WIP CEl stuff, but need to stop because it seems to be kube 1.33+ only

xrstf · xrstf · commit 43024a567bd7 · 2025-12-08T12:07:34.000+01:00
On-behalf-of: @SAP christoph.mewes@sap.com
diff --git a/internal/mutation/mutator.go b/internal/mutation/mutator.go
@@ -111,6 +111,12 @@ func createAggregatedTransformer(mutations []syncagentv1alpha1.ResourceMutation)
 				return nil, err
 			}
 
+		case mut.ApplyConfiguration != nil:
+			trans, err = transformer.NewApplyConfiguration(mut.ApplyConfiguration)
+			if err != nil {
+				return nil, err
+			}
+
 		default:
 			return nil, errors.New("no valid mutation mechanism provided")
 		}
diff --git a/internal/mutation/transformer/applyconfig.go b/internal/mutation/transformer/applyconfig.go
@@ -0,0 +1,106 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package transformer
+
+import (
+	"bytes"
+	"fmt"
+	"html/template"
+	"strings"
+
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/sjson"
+
+	syncagentv1alpha1 "github.com/kcp-dev/api-syncagent/sdk/apis/syncagent/v1alpha1"
+	plugincel "k8s.io/apiserver/pkg/admission/plugin/cel"
+	"k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apiserver/pkg/cel/environment"
+)
+
+type applyConfigTransformer struct {
+	path string
+	tpl  *template.Template
+}
+
+func NewApplyConfiguration(mut *syncagentv1alpha1.ResourceApplyConfigurationMutation) (*applyConfigTransformer, error) {
+	opts := plugincel.OptionalVariableDeclarations{HasParams: false, StrictCost: true, HasAuthorizer: true}
+	compiler, err := plugincel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize CEL compiler: %w", err)
+	}
+
+	// Compile and store variables
+	compiler.CompileAndStoreVariables(convertv1alpha1Variables(policy.Spec.Variables), opts, environment.StoredExpressions)
+
+	accessor := &patch.ApplyConfigurationCondition{Expression: m.ApplyConfiguration.Expression}
+	compileResult := compiler.CompileMutatingEvaluator(accessor, patchOptions, environment.StoredExpressions)
+	patcher := patch.NewApplyConfigurationPatcher(compileResult)
+
+	return &applyConfigTransformer{
+		path: mut.Path,
+		tpl:  tpl,
+	}, nil
+}
+
+func (m *applyConfigTransformer) Apply(toMutate *unstructured.Unstructured, otherObj *unstructured.Unstructured) (*unstructured.Unstructured, error) {
+	encoded, err := EncodeObject(toMutate)
+	if err != nil {
+		return nil, fmt.Errorf("failed to JSON encode object: %w", err)
+	}
+
+	ctx := templateMutationContext{
+		Value:       gjson.Get(encoded, m.path),
+		LocalObject: toMutate.Object,
+	}
+
+	if otherObj != nil {
+		ctx.RemoteObject = otherObj.Object
+	}
+
+	var buf bytes.Buffer
+	if err := m.tpl.Execute(&buf, ctx); err != nil {
+		return nil, fmt.Errorf("failed to execute template: %w", err)
+	}
+
+	replacement := strings.TrimSpace(buf.String())
+
+	updated, err := sjson.Set(encoded, m.path, replacement)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set updated value: %w", err)
+	}
+
+	return DecodeObject(updated)
+}
+
+// type rawGoVariable struct {
+// 	name       string
+// 	expression string
+// }
+
+// func (t *rawGoVariable) GetExpression() string {
+// 	return t.expression
+// }
+
+// func (t *rawGoVariable) ReturnTypes() []*cel.Type {
+// 	return []*cel.Type{cel.AnyType}
+// }
+
+// func (t *rawGoVariable) GetName() string {
+// 	return t.name
+// }
diff --git a/sdk/apis/syncagent/v1alpha1/published_resource.go b/sdk/apis/syncagent/v1alpha1/published_resource.go
@@ -160,9 +160,10 @@ type ResourceMutation struct {
 	// Must use exactly one of these options, never more, never fewer.
 	// TODO: Add validation code for this somewhere.
 
-	Delete   *ResourceDeleteMutation   `json:"delete,omitempty"`
-	Regex    *ResourceRegexMutation    `json:"regex,omitempty"`
-	Template *ResourceTemplateMutation `json:"template,omitempty"`
+	Delete             *ResourceDeleteMutation             `json:"delete,omitempty"`
+	Regex              *ResourceRegexMutation              `json:"regex,omitempty"`
+	Template           *ResourceTemplateMutation           `json:"template,omitempty"`
+	ApplyConfiguration *ResourceApplyConfigurationMutation `json:"applyConfig,omitempty"`
 }
 
 type ResourceDeleteMutation struct {
@@ -182,6 +183,10 @@ type ResourceTemplateMutation struct {
 	Template string `json:"template"`
 }
 
+type ResourceApplyConfigurationMutation struct {
+	Expression string `json:"expression"`
+}
+
 type RelatedResourceOrigin string
 
 const (

Original file line number	Diff line number	Diff line change
`@@ -111,6 +111,12 @@ func createAggregatedTransformer(mutations []syncagentv1alpha1.ResourceMutation)`
`111`	`111`	`return nil, err`
`112`	`112`	`}`
`113`	`113`
	`114`	`+ case mut.ApplyConfiguration != nil:`
	`115`	`+ trans, err = transformer.NewApplyConfiguration(mut.ApplyConfiguration)`
	`116`	`+ if err != nil {`
	`117`	`+ return nil, err`
	`118`	`+ }`
	`119`	`+`
`114`	`120`	`default:`
`115`	`121`	`return nil, errors.New("no valid mutation mechanism provided")`
`116`	`122`	`}`