kro-run
diff --git a/Diff for: ‎pkg/cel/cost.go
+58 b/Diff for: ‎pkg/cel/cost.go
+58
diff --git a/Diff for: ‎pkg/cel/cost_test.go
+184 b/Diff for: ‎pkg/cel/cost_test.go
+184
diff --git a/Diff for: ‎pkg/controller/instance/controller_reconcile.go
+10 b/Diff for: ‎pkg/controller/instance/controller_reconcile.go
+10
diff --git a/Diff for: ‎pkg/graph/builder.go
+4-1 b/Diff for: ‎pkg/graph/builder.go
+4-1
@@ -0,0 +1,58 @@
+package cel
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/google/cel-go/cel"
+)
+
+const (
+	// PerCallLimit specifies the cost limit per individual CEL expression evaluation
+	// This gives roughly 0.1 second of execution time per expression evaluation
+	PerCallLimit = 1000000
+
+	// RuntimeCELCostBudget is the total cost budget allowed during a single
+	// ResourceGroup reconciliation cycle. This includes all expression evaluations
+	// across all resources defined in the ResourceGroup. The budget gives roughly
+	// 1 second of total execution time before being exceeded.
+	RuntimeCELCostBudget = 1000
+
+	// CheckFrequency configures the number of iterations within a comprehension to evaluate
+	// before checking whether the function evaluation has been interrupted
+	CheckFrequency = 100
+)
+
+var ErrCELBudgetExceeded = errors.New("CEL Cost budget exceeded")
+
+// IsCostLimitExceeded checks if the error is related to CEL cost limit exceeding
+func IsCostLimitExceeded(err error) bool {
+	if err == nil {
+		return false
+	}
+	return strings.Contains(err.Error(), "cost limit exceeded")
+}
+
+// WrapCostLimitExceeded wraps a CEL cost limit error with our standard ErrCELBudgetExceeded
+// If the error is not a cost limit error, it returns the original error
+func WrapCostLimitExceeded(err error, totalCost int64) error {
+	if err == nil {
+		return nil
+	}
+
+	if IsCostLimitExceeded(err) {
+		return errors.New(ErrCELBudgetExceeded.Error() + ": total CEL cost " +
+			fmt.Sprintf("%d", totalCost) + " exceeded budget of " +
+			fmt.Sprintf("%d", RuntimeCELCostBudget))
+	}
+
+	return err
+}
+
+func WithCostTracking(costLimit int64) []cel.ProgramOption {
+	return []cel.ProgramOption{
+		cel.CostLimit(uint64(costLimit)),
+		cel.EvalOptions(cel.OptTrackCost),
+	}
+}
@@ -0,0 +1,184 @@
+// Copyright 2025 The Kube Resource Orchestrator Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package cel
+
+import (
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/google/cel-go/cel"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestOnlyCELBudgetValues sets up values for testing
+// These need to be much higher than normal to prevent test failures
+var (
+	TestOnlyRuntimeCELCostBudget = int64(100000000000) // 10B - very high for tests
+	TestOnlyPerCallLimit         = int64(10000000)     // 10M - high enough for any test expression
+)
+
+// WithTestBudget returns program options suitable for testing,
+// with much higher limits than production
+func WithTestBudget() []cel.ProgramOption {
+	return []cel.ProgramOption{
+		cel.CostLimit(uint64(TestOnlyPerCallLimit)),
+		cel.EvalOptions(cel.OptTrackCost),
+	}
+}
+
+func TestWithCostTracking(t *testing.T) {
+	//  WithCostTracking returns the expected number of options
+	opts := WithCostTracking(10000)
+	assert.Equal(t, 2, len(opts), "Expected 2 options to be returned")
+}
+
+func TestCELBudgetExceeded(t *testing.T) {
+	env, err := cel.NewEnv()
+	require.NoError(t, err)
+
+	ast, iss := env.Compile(`"test"`)
+	require.NoError(t, iss.Err())
+
+	// Testing with unlimited budget (should succeed)
+	opts := WithCostTracking(10000)
+	program, err := env.Program(ast, opts...)
+	require.NoError(t, err)
+
+	// Evaluating with sufficient budget
+	_, details, err := program.Eval(map[string]interface{}{})
+	require.NoError(t, err)
+	assert.NotNil(t, details)
+	assert.NotNil(t, details.ActualCost())
+
+	// Testing with minimal budget (still should pass for this trivial expression)
+	opts = WithCostTracking(1)
+	program, err = env.Program(ast, opts...)
+	require.NoError(t, err)
+
+	// Evaluating with minimal budget
+	_, details, err = program.Eval(map[string]interface{}{})
+	require.NoError(t, err)
+	assert.NotNil(t, details)
+	assert.NotNil(t, details.ActualCost())
+
+	// Testing with a more complex expression that will certainly exceed a 0 budget
+	ast, iss = env.Compile(`[1, 2, 3, 4, 5, 6, 7, 8, 9, 10].map(x, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].map(y, x * y)).filter(arr, arr.exists(e, e > 50))`)
+	require.NoError(t, iss.Err())
+
+	// Setting up a large budget that should allow the expression to complete
+	opts = WithCostTracking(1000000)
+	program, err = env.Program(ast, opts...)
+	require.NoError(t, err)
+
+	// Evaluating with large budget - should succeed
+	val, details, err := program.Eval(map[string]interface{}{})
+	if err == nil {
+		t.Logf("Success! Expression evaluated with result: %v, cost: %v", val, *details.ActualCost())
+	} else {
+		t.Logf("Actual error: %v", err)
+		require.Error(t, err)
+		errMsg := err.Error()
+		assert.Contains(t, errMsg, "cost limit exceeded", "Error should indicate cost limit exceeded")
+	}
+
+	// A tiny budget to ensure the test passes
+	opts = WithCostTracking(0)
+	program, err = env.Program(ast, opts...)
+	require.NoError(t, err)
+
+	// Evaluating with zero budget - should fail with budget exceeded
+	_, _, err = program.Eval(map[string]interface{}{})
+	require.Error(t, err)
+	t.Logf("Actual error: %v", err)
+
+	errMsg := err.Error()
+	assert.Contains(t, errMsg, "cost limit exceeded", "Error should indicate cost limit exceeded")
+}
+
+func TestIsCostLimitExceeded(t *testing.T) {
+	tests := []struct {
+		name     string
+		err      error
+		expected bool
+	}{
+		{
+			name:     "nil error",
+			err:      nil,
+			expected: false,
+		},
+		{
+			name:     "non-cost error",
+			err:      errors.New("some other error"),
+			expected: false,
+		},
+		{
+			name:     "cost limit error",
+			err:      errors.New("operation cancelled: actual cost limit exceeded"),
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsCostLimitExceeded(tt.err)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestWrapCostLimitExceeded(t *testing.T) {
+	tests := []struct {
+		name      string
+		err       error
+		totalCost int64
+		want      string
+		wantErr   bool
+	}{
+		{
+			name:      "nil error",
+			err:       nil,
+			totalCost: 0,
+			want:      "",
+			wantErr:   false,
+		},
+		{
+			name:      "non-cost error",
+			err:       errors.New("some other error"),
+			totalCost: 5000,
+			want:      "some other error",
+			wantErr:   true,
+		},
+		{
+			name:      "cost limit error",
+			err:       errors.New("operation cancelled: actual cost limit exceeded"),
+			totalCost: 15000,
+			want:      fmt.Sprintf("CEL Cost budget exceeded: total CEL cost 15000 exceeded budget of %d", RuntimeCELCostBudget),
+			wantErr:   true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := WrapCostLimitExceeded(tt.err, tt.totalCost)
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Equal(t, tt.want, err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
@@ -15,6 +15,7 @@ package instance
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/go-logr/logr"
@@ -25,6 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/dynamic"
 
