
Commit fd42d64

committed
test: validate podmonitorings with CEL
1 parent bb7fab8 commit fd42d64

17 files changed

+1080
-101
lines changed

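--- a/.bingo/Variables.mk
+++ b/.bingo/Variables.mk
@@ -23,11 +23,11 @@ $(ADDLICENSE): $(BINGO_DIR)/addlicense.mod
 @echo "(re)installing $(GOBIN)/addlicense-v1.1.1"
 @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=addlicense.mod -o=$(GOBIN)/addlicense-v1.1.1 "github.com/google/addlicense"
 
-CONTROLLER_GEN := $(GOBIN)/controller-gen-v0.17.1
+CONTROLLER_GEN := $(GOBIN)/controller-gen-v0.17.1-0.20250103184936-50893dee96da
 $(CONTROLLER_GEN): $(BINGO_DIR)/controller-gen.mod
 @# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-@echo "(re)installing $(GOBIN)/controller-gen-v0.17.1"
-@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=controller-gen.mod -o=$(GOBIN)/controller-gen-v0.17.1 "sigs.k8s.io/controller-tools/cmd/controller-gen"
+@echo "(re)installing $(GOBIN)/controller-gen-v0.17.1-0.20250103184936-50893dee96da"
+@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=controller-gen.mod -o=$(GOBIN)/controller-gen-v0.17.1-0.20250103184936-50893dee96da "sigs.k8s.io/controller-tools/cmd/controller-gen"
 
 GEN_CRD_API_REFERENCE_DOCS := $(GOBIN)/gen-crd-api-reference-docs-v0.3.0
 $(GEN_CRD_API_REFERENCE_DOCS): $(BINGO_DIR)/gen-crd-api-reference-docs.mod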

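--- a/.bingo/controller-gen.mod
+++ b/.bingo/controller-gen.mod
@@ -2,4 +2,4 @@ module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
 
 go 1.23.0
 
-require sigs.k8s.io/controller-tools v0.17.1 // cmd/controller-gen
+require sigs.k8s.io/controller-tools v0.17.1-0.20250103184936-50893dee96da // cmd/controller-gen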

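--- a/.bingo/controller-gen.sum
+++ b/.bingo/controller-gen.sum
@@ -113,6 +113,8 @@ k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6J
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-tools v0.17.0 h1:KaEQZbhrdY6J3zLBHplt+0aKUp8PeIttlhtF2UDo6bI=
 sigs.k8s.io/controller-tools v0.17.0/go.mod h1:SKoWY8rwGWDzHtfnhmOwljn6fViG0JF7/xmnxpklgjo=
+sigs.k8s.io/controller-tools v0.17.1-0.20250103184936-50893dee96da h1:CiJ4OwcleeP/Cal2PK/s1z9fORemjvH3fcE2BH4wxXY=
+sigs.k8s.io/controller-tools v0.17.1-0.20250103184936-50893dee96da/go.mod h1:SKoWY8rwGWDzHtfnhmOwljn6fViG0JF7/xmnxpklgjo=
 sigs.k8s.io/controller-tools v0.17.1 h1:bQ+dKCS7jY9AgpefenBDtm6geJZCHVKbegpLynxgyus=
 sigs.k8s.io/controller-tools v0.17.1/go.mod h1:3QXAdrmdxYuQ4MifvbCAFD9wLXn7jylnfBPYS4yVDdc=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=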

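--- a/.bingo/variables.env
+++ b/.bingo/variables.env
@@ -10,7 +10,7 @@ fi
 
 ADDLICENSE="${GOBIN}/addlicense-v1.1.1"
 
-CONTROLLER_GEN="${GOBIN}/controller-gen-v0.17.1"
+CONTROLLER_GEN="${GOBIN}/controller-gen-v0.17.1-0.20250103184936-50893dee96da"
 
 GEN_CRD_API_REFERENCE_DOCS="${GOBIN}/gen-crd-api-reference-docs-v0.3.0"
 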
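--- a/charts/operator/crds/monitoring.googleapis.com_clusternodemonitorings.yaml
+++ b/charts/operator/crds/monitoring.googleapis.com_clusternodemonitorings.yaml
@@ -15,7 +15,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
-controller-gen.kubebuilder.io/version: v0.17.1
+controller-gen.kubebuilder.io/version: v0.17.1-0.20250103184936-50893dee96da
 name: clusternodemonitorings.monitoring.googleapis.com
 spec:
 group: monitoring.googleapis.com
@@ -90,7 +90,6 @@ spec:
 - hashmod
 - labeldrop
 - labelkeep
-format: relabel_action
 type: string
 modulus:
 description: Modulus to take of the hash of the source
@@ -100,7 +99,14 @@ spec:
 regex:
 description: Regular expression against which the extracted
 value is matched. Defaults to '(.*)'.
+maxLength: 100
 type: string
+x-kubernetes-validations:
+- rule: '!''project_id''.matches(self) && !''location''.matches(self)
+&& !''cluster''.matches(self) && !''namespace''.matches(self)
+&& !''instance''.matches(self) && !''top_level_controller''.matches(self)
+&& !''top_level_controller_type''.matches(self) &&
+!''__address__''.matches(self) && !''cluster''.matches(self)'
 replacement:
 description: |-
 Replacement value against which a regex replace is performed if the
@@ -116,18 +122,29 @@ spec:
 using the configured separator and matched against the configured regular expression
 for the replace, keep, and drop actions.
 items:
-format: labelname
-pattern: '[a-zA-Z_][a-zA-Z0-9_]*'
+pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$
 type: string
+maxItems: 100
 type: array
 targetLabel:
 description: |-
 Label to which the resulting value is written in a replace action.
 It is mandatory for replace actions. Regex capture groups are available.
-format: labelname
-pattern: '[a-zA-Z_][a-zA-Z0-9_]*'
+pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$
 type: string
+x-kubernetes-validations:
+- messageExpression: '''cannot relabel onto protected
+label "%s"''.format([self])'
+rule: self != 'project_id' && self != 'location' &&
+self != 'cluster' && self != 'namespace' && self !=
+'job' && self != 'instance' && self != 'top_level_controller'
+&& self != 'top_level_controller_type' && self !=
+'__address__'
 type: object
+x-kubernetes-validations:
+- rule: '!has(self.action) || self.action != ''labeldrop''
+|| has(self.regex)'
+maxItems: 50
 type: array
 params:
 additionalProperties:
@@ -156,6 +173,8 @@ spec:
 type: boolean
 type: object
 type: object
+maxItems: 100
+minItems: 1
 type: array
 limits:
 description: Limits to apply at scrape time.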
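Review bot: The protected-label rule added under `regex` checks `'cluster'` twice and never checks `'job'`, although the `targetLabel` rule in the same item does reject `job`; the final clause should read `!'job'.matches(self)`. The rule is not conditioned on `action`, and CEL `matches` is unanchored, so as written it appears to reject any regex that matches part of a protected name, including an explicit `(.*)` on a `replace` rule; if only labeldrop/labelkeep are meant to be guarded, gate it on the action at the item level. Neither this rule nor the item-level labeldrop rule sets a `message`, so a rejected object reports only the generic failed-rule text. The same `regex` rule appears in monitoring.googleapis.com_clusterpodmonitorings.yaml. The file is controller-gen output, so the fix belongs in the Go markers that generate it.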

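--- a/charts/operator/crds/monitoring.googleapis.com_clusterpodmonitorings.yaml
+++ b/charts/operator/crds/monitoring.googleapis.com_clusterpodmonitorings.yaml
@@ -15,7 +15,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
-controller-gen.kubebuilder.io/version: v0.17.1
+controller-gen.kubebuilder.io/version: v0.17.1-0.20250103184936-50893dee96da
 name: clusterpodmonitorings.monitoring.googleapis.com
 spec:
 group: monitoring.googleapis.com
@@ -95,6 +95,10 @@ spec:
 Type is the authentication type. Defaults to Bearer.
 Basic will cause an error, as the BasicAuth object should be used instead.
 type: string
+x-kubernetes-validations:
+- message: authorization type cannot be set to "basic",
+use "basic_auth" instead
+rule: self != 'Basic'
 type: object
 basicAuth:
 description: BasicAuth is the HTTP basic authentication credentials
@@ -132,7 +136,6 @@ spec:
 description: Interval at which to scrape metrics. Must be a
 valid Prometheus duration.
 format: duration
-pattern: ^((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)$
 type: string
 metricRelabeling:
 description: |-
@@ -158,7 +161,6 @@ spec:
 - hashmod
 - labeldrop
 - labelkeep
-format: relabel_action
 type: string
 modulus:
 description: Modulus to take of the hash of the source
@@ -168,7 +170,14 @@ spec:
 regex:
 description: Regular expression against which the extracted
 value is matched. Defaults to '(.*)'.
+maxLength: 100
 type: string
+x-kubernetes-validations:
+- rule: '!''project_id''.matches(self) && !''location''.matches(self)
+&& !''cluster''.matches(self) && !''namespace''.matches(self)
+&& !''instance''.matches(self) && !''top_level_controller''.matches(self)
+&& !''top_level_controller_type''.matches(self) &&
+!''__address__''.matches(self) && !''cluster''.matches(self)'
 replacement:
 description: |-
 Replacement value against which a regex replace is performed if the
@@ -184,18 +193,29 @@ spec:
 using the configured separator and matched against the configured regular expression
 for the replace, keep, and drop actions.
 items:
-format: labelname
-pattern: '[a-zA-Z_][a-zA-Z0-9_]*'
+pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$
 type: string
+maxItems: 100
 type: array
 targetLabel:
 description: |-
 Label to which the resulting value is written in a replace action.
 It is mandatory for replace actions. Regex capture groups are available.
-format: labelname
-pattern: '[a-zA-Z_][a-zA-Z0-9_]*'
+pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$
 type: string
+x-kubernetes-validations:
+- messageExpression: '''cannot relabel onto protected
+label "%s"''.format([self])'
+rule: self != 'project_id' && self != 'location' &&
+self != 'cluster' && self != 'namespace' && self !=
+'job' && self != 'instance' && self != 'top_level_controller'
+&& self != 'top_level_controller_type' && self !=
+'__address__'
 type: object
+x-kubernetes-validations:
+- rule: '!has(self.action) || self.action != ''labeldrop''
+|| has(self.regex)'
+maxItems: 50
 type: array
 oauth2:
 description: OAuth2 is the OAuth2 client credentials used to
@@ -240,7 +260,10 @@ spec:
 ProxyURL is the HTTP proxy server to use to connect to the targets.
 
 Encoded passwords are not supported.
+maxLength: 2000
 type: string
+x-kubernetes-validations:
+- rule: isURL(self) && !self.matches('@')
 scopes:
 description: Scopes represents the scopes for the token
 request.
@@ -337,6 +360,11 @@ spec:
 
 If unset, Prometheus will use Go default minimum version, which is TLS 1.2.
 See MinVersion in https://pkg.go.dev/crypto/tls#Config.
+enum:
+- TLS10
+- TLS11
+- TLS12
+- TLS13
 type: string
 minVersion:
 description: |-
@@ -345,6 +373,11 @@ spec:
 
 If unset, Prometheus will use Go default minimum version, which is TLS 1.2.
 See MinVersion in https://pkg.go.dev/crypto/tls#Config.
+enum:
+- TLS10
+- TLS11
+- TLS12
+- TLS13
 type: string
 serverName:
 description: ServerName is used to verify the hostname
@@ -377,13 +410,22 @@ spec:
 Name or number of the port to scrape.
 The container metadata label is only populated if the port is referenced by name
 because port numbers are not unique across containers.
+maxLength: 253
+minLength: 1
+pattern: ^[a-z0-9]([a-z0-9-]{0,251}[a-z0-9])?$
 x-kubernetes-int-or-string: true
+x-kubernetes-validations:
+- message: Port is required
+rule: self != 0
 proxyUrl:
 description: |-
 ProxyURL is the HTTP proxy server to use to connect to the targets.
 
 Encoded passwords are not supported.
+maxLength: 2000
 type: string
+x-kubernetes-validations:
+- rule: isURL(self) && !self.matches('@')
 scheme:
 description: Protocol scheme to use to scrape.
 enum:
@@ -395,7 +437,6 @@ spec:
 Timeout for metrics scrapes. Must be a valid Prometheus duration.
 Must not be larger than the scrape interval.
 format: duration
-pattern: ^((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)$
 type: string
 tls:
 description: TLS configures the scrape request's TLS settings.
@@ -487,6 +528,11 @@ spec:
 
 If unset, Prometheus will use Go default minimum version, which is TLS 1.2.
 See MinVersion in https://pkg.go.dev/crypto/tls#Config.
+enum:
+- TLS10
+- TLS11
+- TLS12
+- TLS13
 type: string
 minVersion:
 description: |-
@@ -495,6 +541,11 @@ spec:
 
 If unset, Prometheus will use Go default minimum version, which is TLS 1.2.
 See MinVersion in https://pkg.go.dev/crypto/tls#Config.
+enum:
+- TLS10
+- TLS11
+- TLS12
+- TLS13
 type: string
 serverName:
 description: ServerName is used to verify the hostname for
@@ -506,13 +557,16 @@ spec:
 when either is provided
 rule: has(self.cert) == has(self.key)
 required:
+- interval
 - port
 type: object
 x-kubernetes-validations:
-- messageExpression: '''"scrape timeout " + self.timeout + "must
-not be greater than scrape interval" + self.interval'''
-rule: '!has(self.interval) || !has(self.timeout) || self.interval
-<= self.timeout'
+- messageExpression: '''scrape timeout (%s) must not be greater
+than scrape interval (%s)''.format([self.timeout, self.interval])'
+rule: '!has(self.timeout) || self.timeout <= self.interval'
+- rule: '((has(self.authorization) ? 1 : 0) + (has(self.basicAuth)
+? 1 : 0) + (has(self.oauth2) ? 1 : 0)) <= 1'
+maxItems: 100
 minItems: 1
 type: array
 filterRunning:
@@ -626,19 +680,25 @@ spec:
 properties:
 from:
 description: Kubernetes resource label to remap.
-format: labelname
-pattern: '[a-zA-Z_][a-zA-Z0-9_]*'
+pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$
 type: string
 to:
 description: |-
 Remapped Prometheus target label.
 Defaults to the same name as `From`.
-format: labelname
-pattern: '[a-zA-Z_][a-zA-Z0-9_]*'
+pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$
 type: string
+x-kubernetes-validations:
+- messageExpression: '''cannot relabel onto protected label
+"%s"''.format([self])'
+rule: self != 'project_id' && self != 'location' && self
+!= 'cluster' && self != 'namespace' && self != 'job'
+&& self != 'instance' && self != 'top_level_controller'
+&& self != 'top_level_controller_type' && self != '__address__'
 required:
 - from
 type: object
+maxItems: 100
 type: array
 metadata:
 description: |-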
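Review bot: The rule added on the authorization `type` field rejects only the exact string `Basic`, while its message says the type cannot be "basic" and points users at `basic_auth` although the field in this schema is `basicAuth`. Other casings such as `basic` pass admission; if the downstream scrape-config check is case-insensitive (not visible here) they fail only later, so `rule: self.lowerAscii() != 'basic'` with a message naming `basicAuth` would be safer. The two `proxyUrl` rules, `isURL(self) && !self.matches('@')`, carry no `message`, so a URL with embedded credentials is rejected with only the generic rule text; something like `message: proxyUrl must be a valid URL without userinfo` would tell the user why. Adding `interval` to `required` tightens an existing API version, so confirm that already-stored objects without it still pass updates. As this file is generated by controller-gen, these changes belong in the Go type markers.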

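--- a/charts/operator/crds/monitoring.googleapis.com_clusterrules.yaml
+++ b/charts/operator/crds/monitoring.googleapis.com_clusterrules.yaml
@@ -15,7 +15,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
-controller-gen.kubebuilder.io/version: v0.17.1
+controller-gen.kubebuilder.io/version: v0.17.1-0.20250103184936-50893dee96da
 name: clusterrules.monitoring.googleapis.com
 spec:
 group: monitoring.googleapis.com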

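--- a/charts/operator/crds/monitoring.googleapis.com_globalrules.yaml
+++ b/charts/operator/crds/monitoring.googleapis.com_globalrules.yaml
@@ -15,7 +15,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
-controller-gen.kubebuilder.io/version: v0.17.1
+controller-gen.kubebuilder.io/version: v0.17.1-0.20250103184936-50893dee96da
 name: globalrules.monitoring.googleapis.com
 spec:
 group: monitoring.googleapis.com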

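--- a/charts/operator/crds/monitoring.googleapis.com_operatorconfigs.yaml
+++ b/charts/operator/crds/monitoring.googleapis.com_operatorconfigs.yaml
@@ -15,7 +15,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
-controller-gen.kubebuilder.io/version: v0.17.1
+controller-gen.kubebuilder.io/version: v0.17.1-0.20250103184936-50893dee96da
 name: operatorconfigs.monitoring.googleapis.com
 spec:
 group: monitoring.googleapis.com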
