[feature] add cel validation for module values (#592)

Signed-off-by: Stepan Paksashvili <stepan.paksashvili@flant.com>
Signed-off-by: Pavel Okhlopkov <pavel.okhlopkov@flant.com>
Co-authored-by: Pavel Okhlopkov <pavel.okhlopkov@flant.com>

Author: ipaqsa

go.mod

@@ -18,12 +18,14 @@ require (
 	github.com/go-openapi/validate v0.19.12
 	github.com/goccy/go-graphviz v0.2.9
 	github.com/gofrs/uuid/v5 v5.3.2
+	github.com/google/cel-go v0.17.8
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/kennygrant/sanitize v1.2.4
 	github.com/onsi/gomega v1.37.0
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/tidwall/gjson v1.14.4
+	google.golang.org/protobuf v1.36.5
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.15.4
@@ -50,6 +52,7 @@ require (
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -153,6 +156,7 @@ require (
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/tetratelabs/wazero v1.8.1 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
@@ -176,9 +180,9 @@ require (
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/grpc v1.59.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/robfig/cron.v2 v2.0.0-20150107220207-be2e0b0deed5 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

go.sum

@@ -36,6 +36,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
@@ -276,6 +278,8 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/cel-go v0.17.8 h1:j9m730pMZt1Fc4oKhCLUHfjj6527LuhYcYw0Rl8gqto=
+github.com/google/cel-go v0.17.8/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -541,6 +545,8 @@ github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3k
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU=
+github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
@@ -761,7 +767,6 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 h1:1hfbdAfFbkmpg41000wDVqr7jUpK/Yo+LPnIxxGzmkg=
 google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f h1:2yNACc1O40tTnrsbk9Cv6oxiW8pxI/pXj0wRtdlYmgY=
 google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f/go.mod h1:Uy9bTZJqmfrw2rIBxgGLnamc78euZULUBrLZ9XTITKI=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=

pkg/values/validation/cel/cel.go

@@ -0,0 +1,91 @@
+package cel
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/go-openapi/spec"
+	"github.com/google/cel-go/cel"
+	"google.golang.org/protobuf/types/known/structpb"
+)
+
+const ruleKey = "x-deckhouse-validations"
+
+type rule struct {
+	Expression string `json:"expression" yaml:"expression"`
+	Message    string `json:"message" yaml:"message"`
+}
+
+// Validate validates config values against x-deckhouse-validation rules in schema
+func Validate(schema *spec.Schema, values map[string]interface{}) error {
+	env, err := cel.NewEnv(cel.Variable("self", cel.MapType(cel.StringType, cel.DynType)))
+	if err != nil {
+		return fmt.Errorf("create CEL env: %w", err)
+	}
+
+	raw, found := schema.Extensions[ruleKey]
+	if !found {
+		return nil
+	}
+
+	var rules []rule
+	switch v := raw.(type) {
+	case []interface{}:
+		for _, entry := range v {
+			mapEntry, ok := entry.(map[string]interface{})
+			if !ok || len(mapEntry) == 0 {
+				return fmt.Errorf("x-deckhouse-validations invalid")
+			}
+
+			if val, ok := mapEntry["expression"]; !ok || len(val.(string)) == 0 {
+				return fmt.Errorf("x-deckhouse-validations invalid: missing expression")
+			}
+			if val, ok := mapEntry["message"]; !ok || len(val.(string)) == 0 {
+				return fmt.Errorf("x-deckhouse-validations invalid: missing message")
+			}
+
+			rules = append(rules, rule{
+				Expression: mapEntry["expression"].(string),
+				Message:    mapEntry["message"].(string),
+			})
+		}
+	default:
+		return fmt.Errorf("x-deckhouse-validations invalid")
+	}
+
+	obj, err := structpb.NewStruct(values)
+	if err != nil {
+		return fmt.Errorf("convert values to struct: %w", err)
+	}
+
+	for _, r := range rules {
+		ast, issues := env.Compile(r.Expression)
+		if issues.Err() != nil {
+			return fmt.Errorf("compile the '%s' rule: %w", r.Expression, issues.Err())
+		}
+
+		prg, err := env.Program(ast)
+		if err != nil {
+			return fmt.Errorf("create program for the '%s' rule: %w", r.Expression, err)
+		}
+
+		out, _, err := prg.Eval(map[string]interface{}{"self": obj})
+		if err != nil {
+			if strings.Contains(err.Error(), "no such key:") {
+				continue
+			}
+			return fmt.Errorf("evaluate the '%s' rule: %w", r.Expression, err)
+		}
+
+		pass, ok := out.Value().(bool)
+		if !ok {
+			return errors.New("rule should return boolean")
+		}
+		if !pass {
+			return errors.New(r.Message)
+		}
+	}
+
+	return nil
+}

pkg/values/validation/schemas.go

@@ -17,6 +17,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"github.com/flant/addon-operator/pkg/utils"
+	"github.com/flant/addon-operator/pkg/values/validation/cel"
 	"github.com/flant/addon-operator/pkg/values/validation/schema"
 )
 
@@ -130,6 +131,13 @@ func validateObject(dataObj interface{}, s *spec.Schema, rootName string) error
 		return fmt.Errorf("validated data object have to be utils.Values or map[string]interface{}, got %v instead", reflect.TypeOf(v))
 	}
 
+	// Validate values against x-deckhouse-validation rules.
+	if values, ok := dataObj.(map[string]interface{}); ok {
+		if err := cel.Validate(s, values); err != nil {
+			return err
+		}
+	}
+
 	result := validator.Validate(dataObj)
 	if result.IsValid() {
 		return nil

pkg/values/validation/validator_test.go

@@ -196,3 +196,34 @@ properties:
 	mErr := valuesStorage.GetSchemaStorage().ValidateConfigValues("moduleName", moduleValues)
 	g.Expect(mErr).ShouldNot(HaveOccurred())
 }
+
+func Test_ValidateConfigValues_CEL(t *testing.T) {
+	g := NewWithT(t)
+
+	// Prepare module values that violate the CEL rule
+	values, err := utils.NewValuesFromBytes([]byte(`
+moduleName:
+  replicas: 1
+`))
+	g.Expect(err).ShouldNot(HaveOccurred())
+
+	// Schema with a CEL validation: replicas must be > 0
+	schema := `
+type: object
+properties:
+  replicas:
+    type: integer
+x-deckhouse-validations:
+  - expression: "self.ignoredField == 'Ignored'"
+    message: "ignore not existing field"
+  - expression: "self.replicas < 1"
+    message: "replicas must be greater than 1"
+`
+
+	vs, err := modules.NewValuesStorage("moduleName", nil, []byte(schema), nil)
+	g.Expect(err).ShouldNot(HaveOccurred())
+
+	err = vs.GetSchemaStorage().ValidateConfigValues("moduleName", values)
+	g.Expect(err).Should(HaveOccurred(), "expected CEL validation error")
+	g.Expect(err.Error()).Should(ContainSubstring("replicas must be greater than 1"))
+}