add marker comment support for annotating cluster scopedness

pkg/generators/markers.go

@@ -61,6 +61,13 @@ func (c *CELTag) Validate() error {
  return nil
 }
 
+type KindScope string
+
+var (
+ KindScopeNamespaced KindScope = "Namespaced"
+ KindScopeCluster KindScope = "Cluster"
+)
+
 // commentTags represents the parsed comment tags for a given type. These types are then used to generate schema validations.
 // These only include the newer prefixed tags. The older tags are still supported,
 // but are not included in this struct. Comment Tags are transformed into a
@@ -77,7 +84,8 @@ func (c *CELTag) Validate() error {
 type commentTags struct {
  spec.SchemaProps
 
- CEL []CELTag `json:"cel,omitempty"`
+ CEL []CELTag `json:"cel,omitempty"`
+ Scope *KindScope `json:"scope,omitempty"`
 
  // Future markers can all be parsed into this centralized struct...
  // Optional bool `json:"optional,omitempty"`
@@ -91,9 +99,32 @@ func (c commentTags) ValidationSchema() (*spec.Schema, error) {
  SchemaProps: c.SchemaProps,
  }
 
- if len(c.CEL) > 0 {
+ celRules := c.CEL
+
+ if c.Scope != nil {
+ switch *c.Scope {
+ case KindScopeCluster:
+ celRules = append(celRules, CELTag{
+ Rule: "!has(self.metadata.__namespace__) || self.metadata.__namespace__.size() == 0",
+ Message: "not allowed on this type",
+ Reason: "FieldValueForbidden",
+ FieldPath: ".metadata.namespace",
+ })
+ case KindScopeNamespaced:
+ celRules = append(celRules, CELTag{
+ Rule: "has(self.metadata.__namespace__) && self.metadata.__namespace__.size() > 0",
+ Message: "",
+ Reason: "FieldValueRequired",
+ FieldPath: ".metadata.namespace",
+ })
+ default:
+ return nil, fmt.Errorf("invalid scope %q", *c.Scope)
+ }
+ }
+
+ if len(celRules) > 0 {
  // Convert the CELTag to a map[string]interface{} via JSON
- celTagJSON, err := json.Marshal(c.CEL)
+ celTagJSON, err := json.Marshal(celRules)
  if err != nil {
  return nil, fmt.Errorf("failed to marshal CEL tag: %w", err)
  }
@@ -164,6 +195,10 @@ func (c commentTags) Validate() error {
  err = errors.Join(err, fmt.Errorf("invalid CEL tag at index %d: %w", i, celError))
  }
 
+ if c.Scope != nil && *c.Scope != KindScopeNamespaced && *c.Scope != KindScopeCluster {
+ err = errors.Join(err, fmt.Errorf("invalid scope %q", *c.Scope))
+ }
+
  return err
 }
 
@@ -252,23 +287,48 @@ func ParseCommentTags(t *types.Type, comments []string, prefix string) (*spec.Sc
  return nil, fmt.Errorf("failed to marshal marker comments: %w", err)
  }
 
- var commentTags commentTags
- if err = json.Unmarshal(out, &commentTags); err != nil {
+ var parsed commentTags
+ if err = json.Unmarshal(out, &parsed); err != nil {
  return nil, fmt.Errorf("failed to unmarshal marker comments: %w", err)
  }
 
+ // isEmpty := reflect.DeepEqual(parsed, commentTags{})
+
+ // Take some defaults from non k8s:validation prefixed tags
+ // Only take defaults from non k8s:validation tags if there are other
+ // k8s:validation tags present on the type. This is to prevent a lot of ripple
+ // effects while this feature is still being tried out
+ if parsed.Scope == nil {
+ hasGenClient := false
+ hasGenClientNonNamespaced := false
+ for _, c := range comments {
+ c := strings.TrimSpace(c)
+ if c == "+genclient" {
+ hasGenClient = true
+ } else if c == "+genclient:nonNamespaced" {
+ hasGenClientNonNamespaced = true
+ }
+ }
+
+ if hasGenClientNonNamespaced {
+ parsed.Scope = &KindScopeCluster
+ } else if hasGenClient {
+ parsed.Scope = &KindScopeNamespaced
+ }
+ }
+
  // Validate the parsed comment tags
- validationErrors := commentTags.Validate()
+ validationErrors := parsed.Validate()
 
  if t != nil {
- validationErrors = errors.Join(validationErrors, commentTags.ValidateType(t))
+ validationErrors = errors.Join(validationErrors, parsed.ValidateType(t))
  }
 
  if validationErrors != nil {
  return nil, fmt.Errorf("invalid marker comments: %w", validationErrors)
  }
 
- return commentTags.ValidationSchema()
+ return parsed.ValidationSchema()
 }
 
 var (

pkg/generators/markers_test.go

@@ -494,6 +494,45 @@ func TestParseCommentTags(t *testing.T) {
  },
  expectedError: `failed to parse marker comments: concatenations to key 'cel[0]:message' must be consecutive with its assignment`,
  },
+ {
+ name: "namespaced scope",
+ t: structKind,
+ comments: []string{
+ `+k8s:validation:scope>Namespaced`,
+ },
+ expected: &spec.Schema{
+ VendorExtensible: spec.VendorExtensible{
+ Extensions: map[string]interface{}{
+ "x-kubernetes-validations": []interface{}{
+ map[string]interface{}{
+ "rule": "self.metadata.namespace.size() > 0",
+ "reason": "FieldValueRequired",
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "cluster scope",
+ t: structKind,
+ comments: []string{
+ `+k8s:validation:scope>Cluster`,
+ },
+ expected: &spec.Schema{
+ VendorExtensible: spec.VendorExtensible{
+ Extensions: map[string]interface{}{
+ "x-kubernetes-validations": []interface{}{
+ map[string]interface{}{
+ "rule": "self.metadata.namespace.size() == 0",
+ "message": "not allowed on this type",
+ "reason": "FieldValueForbidden",
+ },
+ },
+ },
+ },
+ },
+ },
  }
 
  for _, tc := range cases {

test/integration/testdata/golden.v2.json

@@ -1285,6 +1285,11 @@
  {
  "message": "foo",
  "rule": "self == oldSelf"
+ },
+ {
+ "fieldPath": ".metadata.namespace",
+ "reason": "FieldValueRequired",
+ "rule": "has(self.metadata.__namespace__) \u0026\u0026 self.metadata.__namespace__.size() \u003e 0"
  }
  ]
  },

test/integration/testdata/golden.v3.json

@@ -1247,6 +1247,11 @@
  {
  "message": "foo",
  "rule": "self == oldSelf"
+ },
+ {
+ "fieldPath": ".metadata.namespace",
+ "reason": "FieldValueRequired",
+ "rule": "has(self.metadata.__namespace__) \u0026\u0026 self.metadata.__namespace__.size() \u003e 0"
  }
  ]
  },

test/integration/testdata/valuevalidation/alpha.go

@@ -14,6 +14,7 @@ import (
 // +k8s:openapi-gen=true
 // +k8s:validation:cel[0]:rule="self == oldSelf"
 // +k8s:validation:cel[0]:message="foo"
+// +k8s:validation:scope>Namespaced
 type Foo struct {
  // +k8s:validation:maxLength=5
  // +k8s:validation:minLength=1