+	krocel "github.com/kro-run/kro/pkg/cel"
 	"github.com/kro-run/kro/pkg/controller/instance/delta"
 	"github.com/kro-run/kro/pkg/metadata"
 	"github.com/kro-run/kro/pkg/requeue"
@@ -116,6 +118,14 @@ func (igr *instanceGraphReconciler) reconcileInstance(ctx context.Context) error
 
 		// Synchronize runtime state after each resource
 		if _, err := igr.runtime.Synchronize(); err != nil {
+			if errors.Is(err, krocel.ErrCELBudgetExceeded) {
+				resourceState := igr.state.ResourceStates[resourceID]
+				resourceState.State = "ERROR"
+				resourceState.Err = err
+				igr.state.State = "CELBudgetExceeded"
+				igr.state.ReconcileErr = err
+				return err
+			}
 			return fmt.Errorf("failed to synchronize reconciling resource %s: %w", resourceID, err)
 		}
 	}
 
@@ -625,7 +625,10 @@ func dryRunExpression(env *cel.Env, expression string, resources map[string]*Res
 	}
 
 	// TODO(a-hilaly): thinking about a creating a library to hide this...
-	program, err := env.Program(ast)
+
+	//adding cost tracking options
+	programOpts := krocel.WithCostTracking(krocel.PerCallLimit)
+	program, err := env.Program(ast, programOpts...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create program: %w", err)
 	}
Original file line number	Diff line number	Diff line change
`@@ -625,7 +625,10 @@ func dryRunExpression(env cel.Env, expression string, resources map[string]Res`
`625`	`625`	`}`
`626`	`626`
`627`	`627`	`// TODO(a-hilaly): thinking about a creating a library to hide this...`
`628`		`- program, err := env.Program(ast)`
	`628`	`+`
	`629`	`+ //adding cost tracking options`
	`630`	`+ programOpts := krocel.WithCostTracking(krocel.PerCallLimit)`
	`631`	`+ program, err := env.Program(ast, programOpts...)`
`629`	`632`	`if err != nil {`
`630`	`633`	`return nil, fmt.Errorf("failed to create program: %w", err)`
`631`	`634`	`}`