEnvironment()`.
* Upgraded teh env-test k8s version to `1.30`.
* Changed the timeout to `20s` in `assertReconcileSuspensionEventRecorded`
  to prevent the test timing out.
* Removed an unnecessary `time.Sleep` in `TestValidateSpecReplicas`.
* 1) reduced timeout to 10s
  2) added version compatibility docs
  3) reduced code reuse in specUpdate_test.go
Reverted the timeout value in test/it/helper.go which was increased to handle failure of prow jobs
1) Renamed "test/it/crd-validation" to "test/crdvalidation"
2) Removed Camel casing from the file names in test/crdvalidation/etcd
3) Changed version-compatibility matrix to 1.29 since CEL expressions are valid from this version onwards
4) Removed config/crd/bases/crd-druid.gardener.cloud_etcds.yaml
* generate both crds based on k8s version
1) make prepare-helm-charts now takes an additional parameter to deploy the crd either with or without the CEL expressions based on the k8s version.
2) modified api/hack/generate.sh to generate 2 versions of the etcd crd. One with and one without CEL expressions
3) added deploy.sh which is called when make deploy is called. Additional functionality: get k8s version and deploy accordingly.
* changed the crds API to accept a k8sversion and added unit test
* removed deploy.sh, changed Makefile targets and refactored prepare-chart-resources
* modified generate.sh to conditionally generate crd without cel validations
* added missing license headers
* changed it tests to skip test cases based on k8s version + removed validation for requests field in etcd
1) Changed the Makefile target for deploy to install the dependecies if not present
2) Removed existing validations for fields of type resources where the request field was mandatory.
3) reverted the cron expressions in examples/etcd/druid_v1alpha1_etcd_localstack.yaml
4) exported the kubernetes version variable.
5) removed duplicate variable in hack/tools.mk
6) Added path to etcd crd without CEL as a return type in assets.go if the k8s version is < 1.29. Added the function to get k8s version as well
7) Changes to test/it/controller/etcd/reconciler_test.go and test/it/crdvalidation/etcd/validation_test.go based on changes to test/it/assets/assets.go
8) Skip test cases based on k8s versions

* renamed function skipTestBasedOnK8SVersion to skipCELTestsForOlderK8sVersions + added comment(description) to exported function
* fixed incorrect invocation of prepare-chart-resources for e2e tests resulting in incorrect SANs
* Updated the version-compatibility-matrix to remove supported versions of k8s for v0.28
* prepare chart resources will regenerate PKI artifacts when namespace changes
* added check for unspecified k8s version
---------

Co-authored-by: Shreyas Rao <[email protected]>
Co-authored-by: Saketh Kalaga <[email protected]>
Co-authored-by: madhav bhargava <[email protected]>

Author: 4 people

Makefile

@@ -107,7 +107,7 @@ test-cov-clean:
 
 .PHONY: test-e2e
 test-e2e: $(KUBECTL) $(HELM) $(SKAFFOLD) $(KUSTOMIZE) $(GINKGO)
-	@$(HACK_DIR)/prepare-chart-resources.sh $(BUCKET_NAME) $(CERT_EXPIRY_DAYS)
+	@$(HACK_DIR)/prepare-chart-resources.sh -n $(BUCKET_NAME) -e $(CERT_EXPIRY_DAYS)
 	@VERSION=$(VERSION) GIT_SHA=$(GIT_SHA) $(HACK_DIR)/e2e-test/run-e2e-test.sh $(PROVIDERS)
 
 .PHONY: ci-e2e-kind
@@ -177,9 +177,15 @@ ifndef NAMESPACE
 override NAMESPACE = default
 endif
 
