Skip to content

Reviewal and Proposal for CRD Validation #1562

@Joe-Bresee

Description

@Joe-Bresee

Audit of kustomize-controller CRD Validations

Related to: fluxcd/flux2#2993

This issue tracks the audit of kustomize-controller CRD validations. I plan on implementing the accepted changes once reviewed.


Initial Findings

I have grouped validations by struct. The first struct here is KustomizationSpec, and I will list annotations for each type in the struct. Then I review individual structs and reference types.


kustomization_types.go

KustomizationSpec

  • CommonMetadata: Ok
  • DependsOn: maxItems
  • Decryption: Ok
  • Interval: min 60s; Suggest XValidation: Interval >= 60s
  • RetryInterval: min 60s; Suggest XValidation: RetryInterval >= 60s
  • KubeConfig: Ok
  • Path: min/max length, path structure pattern matching
  • PostBuild: Ok
  • Prune: Ok
  • DeletionPolicy: Ok
  • HealthChecks: maxItems. Backed by meta.NamespacedObjectKindReference, which currently has no DNS-1123 validation. Flagged for potential follow-up in the shared meta API rather than addressing locally.
  • NamePrefix: maxLength, perhaps pattern matching later on to help with the full name matching DNS1123. Recommend removing +kubebuilder:validation:Optional because +optional is already included
  • NameSuffix: maxLength. Same as above
  • Patches: Ok. Maybe add maxItems
  • Images: Ok. Maybe add maxItems
  • ServiceAccountName: min/max string length, DNS-1123
  • SourceRef: Ok
    Suspend: Optional boolean defaults are inconsistent across the spec. Add default: false to all optional boolean fields for consistency and improved clarity in kubectl explain. This would make the default behavior explicit and observable at the API level and should be treated as an API change.
  • TargetNamespace: DNS-1123. Remove one of the +Optionals
  • Timeout: pattern for min/max timeout length, e.g., maximum 24h, or XValidation: Timeout >= 1s
  • Force: See Suspend note
  • Wait: See Suspend note
  • Components: maxItems
  • IgnoreMissingComponents: See Suspend note
  • HealthCheckExprs: maxItems

Individual Structs

CommonMetadata

  • Annotations and Labels: add maxProperties, matchLength on values/keys

Decryption

  • ServiceAccountName: add DNS-1123 and min/max length checks

PostBuild

  • Substitute: maxProperty validation
  • SubstituteFrom: maxItems

SubstituteReference

  • Name: DNS-1123
  • Optional: see Suspend note

reference_types.go

CrossNamespaceSourceReference

  • APIVersion: min/max length, pattern validation
  • Kind: Ok
  • Name, Namespace: DNS-1123, min/max length

DependencyReference

  • Name, Namespace: min/max length, DNS-1123
  • ReadyExpr: CEL pattern validation, min/max string length

Backwards Compatibility

  • No missing validations noticed from earlier api versions.

Below I'm going to organize these issues into low vs. high risk changes, i.e., low being most likely to implement without big consequences.

Low Risk

KustomizationSpec

  • DependsOn: maxItems
  • Interval: min 60s; Suggest XValidation: Interval >= 60s
  • RetryInterval: min 60s; Suggest XValidation: RetryInterval >= 60s
  • Path: min/max length only
  • HealthChecks: maxItems. Backed by meta.NamespacedObjectKindReference, noted for potential shared-type follow-up.
  • NamePrefix: maxLength. Remove +kubebuilder:validation:Optional (already optional)
  • NameSuffix: maxLength. Remove +kubebuilder:validation:Optional
  • Patches: maxItems
  • Images: maxItems
  • ServiceAccountName: min/max string length, DNS-1123
  • TargetNamespace: DNS-1123. Remove one of the +Optionals
  • Components: maxItems
  • IgnoreMissingComponents: See Suspend note (deferred for now)
  • HealthCheckExprs: maxItems

CommonMetadata

  • Annotations and Labels: add maxProperties, maxLength on keys, maxLength on values

Decryption

  • ServiceAccountName: add DNS-1123 and min/max length checks

PostBuild

  • Substitute: maxProperties validation
  • SubstituteFrom: maxItems

SubstituteReference

  • Name: DNS-1123
  • Optional: deferred (boolean default, high risk)

reference_types.go

CrossNamespaceSourceReference

  • APIVersion: min/max length
  • Kind: Ok
  • Name, Namespace: DNS-1123, min/max length

DependencyReference

  • Name, Namespace: min/max length, DNS-1123
  • ReadyExpr: CEL pattern validation, min/max string length

High Risk

  • Path: path structure pattern matching (regex)
  • meta.NamespacedObjectKindReference: DNS-1123 validation (shared-type issue; out of scope here)
  • Optional boolean defaults (Suspend, Force, Wait, IgnoreMissingComponents): would make defaults visible at API level and should be treated as an API change

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions