test: Add update test helpers (#1162)

Previously there was no way to test transitions that would be
enforced via CEL. This commit fixes that and allows the testing
of CEL transition rules on update, which will be necessary for
some future handlers.

Author: jimmidyson

common/go.mod

@@ -19,6 +19,7 @@ require (
 	k8s.io/api v0.32.5
 	k8s.io/apiextensions-apiserver v0.32.5
 	k8s.io/apimachinery v0.32.5
+	k8s.io/apiserver v0.32.5
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
 	sigs.k8s.io/cluster-api v1.10.2
 	sigs.k8s.io/cluster-api/test v1.10.2
@@ -85,7 +86,6 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiserver v0.32.5 // indirect
 	k8s.io/client-go v0.32.5 // indirect
 	k8s.io/cluster-bootstrap v0.32.3 // indirect
 	k8s.io/component-base v0.32.5 // indirect

common/pkg/testutils/capitest/variables.go

@@ -22,6 +22,7 @@ import (
 type VariableTestDef struct {
 	Name        string
 	Vals        any
+	OldVals     any
 	ExpectError bool
 }
 
@@ -65,14 +66,34 @@ func ValidateDiscoverVariables[T mutation.DiscoverVariables](
 			encodedVals, err := json.Marshal(tt.Vals)
 			g.Expect(err).NotTo(gomega.HaveOccurred())
 
-			validateErr := openapi.ValidateClusterVariable(
-				&clusterv1.ClusterVariable{
-					Name:  variableName,
-					Value: apiextensionsv1.JSON{Raw: encodedVals},
-				},
-				&variable,
-				field.NewPath(variableName),
-			).ToAggregate()
+			var validateErr error
+
+			switch {
+			case tt.OldVals != nil:
+				encodedOldVals, err := json.Marshal(tt.OldVals)
+				g.Expect(err).NotTo(gomega.HaveOccurred())
+				validateErr = openapi.ValidateClusterVariableUpdate(
+					&clusterv1.ClusterVariable{
+						Name:  variableName,
+						Value: apiextensionsv1.JSON{Raw: encodedVals},
+					},
+					&clusterv1.ClusterVariable{
+						Name:  variableName,
+						Value: apiextensionsv1.JSON{Raw: encodedOldVals},
+					},
+					&variable,
+					field.NewPath(variableName),
+				).ToAggregate()
+			default:
+				validateErr = openapi.ValidateClusterVariable(
+					&clusterv1.ClusterVariable{
+						Name:  variableName,
+						Value: apiextensionsv1.JSON{Raw: encodedVals},
+					},
+					&variable,
+					field.NewPath(variableName),
+				).ToAggregate()
+			}
 
 			if tt.ExpectError {
 				g.Expect(validateErr).To(gomega.HaveOccurred())

common/pkg/testutils/openapi/convert.go

@@ -208,5 +208,22 @@ func ConvertJSONSchemaPropsToAPIExtensions(
 		}
 	}
 
+	if schema.XValidations != nil {
+		props.XValidations = make([]apiextensions.ValidationRule, 0, len(schema.XValidations))
+		for _, v := range schema.XValidations {
+			var reason *apiextensions.FieldValueErrorReason
+			if v.Reason != "" {
+				reason = ptr.To(apiextensions.FieldValueErrorReason(v.Reason))
+			}
+			props.XValidations = append(props.XValidations, apiextensions.ValidationRule{
+				Rule:              v.Rule,
+				Message:           v.Message,
+				MessageExpression: v.MessageExpression,
+				Reason:            reason,
+				FieldPath:         v.FieldPath,
+			})
+		}
+	}
+
 	return props, allErrs
 }

common/pkg/testutils/openapi/validate.go

@@ -4,16 +4,19 @@
 package openapi
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"strings"
 
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
+	"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel"
 	"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting"
 	structuralpruning "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning"
 	"k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	celconfig "k8s.io/apiserver/pkg/apis/cel"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
@@ -26,62 +29,133 @@ func ValidateClusterVariable(
 	definition *clusterv1.ClusterClassVariable,
 	fldPath *field.Path,
 ) field.ErrorList {
+	validator, apiExtensionsSchema, structuralSchema, err := validatorAndSchemas(fldPath, definition)
+	if err != nil {
+		return field.ErrorList{err}
+	}
+
+	variableValue, err := unmarshalAndDefaultVariableValue(fldPath, value, structuralSchema)
+	if err != nil {
+		return field.ErrorList{err}
+	}
+
+	// Validate variable against the schema.
+	// NOTE: We're reusing a library func used in CRD validation.
+	if err := validation.ValidateCustomResource(fldPath, variableValue, validator); err != nil {
+		return err
+	}
+
+	// Validate variable against the schema using CEL.
+	if err := validateCEL(fldPath, variableValue, nil, structuralSchema); err != nil {
+		return err
+	}
+
+	return validateUnknownFields(fldPath, value, variableValue, apiExtensionsSchema)
+}
+
+func unmarshalAndDefaultVariableValue(
+	fldPath *field.Path,
+	value *clusterv1.ClusterVariable,
+	s *structuralschema.Structural,
+) (any, *field.Error) {
 	// Parse JSON value.
-	var variableValue interface{}
+	var variableValue any
 	// Only try to unmarshal the clusterVariable if it is not nil, otherwise the variableValue is nil.
 	// Note: A clusterVariable with a nil value is the result of setting the variable value to "null" via YAML.
 	if value.Value.Raw != nil {
 		if err := json.Unmarshal(value.Value.Raw, &variableValue); err != nil {
-			return field.ErrorList{field.Invalid(fldPath.Child("value"), string(value.Value.Raw),
-				fmt.Sprintf("variable %q could not be parsed: %v", value.Name, err))}
+			return nil, field.Invalid(
+				fldPath.Child("value"), string(value.Value.Raw),
+				fmt.Sprintf("variable %q could not be parsed: %v", value.Name, err),
+			)
 		}
 	}
 