+# While preparing helm charts, it will by default attempt to get the k8s version by invoking kubectl command assuming that you are already connected to a k8s cluster.
+# If you wish to specify a specific k8s version, then set K8S_VERSION environment variable to a value of your choice.
 .PHONY: prepare-helm-charts
 prepare-helm-charts:
-	@$(HACK_DIR)/prepare-chart-resources.sh $(NAMESPACE) $(CERT_EXPIRY_DAYS)
+ifeq ($(strip $(K8S_VERSION)),)
+	@$(HACK_DIR)/prepare-chart-resources.sh --namespce $(NAMESPACE) --cert-expiry $(CERT_EXPIRY_DAYS)
+else
+	@$(HACK_DIR)/prepare-chart-resources.sh --namespce $(NAMESPACE) --cert-expiry $(CERT_EXPIRY_DAYS) --k8s-version $(K8S_VERSION)
+endif
 
 .PHONY: deploy
 deploy: $(SKAFFOLD) $(HELM) prepare-helm-charts

api/core/crds/crd.go

@@ -5,22 +5,56 @@
 package crds
 
 import (
+	"k8s.io/apimachinery/pkg/util/version"
+
 	_ "embed"
 )
 
 var (
 	//go:embed druid.gardener.cloud_etcds.yaml
 	etcdCRD string
+	//go:embed druid.gardener.cloud_etcds_without_cel.yaml
+	etcdCRDWithoutCEL string
 	//go:embed druid.gardener.cloud_etcdcopybackupstasks.yaml
 	etcdCopyBackupsTaskCRD string
 )
 
-// GetEtcdCRD returns the etcd CRD.
-func GetEtcdCRD() string {
-	return etcdCRD
+const (
+	// KindEtcd is the kind of the etcd CRD.
+	KindEtcd = "Etcd"
+	// KindEtcdCopyBackupsTask is the kind of the etcd-copy-backup-task CRD.
+	KindEtcdCopyBackupsTask = "EtcdCopyBackupsTask"
+)
+
+// GetAll returns all CRDs for the given k8s version.
+// There are currently two sets of CRDs maintained.
+// 1. One set is for Kubernetes version 1.29 and above. These CRDs contain embedded CEL validation expressions. CEL expressions are only GA since Kubernetes 1.29 onwards.
+// 2. The other set is for Kubernetes versions below 1.29. These CRDs do not contain embedded CEL validation expressions.
+func GetAll(k8sVersion string) (map[string]string, error) {
+	k8sVersionAbove129, err := IsK8sVersionEqualToOrAbove129(k8sVersion)
+	if err != nil {
+		return nil, err
+	}
+	var selectedEtcdCRD string
+	if k8sVersionAbove129 {
+		selectedEtcdCRD = etcdCRD
+	} else {
+		selectedEtcdCRD = etcdCRDWithoutCEL
+	}
+	return map[string]string{
+		KindEtcd:                selectedEtcdCRD,
+		KindEtcdCopyBackupsTask: etcdCopyBackupsTaskCRD,
+	}, nil
 }
 
-// GetEtcdCopyBackupsTaskCRD returns the etcd-copy-backup-task CRD.
-func GetEtcdCopyBackupsTaskCRD() string {
-	return etcdCopyBackupsTaskCRD
+// IsK8sVersionEqualToOrAbove129 returns true if the K8s version is 1.29 or higher, otherwise false.
+func IsK8sVersionEqualToOrAbove129(k8sVersion string) (bool, error) {
+	v, err := version.ParseMajorMinor(k8sVersion)
+	if err != nil {
+		return false, err
+	}
+	if v.LessThan(version.MajorMinor(1, 29)) {
+		return false, nil
+	}
+	return true, nil
 }

