Port to cel type

Author: sats-23

api/v1alpha1/nodereadinessrule_types.go

@@ -45,37 +45,6 @@ const (
 	TaintStatusAbsent TaintStatus = "Absent"
 )
 
-// TaintSpec defines the specific Taint (Key, Value, and Effect) to be managed.
-type TaintSpec struct {
-	// key is the taint key to be applied to a node.
-	//
-	// +required
-	// +kubebuilder:validation:MinLength=17
-	// +kubebuilder:validation:MaxLength=253
-	// +kubebuilder:validation:Pattern=`^readiness\.k8s\.io\/.*`
-	Key string `json:"key,omitempty"`
-
-	// value is the taint value corresponding to the taint key.
-	//
-	// +optional
-	// +kubebuilder:validation:MaxLength=63
-	Value *string `json:"value,omitempty"`
-
-	// effect is the effect of the taint on pods
-	// that do not tolerate the taint.
-	// Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
-	//
-	// +required
-	// +kubebuilder:validation:Enum=NoSchedule;PreferNoSchedule;NoExecute
-	Effect corev1.TaintEffect `json:"effect,omitempty"`
-
-	// timeAdded represents the time at which the taint was added.
-	// It is only written for NoExecute taints.
-	//
-	// +optional
-	TimeAdded *metav1.Time `json:"timeAdded,omitempty"`
-}
-
 // NodeReadinessRuleSpec defines the desired state of NodeReadinessRule.
 type NodeReadinessRuleSpec struct {
 	// conditions contains a list of the Node conditions that defines the specific
@@ -101,7 +70,11 @@ type NodeReadinessRuleSpec struct {
 	// on Nodes that meet the defined condition criteria.
 	//
 	// +required
-	Taint TaintSpec `json:"taint,omitempty,omitzero"`
+	// +kubebuilder:validation:XValidation:rule="self.key.startsWith('readiness.k8s.io/')",message="taint key must start with 'readiness.k8s.io/'"
+	// +kubebuilder:validation:XValidation:rule="self.key.size() >= 17 && self.key.size() <= 253",message="taint key length must be between 17 and 253 characters"
+	// +kubebuilder:validation:XValidation:rule="!has(self.value) || self.value.size() <= 63",message="taint value length must be at most 63 characters"
+	// +kubebuilder:validation:XValidation:rule="self.effect in ['NoSchedule', 'PreferNoSchedule', 'NoExecute']",message="taint effect must be one of 'NoSchedule', 'PreferNoSchedule', 'NoExecute'"
+	Taint corev1.Taint `json:"taint,omitempty,omitzero"`
 
 	// nodeSelector limits the scope of this rule to a specific subset of Nodes.
 	//

api/v1alpha1/zz_generated.deepcopy.go

@@ -160,35 +160,35 @@ spec:
                 properties:
                   effect:
                     description: |-
-                      effect is the effect of the taint on pods
+                      Required. The effect of the taint on pods
                       that do not tolerate the taint.
                       Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
-                    enum:
-                    - NoSchedule
-                    - PreferNoSchedule
-                    - NoExecute
                     type: string
                   key:
-                    description: key is the taint key to be applied to a node.
-                    maxLength: 253
-                    minLength: 17
-                    pattern: ^readiness\.k8s\.io\/.*
+                    description: Required. The taint key to be applied to a node.
                     type: string
                   timeAdded:
-                    description: |-
-                      timeAdded represents the time at which the taint was added.
-                      It is only written for NoExecute taints.
+                    description: TimeAdded represents the time at which the taint
+                      was added.
                     format: date-time
                     type: string
                   value:
-                    description: value is the taint value corresponding to the taint
-                      key.
-                    maxLength: 63
+                    description: The taint value corresponding to the taint key.
                     type: string
                 required:
                 - effect
                 - key
                 type: object
+                x-kubernetes-validations:
+                - message: taint key must start with 'readiness.k8s.io/'
+                  rule: self.key.startsWith('readiness.k8s.io/')
+                - message: taint key length must be between 17 and 253 characters
+                  rule: self.key.size() >= 17 && self.key.size() <= 253
+                - message: taint value length must be at most 63 characters
+                  rule: '!has(self.value) || self.value.size() <= 63'
+                - message: taint effect must be one of 'NoSchedule', 'PreferNoSchedule',
+                    'NoExecute'
+                  rule: self.effect in ['NoSchedule', 'PreferNoSchedule', 'NoExecute']
             required:
             - conditions
             - enforcementMode

config/crd/bases/readiness.node.x-k8s.io_nodereadinessrules.yaml

@@ -229,7 +229,7 @@ func (r *RuleReadinessController) getConditionStatus(node *corev1.Node, conditio
 }
 
 // hasTaintBySpec checks if a node has a specific taint.
-func (r *RuleReadinessController) hasTaintBySpec(node *corev1.Node, taintSpec readinessv1alpha1.TaintSpec) bool {
+func (r *RuleReadinessController) hasTaintBySpec(node *corev1.Node, taintSpec corev1.Taint) bool {
 	for _, taint := range node.Spec.Taints {
 		if taint.Key == taintSpec.Key && taint.Effect == taintSpec.Effect {
 			return true
@@ -239,23 +239,14 @@ func (r *RuleReadinessController) hasTaintBySpec(node *corev1.Node, taintSpec re
 }
 
 // addTaintBySpec adds a taint to a node.
-func (r *RuleReadinessController) addTaintBySpec(ctx context.Context, node *corev1.Node, taintSpec readinessv1alpha1.TaintSpec) error {
+func (r *RuleReadinessController) addTaintBySpec(ctx context.Context, node *corev1.Node, taintSpec corev1.Taint) error {
 	patch := client.StrategicMergeFrom(node.DeepCopy())
-	var value string
-	if taintSpec.Value != nil {
-		value = *taintSpec.Value
-	}
-	node.Spec.Taints = append(node.Spec.Taints, corev1.Taint{
-		Key:       taintSpec.Key,
-		Value:     value,
-		Effect:    taintSpec.Effect,
-		TimeAdded: taintSpec.TimeAdded,
-	})
+	node.Spec.Taints = append(node.Spec.Taints, taintSpec)
 	return r.Patch(ctx, node, patch)
 }
 
 // removeTaintBySpec removes a taint from a node.
-func (r *RuleReadinessController) removeTaintBySpec(ctx context.Context, node *corev1.Node, taintSpec readinessv1alpha1.TaintSpec) error {
+func (r *RuleReadinessController) removeTaintBySpec(ctx context.Context, node *corev1.Node, taintSpec corev1.Taint) error {
 	patch := client.StrategicMergeFrom(node.DeepCopy())
 	var newTaints []corev1.Taint
 	for _, taint := range node.Spec.Taints {

internal/controller/node_controller.go

@@ -153,7 +153,7 @@ var _ = Describe("Node Controller", func() {
 					Conditions: []nodereadinessiov1alpha1.ConditionRequirement{
 						{Type: conditionType, RequiredStatus: corev1.ConditionTrue},
 					},
-					Taint: nodereadinessiov1alpha1.TaintSpec{
+					Taint: corev1.Taint{
 						Key:    taintKey,
 						Effect: corev1.TaintEffectNoSchedule,
 					},
@@ -398,7 +398,7 @@ var _ = Describe("Node Controller", func() {
 					Conditions: []nodereadinessiov1alpha1.ConditionRequirement{
 						{Type: conditionType, RequiredStatus: corev1.ConditionTrue},
 					},
-					Taint: nodereadinessiov1alpha1.TaintSpec{
+					Taint: corev1.Taint{
 						Key:    taintKey,
 						Effect: corev1.TaintEffectNoSchedule,
 					},
@@ -566,10 +566,10 @@ var _ = Describe("Node Controller", func() {
 					Conditions: []nodereadinessiov1alpha1.ConditionRequirement{
 						{Type: "StatusTestCondition", RequiredStatus: corev1.ConditionTrue},
 					},
-					Taint: nodereadinessiov1alpha1.TaintSpec{
+					Taint: corev1.Taint{
 						Key:    "readiness.k8s.io/status-test-taint",
 						Effect: corev1.TaintEffectNoSchedule,
-						Value:  &val,
+						Value:  val,
 					},
 					NodeSelector: metav1.LabelSelector{
 						MatchLabels: map[string]string{"test-group": "status"},

internal/controller/node_controller_test.go

@@ -89,7 +89,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 							"node-role.kubernetes.io/worker": "",
 						},
 					},
-					Taint: nodereadinessiov1alpha1.TaintSpec{
+					Taint: corev1.Taint{
 						Key:    "readiness.k8s.io/test-taint",
 						Effect: corev1.TaintEffectNoSchedule,
 					},
@@ -132,7 +132,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 							"node-role.kubernetes.io/worker": "",
 						},
 					},
-					Taint: nodereadinessiov1alpha1.TaintSpec{
+					Taint: corev1.Taint{
 						Key:    "readiness.k8s.io/test-taint",
 						Effect: corev1.TaintEffectNoSchedule,
 					},
@@ -175,7 +175,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 							"node-role.kubernetes.io/worker": "",
 						},
 					},
-					Taint: nodereadinessiov1alpha1.TaintSpec{
+					Taint: corev1.Taint{
 						Key:    "readiness.k8s.io/test-taint",
 						Effect: corev1.TaintEffectNoSchedule,
 					},
@@ -236,7 +236,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 					Conditions: []nodereadinessiov1alpha1.ConditionRequirement{
 						{Type: "TestCondition", RequiredStatus: corev1.ConditionTrue},
 					},
-					Taint: nodereadinessiov1alpha1.TaintSpec{
+					Taint: corev1.Taint{
 						Key:    "readiness.k8s.io/immediate-test-taint",
 						Effect: corev1.TaintEffectNoSchedule,
 					},
@@ -298,7 +298,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 							"node-role.kubernetes.io/worker": "",
 						},
 					},
-					Taint: nodereadinessiov1alpha1.TaintSpec{
+					Taint: corev1.Taint{
 						Key:    "readiness.k8s.io/dry-run-taint",
 						Effect: corev1.TaintEffectNoSchedule,
 					},
@@ -368,7 +368,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 					Conditions: []nodereadinessiov1alpha1.ConditionRequirement{
 						{Type: "Ready", RequiredStatus: corev1.ConditionTrue},
 					},
-					Taint: nodereadinessiov1alpha1.TaintSpec{
+					Taint: corev1.Taint{
 						Key:    "readiness.k8s.io/node-test-taint",
 						Effect: corev1.TaintEffectNoSchedule,
 					},
@@ -429,7 +429,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 				},
 			}
 
-			taintSpec := nodereadinessiov1alpha1.TaintSpec{
+			taintSpec := corev1.Taint{
 				Key:    "readiness.k8s.io/test-key",
 				Effect: corev1.TaintEffectNoSchedule,
 			}
@@ -438,7 +438,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 			Expect(hasTaint).To(BeTrue())
 