+	defaulting.Default(variableValue, s)
+
+	return variableValue, nil
+}
+
+func validatorAndSchemas(
+	fldPath *field.Path, definition *clusterv1.ClusterClassVariable,
+) (validation.SchemaValidator, *apiextensions.JSONSchemaProps, *structuralschema.Structural, *field.Error) {
 	// Convert schema to Kubernetes APIExtensions Schema.
 	apiExtensionsSchema, allErrs := ConvertJSONSchemaPropsToAPIExtensions(
 		&definition.Schema.OpenAPIV3Schema, field.NewPath("schema"),
 	)
 	if len(allErrs) > 0 {
-		return field.ErrorList{field.InternalError(fldPath,
+		return nil, nil, nil, field.InternalError(
+			fldPath,
 			fmt.Errorf(
 				"failed to convert schema definition for variable %q; ClusterClass should be checked: %v",
 				definition.Name,
 				allErrs,
 			),
-		)}
+		)
 	}
 
 	// Create validator for schema.
 	validator, _, err := validation.NewSchemaValidator(apiExtensionsSchema)
 	if err != nil {
-		return field.ErrorList{field.InternalError(fldPath,
+		return nil, nil, nil, field.InternalError(
+			fldPath,
 			fmt.Errorf(
 				"failed to create schema validator for variable %q; ClusterClass should be checked: %v",
-				value.Name,
+				definition.Name,
 				err,
 			),
-		)}
+		)
 	}
 
 	s, err := structuralschema.NewStructural(apiExtensionsSchema)
 	if err != nil {
-		return field.ErrorList{field.InternalError(fldPath,
+		return nil, nil, nil, field.InternalError(
+			fldPath,
 			fmt.Errorf(
 				"failed to create structural schema for variable %q; ClusterClass should be checked: %v",
-				value.Name,
+				definition.Name,
 				err,
 			),
-		)}
+		)
 	}
-	defaulting.Default(variableValue, s)
 
-	// Validate variable against the schema.
-	// NOTE: We're reusing a library func used in CRD validation.
-	if err := validation.ValidateCustomResource(fldPath, variableValue, validator); err != nil {
-		return err
+	return validator, apiExtensionsSchema, s, nil
+}
+
+func validateCEL(
+	fldPath *field.Path,
+	variableValue, oldVariableValue any,
+	structuralSchema *structuralschema.Structural,
+) field.ErrorList {
+	// Note: k/k CR validation also uses celconfig.PerCallLimit when creating the validator for a custom resource.
+	// The current PerCallLimit gives roughly 0.1 second for each expression validation call.
+	celValidator := cel.NewValidator(structuralSchema, false, celconfig.PerCallLimit)
+	// celValidation will be nil if there are no CEL validations specified in the schema
+	// under `x-kubernetes-validations`.
+	if celValidator == nil {
+		return nil
 	}
 
-	return validateUnknownFields(fldPath, value, variableValue, apiExtensionsSchema)
+	// Note: k/k CRD validation also uses celconfig.RuntimeCELCostBudget for the Validate call.
+	// The current RuntimeCELCostBudget gives roughly 1 second for the validation of a variable value.
+	if validationErrors, _ := celValidator.Validate(
+		context.Background(),
+		fldPath.Child("value"),
+		structuralSchema,
+		variableValue,
+		oldVariableValue,
+		celconfig.RuntimeCELCostBudget,
+	); len(validationErrors) > 0 {
+		var allErrs field.ErrorList
+		for _, validationError := range validationErrors {
+			// Set correct value in the field error. ValidateCustomResource sets the type instead of the value.
+			validationError.BadValue = variableValue
+			allErrs = append(allErrs, validationError)
+		}
+		return allErrs
+	}
+
+	return nil
 }
 
 // validateUnknownFields validates the given variableValue for unknown fields.
@@ -140,3 +214,38 @@ func validateUnknownFields(
 
 	return nil
 }
+
+// ValidateClusterVariable validates an update to a clusterVariable.
+func ValidateClusterVariableUpdate(
+	value, oldValue *clusterv1.ClusterVariable,
+	definition *clusterv1.ClusterClassVariable,
+	fldPath *field.Path,
+) field.ErrorList {
+	validator, apiExtensionsSchema, structuralSchema, err := validatorAndSchemas(fldPath, definition)
+	if err != nil {
+		return field.ErrorList{err}
+	}
+
+	variableValue, err := unmarshalAndDefaultVariableValue(fldPath, value, structuralSchema)
+	if err != nil {
+		return field.ErrorList{err}
+	}
+
+	oldVariableValue, err := unmarshalAndDefaultVariableValue(fldPath, oldValue, structuralSchema)
+	if err != nil {
+		return field.ErrorList{err}
+	}
+
+	// Validate variable against the schema.
+	// NOTE: We're reusing a library func used in CRD validation.
+	if err := validation.ValidateCustomResourceUpdate(fldPath, variableValue, oldVariableValue, validator); err != nil {
+		return err
+	}
+
+	// Validate variable against the schema using CEL.
+	if err := validateCEL(fldPath, variableValue, oldVariableValue, structuralSchema); err != nil {
+		return err
+	}
+
+	return validateUnknownFields(fldPath, value, variableValue, apiExtensionsSchema)
+}