api/core/crds/crd_test.go

@@ -0,0 +1,81 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package crds
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+func TestGetAll(t *testing.T) {
+	testCases := []struct {
+		name         string
+		k8sVersion   string
+		expectedCRDs map[string]string
+	}{
+		{
+			name:       "k8s version is 1.29",
+			k8sVersion: "1.29",
+			expectedCRDs: map[string]string{
+				KindEtcd:                etcdCRD,
+				KindEtcdCopyBackupsTask: etcdCopyBackupsTaskCRD,
+			},
+		},
+		{
+			name:       "k8s version is v1.29.0",
+			k8sVersion: "v1.29.0",
+			expectedCRDs: map[string]string{
+				KindEtcd:                etcdCRD,
+				KindEtcdCopyBackupsTask: etcdCopyBackupsTaskCRD,
+			},
+		},
+		{
+			name:       "k8s version is below 1.29",
+			k8sVersion: "1.28",
+			expectedCRDs: map[string]string{
+				KindEtcd:                etcdCRDWithoutCEL,
+				KindEtcdCopyBackupsTask: etcdCopyBackupsTaskCRD,
+			},
+		},
+		{
+			name:       "k8s version is below v1.29",
+			k8sVersion: "v1.28.3",
+			expectedCRDs: map[string]string{
+				KindEtcd:                etcdCRDWithoutCEL,
+				KindEtcdCopyBackupsTask: etcdCopyBackupsTaskCRD,
+			},
+		},
+		{
+			name:       "k8s version is above 1.29",
+			k8sVersion: "1.30",
+			expectedCRDs: map[string]string{
+				KindEtcd:                etcdCRD,
+				KindEtcdCopyBackupsTask: etcdCopyBackupsTaskCRD,
+			},
+		},
+		{
+			name:       "k8s version is above v1.29",
+			k8sVersion: "v1.30.1",
+			expectedCRDs: map[string]string{
+				KindEtcd:                etcdCRD,
+				KindEtcdCopyBackupsTask: etcdCopyBackupsTaskCRD,
+			},
+		},
+	}
+
+	g := NewWithT(t)
+	t.Parallel()
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			crds, err := GetAll(tc.k8sVersion)
+			g.Expect(err).To(BeNil())
+			g.Expect(crds).To(HaveLen(len(tc.expectedCRDs)))
+			g.Expect(crds).To(Equal(tc.expectedCRDs))
+		})
+	}
+
+}

api/core/crds/druid.gardener.cloud_etcds.yaml

@@ -162,12 +162,13 @@ spec:
                   deltaSnapshotPeriod:
                     description: DeltaSnapshotPeriod defines the period after which
                       delta snapshots will be taken
+                    pattern: ^([0-9]+([.][0-9]+)?h)?([0-9]+([.][0-9]+)?m)?([0-9]+([.][0-9]+)?s)?([0-9]+([.][0-9]+)?d)?$
                     type: string
                   deltaSnapshotRetentionPeriod:
                     description: |-
                       DeltaSnapshotRetentionPeriod defines the duration for which delta snapshots will be retained, excluding the latest snapshot set.
                       The value should be a string formatted as a duration (e.g., '1s', '2m', '3h', '4d')
-                    pattern: ^([0-9][0-9]*([.][0-9]+)?(s|m|h|d))+$
+                    pattern: ^([0-9]+([.][0-9]+)?h)?([0-9]+([.][0-9]+)?m)?([0-9]+([.][0-9]+)?s)?([0-9]+([.][0-9]+)?d)?$
                     type: string
                   enableProfiling:
                     description: EnableProfiling defines if profiling should be enabled
@@ -176,14 +177,17 @@ spec:
                   etcdSnapshotTimeout:
                     description: EtcdSnapshotTimeout defines the timeout duration
                       for etcd FullSnapshot operation
+                    pattern: ^([0-9]+([.][0-9]+)?h)?([0-9]+([.][0-9]+)?m)?([0-9]+([.][0-9]+)?s)?([0-9]+([.][0-9]+)?d)?$
                     type: string
                   fullSnapshotSchedule:
                     description: FullSnapshotSchedule defines the cron standard schedule
                       for full snapshots.
+                    pattern: ^(\*|[1-5]?[0-9]|[1-5]?[0-9]-[1-5]?[0-9]|(?:[1-9]|[1-4][0-9]|5[0-9])\/(?:[1-9]|[1-4][0-9]|5[0-9]|60)|\*\/(?:[1-9]|[1-4][0-9]|5[0-9]|60))\s+(\*|[0-9]|1[0-9]|2[0-3]|[0-9]-(?:[0-9]|1[0-9]|2[0-3])|1[0-9]-(?:1[0-9]|2[0-3])|2[0-3]-2[0-3]|(?:[1-9]|1[0-9]|2[0-3])\/(?:[1-9]|1[0-9]|2[0-4])|\*\/(?:[1-9]|1[0-9]|2[0-4]))\s+(\*|[1-9]|[12][0-9]|3[01]|[1-9]-(?:[1-9]|[12][0-9]|3[01])|[12][0-9]-(?:[12][0-9]|3[01])|3[01]-3[01]|(?:[1-9]|[12][0-9]|30)\/(?:[1-9]|[12][0-9]|3[01])|\*\/(?:[1-9]|[12][0-9]|3[01]))\s+(\*|[1-9]|1[0-2]|[1-9]-(?:[1-9]|1[0-2])|1[0-2]-1[0-2]|(?:[1-9]|1[0-2])\/(?:[1-9]|1[0-2])|\*\/(?:[1-9]|1[0-2]))\s+(\*|[1-7]|[1-6]-[1-7]|[1-6]\/[1-7]|\*\/[1-7])$
                     type: string
                   garbageCollectionPeriod:
                     description: GarbageCollectionPeriod defines the period for garbage
                       collecting old backups
+                    pattern: ^([0-9]+([.][0-9]+)?h)?([0-9]+([.][0-9]+)?m)?([0-9]+([.][0-9]+)?s)?([0-9]+([.][0-9]+)?d)?$
                     type: string
                   garbageCollectionPolicy:
                     description: GarbageCollectionPolicy defines the policy for garbage
@@ -202,10 +206,12 @@ spec:
                       etcdConnectionTimeout:
                         description: EtcdConnectionTimeout defines the timeout duration
                           for etcd client connection during leader election.
+                        pattern: ^([0-9]+([.][0-9]+)?h)?([0-9]+([.][0-9]+)?m)?([0-9]+([.][0-9]+)?s)?([0-9]+([.][0-9]+)?d)?$
                         type: string
                       reelectionPeriod:
                         description: ReelectionPeriod defines the Period after which
                           leadership status of corresponding etcd is checked.
+                        pattern: ^([0-9]+([.][0-9]+)?h)?([0-9]+([.][0-9]+)?m)?([0-9]+([.][0-9]+)?s)?([0-9]+([.][0-9]+)?d)?$
                         type: string
                     type: object
                   maxBackupsLimitBasedGC:
@@ -366,6 +372,11 @@ spec:
                     - tlsCASecretRef
                     type: object
                 type: object
+                x-kubernetes-validations:
+                - message: etcd.spec.backup.garbageCollectionPeriod must be greater
+                    than etcd.spec.backup.deltaSnapshotPeriod
+                  rule: '!(has(self.deltaSnapshotPeriod) && has(self.garbageCollectionPeriod))
+                    || duration(self.deltaSnapshotPeriod).getSeconds() < duration(self.garbageCollectionPeriod).getSeconds()'
               etcd:
                 description: EtcdConfig defines the configuration for the etcd cluster
                   to be deployed.
@@ -470,14 +481,17 @@ spec:
                   defragmentationSchedule:
                     description: DefragmentationSchedule defines the cron standard
                       schedule for defragmentation of etcd.