 			// Test non-existent taint
-			nonExistentTaint := nodereadinessiov1alpha1.TaintSpec{
+			nonExistentTaint := corev1.Taint{
 				Key:    "readiness.k8s.io/missing-key",
 				Effect: corev1.TaintEffectNoSchedule,
 			}
@@ -534,7 +534,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 				},
 				Spec: nodereadinessiov1alpha1.NodeReadinessRuleSpec{
 					Conditions:      []nodereadinessiov1alpha1.ConditionRequirement{{Type: "DBReady", RequiredStatus: corev1.ConditionTrue}},
-					Taint:           nodereadinessiov1alpha1.TaintSpec{Key: "readiness.k8s.io/db-unready", Effect: corev1.TaintEffectNoSchedule},
+					Taint:           corev1.Taint{Key: "readiness.k8s.io/db-unready", Effect: corev1.TaintEffectNoSchedule},
 					EnforcementMode: nodereadinessiov1alpha1.EnforcementModeContinuous,
 					NodeSelector:    metav1.LabelSelector{MatchLabels: map[string]string{"app": "backend"}},
 				},
@@ -590,7 +590,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 				},
 				Spec: nodereadinessiov1alpha1.NodeReadinessRuleSpec{
 					Conditions:      []nodereadinessiov1alpha1.ConditionRequirement{{Type: "TestReady", RequiredStatus: corev1.ConditionTrue}},
-					Taint:           nodereadinessiov1alpha1.TaintSpec{Key: "readiness.k8s.io/test-unready", Effect: corev1.TaintEffectNoSchedule},
+					Taint:           corev1.Taint{Key: "readiness.k8s.io/test-unready", Effect: corev1.TaintEffectNoSchedule},
 					EnforcementMode: nodereadinessiov1alpha1.EnforcementModeContinuous,
 					NodeSelector:    metav1.LabelSelector{MatchLabels: map[string]string{"node-group": "new-workers"}},
 				},
@@ -679,7 +679,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 				Spec: nodereadinessiov1alpha1.NodeReadinessRuleSpec{
 					Conditions:      []nodereadinessiov1alpha1.ConditionRequirement{{Type: "TestReady", RequiredStatus: corev1.ConditionTrue}},
 					NodeSelector:    metav1.LabelSelector{MatchLabels: map[string]string{"kubernetes.io/hostname": "cleanup-test-node"}},
-					Taint:           nodereadinessiov1alpha1.TaintSpec{Key: "readiness.k8s.io/cleanup-taint", Effect: corev1.TaintEffectNoSchedule},
+					Taint:           corev1.Taint{Key: "readiness.k8s.io/cleanup-taint", Effect: corev1.TaintEffectNoSchedule},
 					EnforcementMode: nodereadinessiov1alpha1.EnforcementModeContinuous,
 				},
 			}
@@ -767,7 +767,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 							},
 						},
 					},
-					Taint:           nodereadinessiov1alpha1.TaintSpec{Key: "readiness.k8s.io/unready", Effect: corev1.TaintEffectNoSchedule},
+					Taint:           corev1.Taint{Key: "readiness.k8s.io/unready", Effect: corev1.TaintEffectNoSchedule},
 					EnforcementMode: nodereadinessiov1alpha1.EnforcementModeContinuous,
 				},
 			}
@@ -868,7 +868,7 @@ var _ = Describe("NodeReadinessRule Controller", func() {
 					Conditions: []nodereadinessiov1alpha1.ConditionRequirement{
 						{Type: "TestReady", RequiredStatus: corev1.ConditionTrue},
 					},
-					Taint:           nodereadinessiov1alpha1.TaintSpec{Key: selectorChangeTaintKey, Effect: corev1.TaintEffectNoSchedule},
+					Taint:           corev1.Taint{Key: selectorChangeTaintKey, Effect: corev1.TaintEffectNoSchedule},
 					EnforcementMode: nodereadinessiov1alpha1.EnforcementModeContinuous,
 					NodeSelector: metav1.LabelSelector{
 						MatchLabels: map[string]string{"env": "prod"},

internal/controller/nodereadinessrule_controller_test.go

@@ -19,7 +19,9 @@ package webhook
 import (
 	"context"
 	"fmt"
+	"strings"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -93,9 +95,36 @@ func (w *NodeReadinessRuleWebhook) validateSpec(spec readinessv1alpha1.NodeReadi
 	taintField := specField.Child("taint")
 	if spec.Taint.Key == "" {
 		allErrs = append(allErrs, field.Required(taintField.Child("key"), "taint key cannot be empty"))
+	} else {
+		// Validate key prefix
+		if !strings.HasPrefix(spec.Taint.Key, "readiness.k8s.io/") {
+			allErrs = append(allErrs, field.Invalid(taintField.Child("key"), spec.Taint.Key, "taint key must start with 'readiness.k8s.io/'"))
+		}
+		// Validate key length
+		if len(spec.Taint.Key) < 17 || len(spec.Taint.Key) > 253 {
+			allErrs = append(allErrs, field.Invalid(taintField.Child("key"), spec.Taint.Key, "taint key length must be between 17 and 253 characters"))
+		}
 	}
+
 	if spec.Taint.Effect == "" {
 		allErrs = append(allErrs, field.Required(taintField.Child("effect"), "taint effect cannot be empty"))
+	} else {
+		// Validate effect
+		switch spec.Taint.Effect {
+		case corev1.TaintEffectNoSchedule, corev1.TaintEffectPreferNoSchedule, corev1.TaintEffectNoExecute:
+			// valid
+		default:
+			allErrs = append(allErrs, field.NotSupported(taintField.Child("effect"), spec.Taint.Effect, []string{
+				string(corev1.TaintEffectNoSchedule),
+				string(corev1.TaintEffectPreferNoSchedule),
+				string(corev1.TaintEffectNoExecute),
+			}))
+		}
+	}
+
+	// Validate value length
+	if len(spec.Taint.Value) > 63 {
+		allErrs = append(allErrs, field.Invalid(taintField.Child("value"), spec.Taint.Value, "taint value length must be at most 63 characters"))
 	}
 
 	// Validate enforcement mode