[Add] CEL rules for validating App and PackageInstall Spec

This PR:
- Adds KB marker to ensure that either spec.ServiceAccount
  or spec.Cluster is present in App and PackageInstall CR.
- Bumps controller-tools to 0.12.1 to support CEL based
  validation marker. That is the latest version compatible with
  the k8s release the project is currently at.
- Adds test to validate the logic introduced with the kubebuilder
  marker.

Signed-off-by: Varsha Prasad Narsing <[email protected]>

Author: varshaprasad96

config/config/crds.yml

@@ -1434,6 +1434,9 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: Expected service account or cluster.
+          rule: has(self.spec.serviceAccountName) || has(self.spec.cluster)
     served: true
     storage: true
     subresources:
@@ -1594,6 +1597,9 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: Expected service account or cluster.
+          rule: has(self.spec.serviceAccountName) || has(self.spec.cluster)
     served: true
     storage: true
     subresources:

go.mod

@@ -3,7 +3,7 @@ module github.com/vmware-tanzu/carvel-kapp-controller
 go 1.21
 
 require (
-	github.com/fatih/color v1.13.0 // indirect
+	github.com/fatih/color v1.15.0 // indirect
 	github.com/gogo/protobuf v1.3.2
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/prometheus/client_golang v1.15.1
@@ -21,7 +21,7 @@ require (
 	k8s.io/kube-aggregator v0.22.17
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
 	sigs.k8s.io/controller-runtime v0.15.3
-	sigs.k8s.io/controller-tools v0.7.0
+	sigs.k8s.io/controller-tools v0.12.1
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -30,7 +30,7 @@ require (
 	github.com/cppforlife/go-cli-ui v0.0.0-20220425131040-94f26b16bc14
 	github.com/go-logr/logr v1.2.4
 	github.com/k14s/semver/v4 v4.0.1-0.20210701191048-266d47ac6115
-	github.com/spf13/cobra v1.6.1
+	github.com/spf13/cobra v1.7.0
 	golang.org/x/sync v0.2.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/component-base v0.27.7
@@ -62,7 +62,7 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.1 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/gobuffalo/flect v0.2.3 // indirect
+	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/cel-go v0.12.7 // indirect
@@ -73,11 +73,11 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
 	github.com/hashicorp/go-version v1.2.1 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/mapstructure v1.4.1 // indirect

go.sum

@@ -14,6 +14,7 @@ import (
 // +kubebuilder:printcolumn:name=Description,JSONPath=.status.friendlyDescription,description=Friendly description,type=string
 // +kubebuilder:printcolumn:name=Since-Deploy,JSONPath=.status.deploy.startedAt,description=Last time app started being deployed. Does not mean anything was changed.,type=date
 // +kubebuilder:printcolumn:name=Age,JSONPath=.metadata.creationTimestamp,description=Time since creation,type=date
+// +kubebuilder:validation:XValidation:rule="has(self.spec.serviceAccountName) || has(self.spec.cluster)", message="Expected service account or cluster."
 // +protobuf=false
 // An App is a set of Kubernetes resources. These resources could span any number of namespaces or could be cluster-wide (e.g. CRDs). An App is represented in kapp-controller using a App CR.
 // The App CR comprises of three main sections:

pkg/apis/kappctrl/v1alpha1/types.go

@@ -17,6 +17,7 @@ import (
 // +kubebuilder:printcolumn:name=Package version,JSONPath=.status.version,description=PackageMetadata version,type=string
 // +kubebuilder:printcolumn:name=Description,JSONPath=.status.friendlyDescription,description=Friendly description,type=string
 // +kubebuilder:printcolumn:name=Age,JSONPath=.metadata.creationTimestamp,description=Time since creation,type=date
+// +kubebuilder:validation:XValidation:rule="has(self.spec.serviceAccountName) || has(self.spec.cluster)", message="Expected service account or cluster."
 // A Package Install is an actual installation of a package and its underlying resources on a Kubernetes cluster.
 // It is represented in kapp-controller by a PackageInstall CR.
 // A PackageInstall CR must reference a Package CR.

pkg/apis/packaging/v1alpha1/package_install.go

@@ -4,9 +4,14 @@
 package e2e
 
 import (
+	"fmt"
 	"os"
 	"strings"
 	"testing"
+
+	"k8s.io/apimachinery/pkg/version"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 )
 
 type Env struct {
@@ -40,3 +45,22 @@ func (e Env) Validate(t *testing.T) {
 		t.Fatalf("%s", strings.Join(errStrs, "\n"))
 	}
 }
+
+// GetServerVersion returns the cluster info. 
+func (e Env) GetServerVersion() (*version.Info, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	serverVersion, err := clientset.Discovery().ServerVersion()
+	if err != nil {
+		return nil, fmt.Errorf("Error getting server version: %v", err)
+	}
+	return serverVersion, nil
+}

test/e2e/env.go

@@ -0,0 +1,85 @@
+// Copyright 2021 VMware, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package kappcontroller
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/vmware-tanzu/carvel-kapp-controller/test/e2e"
+)
+
+// TestSAandClusterCELValidation tests packageInstall and App CR
+// to ensure that either SA or cluster is validated at admission.
+func TestSAandClusterCELValidation(t *testing.T) {
+	env := e2e.BuildEnv(t)
+	logger := e2e.Logger{}
+	kapp := e2e.Kapp{t, env.Namespace, logger}
+	kubectl := e2e.Kubectl{t, env.Namespace, logger}
+
+  // Check the Kubernetes version and skip the test if it's less than 1.26
+	kubeVersion, err := env.GetServerVersion()
+	if err != nil || kubeVersion == nil {
+		t.Fatalf("Error getting Kubernetes version: %v", err)
+	}
+
+	if kubeVersion.Major < "1" || (kubeVersion.Major == "1" && kubeVersion.Minor < "26") {
+		t.Skip("Skipping test for Kubernetes versions less than 1.26")
+	}
+
+	name := "incorrect-spec-without-sa-cluster"
+
+	appYAML := fmt.Sprintf(`
+---
+apiVersion: kappctrl.k14s.io/v1alpha1
+kind: App
+metadata:
+  name: %s
+  annotations:
+    kapp.k14s.io/change-group: kappctrl-e2e.k14s.io/apps
+spec:
+  fetch:
+    - inline:
+        paths:
+          file.yml: |
+            apiVersion: v1
+            kind: ConfigMap
+            metadata:
+              name: configmap
+  template:
+  - ytt: {}
+  deploy:
+    - kapp: {}
+`, name)
+
+	pkginstallYAML := fmt.Sprintf(`
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+  name: %[2]s
+  namespace: %[1]s
+  annotations:
+    kapp.k14s.io/change-group: kappctrl-e2e.k14s.io/packageinstalls
+spec:
+  packageRef:
+    refName: pkg.incorrect.carvel.dev
+    versionSelection:
+      constraints: 1.0.0
+`, env.Namespace, name)
+
+	logger.Section("Create App CR with kubectl", func() {
+		_, err := kubectl.RunWithOpts([]string{"apply", "-f", "-"}, e2e.RunOpts{StdinReader: strings.NewReader(appYAML), AllowError: true})
+		require.Error(t, err)
+		require.ErrorContains(t, err, "Expected service account or cluster.")
+	})
+
+	logger.Section("Create PackageInstall with kapp", func() {
+		_, err := kapp.RunWithOpts([]string{"deploy", "-a", name, "-f", "-"}, e2e.RunOpts{StdinReader: strings.NewReader(pkginstallYAML), AllowError: true})
+		require.Error(t, err)
+		require.ErrorContains(t, err, "Expected service account or cluster.")
+	})
+}