+                    pattern: ^(\*|[1-5]?[0-9]|[1-5]?[0-9]-[1-5]?[0-9]|(?:[1-9]|[1-4][0-9]|5[0-9])\/(?:[1-9]|[1-4][0-9]|5[0-9]|60)|\*\/(?:[1-9]|[1-4][0-9]|5[0-9]|60))\s+(\*|[0-9]|1[0-9]|2[0-3]|[0-9]-(?:[0-9]|1[0-9]|2[0-3])|1[0-9]-(?:1[0-9]|2[0-3])|2[0-3]-2[0-3]|(?:[1-9]|1[0-9]|2[0-3])\/(?:[1-9]|1[0-9]|2[0-4])|\*\/(?:[1-9]|1[0-9]|2[0-4]))\s+(\*|[1-9]|[12][0-9]|3[01]|[1-9]-(?:[1-9]|[12][0-9]|3[01])|[12][0-9]-(?:[12][0-9]|3[01])|3[01]-3[01]|(?:[1-9]|[12][0-9]|30)\/(?:[1-9]|[12][0-9]|3[01])|\*\/(?:[1-9]|[12][0-9]|3[01]))\s+(\*|[1-9]|1[0-2]|[1-9]-(?:[1-9]|1[0-2])|1[0-2]-1[0-2]|(?:[1-9]|1[0-2])\/(?:[1-9]|1[0-2])|\*\/(?:[1-9]|1[0-2]))\s+(\*|[1-7]|[1-6]-[1-7]|[1-6]\/[1-7]|\*\/[1-7])$
                     type: string
                   etcdDefragTimeout:
                     description: EtcdDefragTimeout defines the timeout duration for
                       etcd defrag call
+                    pattern: ^([0-9]+([.][0-9]+)?h)?([0-9]+([.][0-9]+)?m)?([0-9]+([.][0-9]+)?s)?([0-9]+([.][0-9]+)?d)?$
                     type: string
                   heartbeatDuration:
                     description: HeartbeatDuration defines the duration for members
                       to send heartbeats. The default value is 10s.
+                    pattern: ^([0-9]+([.][0-9]+)?h)?([0-9]+([.][0-9]+)?m)?([0-9]+([.][0-9]+)?s)?$
                     type: string
                   image:
                     description: Image defines the etcd container image and tag
@@ -634,6 +648,9 @@ spec:
               replicas:
                 format: int32
                 type: integer
+                x-kubernetes-validations:
+                - message: Replicas can either be increased or be downscaled to 0.
+                  rule: 'self==0 ? true : self < oldSelf ? false : true'
               schedulingConstraints:
                 description: |-
                   SchedulingConstraints defines the different scheduling constraints that must be applied to the
@@ -1753,6 +1770,7 @@ spec:
                   selector is a label query over pods that should match the replica count.
                   It must match the pod template's labels.
                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+                  Deprecated: this field will be removed in the future.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
@@ -1822,22 +1840,39 @@ spec:
                 description: StorageCapacity defines the size of persistent volume.
                 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                 x-kubernetes-int-or-string: true
+                x-kubernetes-validations:
+                - message: etcd.spec.storageCapacity is an immutable field
+                  rule: self == oldSelf
               storageClass:
                 description: |-
                   StorageClass defines the name of the StorageClass required by the claim.
                   More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                 type: string
+                x-kubernetes-validations:
+                - message: etcd.spec.storageClass is an immutable field
+                  rule: self == oldSelf
               volumeClaimTemplate:
                 description: VolumeClaimTemplate defines the volume claim template
                   to be created
                 type: string
+                x-kubernetes-validations:
+                - message: etcd.spec.VolumeClaimTemplate is an immutable field
+                  rule: self == oldSelf
             required:
             - backup
             - etcd
             - labels
             - replicas
-            - selector
             type: object
+            x-kubernetes-validations:
+            - message: If backups are enabled, then value of etcd.spec.storageCapacity
+                must be 3 times the value of etcd.spec.etcd.quota or more. If backups
+                are disabled, then value of etcd.spec.storageCapacity must be the
+                value of etcd.spec.etcd.quota or more.
+              rule: 'has(self.storageCapacity) && has(self.etcd.quota) ? (has(self.backup.store)
+                ? ((quantity(self.storageCapacity).isLessThan(quantity(self.etcd.quota).add(quantity(self.etcd.quota)).add(quantity(self.etcd.quota)))
+                ) ? false : true): (quantity(self.storageCapacity).isLessThan(quantity(self.etcd.quota))
+                ? false : true)  ): true'
           status:
             description: EtcdStatus defines the observed state of Etcd.
             properties: