Add CEL rules test suite

This patch adds several YAML test cases that check if the CEL rules
included in the CRDs are correctly working. Both validation rules and
transition rules are checked.

A shell script is provided to execute these tests.

client/hack/README.md

@@ -1,8 +1,10 @@
 # Scripts User Guide
 
 This README documents:
+
 * What update-crd.sh and update-generated-code.sh do
 * When and how to use them
+* The CRD CEL rules test suite
 
 ## update-generated-code.sh
 
@@ -104,3 +106,35 @@ Update the restoreSize property to use type string only:
 ```
 
 * Add the VolumeSnapshot namespace to the `additionalPrinterColumns` section in `client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml`. Refer https://github.com/kubernetes-csi/external-snapshotter/pull/535 for more details.
+
+## Test suite
+
+The `test-suite` directory contains several test cases that are useful to
+validate if the CEL rules that are included in the CRD definitions
+are correctly working.
+
+### Prerequisites
+
+- Kubectl access to a cluster with the installed CRDs
+- Kubernetes >= 1.29
+
+### How to use it
+
+```
+  ./hack/run-cel-tests.sh
+
+  cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.post.yaml: SUCCESS
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-to-groupsnapshot.post.yaml: SUCCESS
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-empty.yaml: SUCCEES (expected failure)
+  cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.pre.yaml: SUCCESS
+  cel-tests/volumegroupsnapshotcontent/vgsc-ref-only-name.yaml: SUCCEES (expected failure)
+  [...]
+  cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.pre.yaml -> cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.post.yaml: SUCCEES (expected failure)
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-immutable.pre.yaml -> cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-immutable.post.yaml: SUCCEES (expected failure)
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-to-groupsnapshot.pre.yaml -> cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-to-groupsnapshot.post.yaml: SUCCEES (expected failure)
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-groupsnapshot-immutable.pre.yaml -> cel-tests/volumegroupsnapshotcontent/vgsc-source-groupsnapshot-immutable.post.yaml: SUCCEES (expected failure)
+  [...]
+
+  SUCCESS: 90
+  FAILURES: 0
+```

client/hack/cel-tests/.gitignore

@@ -0,0 +1 @@
+*.out

client/hack/cel-tests/volumegroupsnapshot/vgs-class-empty-string.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: postgresql
+  volumeGroupSnapshotClassName: ""

client/hack/cel-tests/volumegroupsnapshot/vgs-class-empty-string.yaml.err

@@ -0,0 +1 @@
+volumeGroupSnapshotClassName must not be the empty string when set

client/hack/cel-tests/volumegroupsnapshot/vgs-content-immutable.post.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    volumeGroupSnapshotContentName: this-test-changed
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-content-immutable.post.yaml.tx_err

@@ -0,0 +1 @@
+volumeGroupSnapshotContentName is immutable

client/hack/cel-tests/volumegroupsnapshot/vgs-content-immutable.pre.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    volumeGroupSnapshotContentName: this-test
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-content-to-selector.post.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: postgresql
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-content-to-selector.post.yaml.tx_err

@@ -0,0 +1 @@
+volumeGroupSnapshotContentName is required once set

client/hack/cel-tests/volumegroupsnapshot/vgs-content-to-selector.pre.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    volumeGroupSnapshotContentName: this-test
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-no-class.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: postgresql

client/hack/cel-tests/volumegroupsnapshot/vgs-selector-immutable.post.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: mysql
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-selector-immutable.post.yaml.tx_err

@@ -0,0 +1 @@
+selector is immutable

client/hack/cel-tests/volumegroupsnapshot/vgs-selector-immutable.pre.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: postgresql
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-selector-to-content.post.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    volumeGroupSnapshotContentName: this-test
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-selector-to-content.post.yaml.tx_err

@@ -0,0 +1 @@
+selector is required once set

client/hack/cel-tests/volumegroupsnapshot/vgs-selector-to-content.pre.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: postgresql
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-with-content.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    volumeGroupSnapshotContentName: this-test
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-with-no-selector-no-content.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source: {}
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-with-no-selector-no-content.yaml.err

@@ -0,0 +1 @@
+exactly one of selector and volumeGroupSnapshotContentName must be set

client/hack/cel-tests/volumegroupsnapshot/vgs-with-selector-and-content.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: postgresql
+    volumeGroupSnapshotContentName: this-test
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-with-selector-and-content.yaml.err

@@ -0,0 +1 @@
+exactly one of selector and volumeGroupSnapshotContentName must be set

client/hack/cel-tests/volumegroupsnapshot/vgs-with-selector.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: postgresql
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-name.post.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    name: new-groupsnapshot-demo-changed
+    namespace: default
+  driver: hostpath.csi.k8s.io
+  source:
+    volumeHandles:
+    - handles
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-name.post.yaml.tx_err

@@ -0,0 +1 @@
+volumeGroupSnapshotRef is immutable

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-name.pre.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    name: new-groupsnapshot-demo
+    namespace: default
+  driver: hostpath.csi.k8s.io
+  source:
+    volumeHandles:
+    - handles
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.post.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    name: new-groupsnapshot-demo
+    namespace: default-changed
+  driver: hostpath.csi.k8s.io
+  source:
+    volumeHandles:
+    - handles
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.post.yaml.tx_err

@@ -0,0 +1 @@
+volumeGroupSnapshotRef is immutable

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.pre.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    name: new-groupsnapshot-demo
+    namespace: default
+  driver: hostpath.csi.k8s.io
+  source:
+    volumeHandles:
+    - handles
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-ok.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    name: new-groupsnapshot-demo
+    namespace: default
+  driver: hostpath.csi.k8s.io
+  source:
+    volumeHandles:
+    - handles
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-ref-only-name.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    name: new-groupsnapshot-demo
+  driver: hostpath.csi.k8s.io
+  source:
+    volumeHandles:
+    - handles
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-ref-only-name.yaml.err

@@ -0,0 +1 @@
+both volumeGroupSnapshotRef.name and volumeGroupSnapshotRef.namespace must be set

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-ref-only-namespace.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    namespace: default
+  driver: hostpath.csi.k8s.io
+  source:
+    volumeHandles:
+    - handles
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-ref-only-namespace.yaml.err

@@ -0,0 +1 @@
+both volumeGroupSnapshotRef.name and volumeGroupSnapshotRef.namespace must be set

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-source-both-volume-and-groupsnapshot.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    name: new-groupsnapshot-demo
+    namespace: default
+  driver: hostpath.csi.k8s.io
+  source:
+    volumeHandles:
+    - handles
+    groupSnapshotHandles:
+      volumeGroupSnapshotHandle: this-handle
+      volumeSnapshotHandles:
+      - handle
+      - another-handle
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-source-both-volume-and-groupsnapshot.yaml.err

@@ -0,0 +1 @@
+exactly one of volumeHandles and groupSnapshotHandles must be set

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-source-empty.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    name: new-groupsnapshot-demo
+    namespace: default
+  driver: hostpath.csi.k8s.io
+  source: {}
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-source-empty.yaml.err

@@ -0,0 +1 @@
+exactly one of volumeHandles and groupSnapshotHandles must be set

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-source-groupsnapshot-immutable.post.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshotContent
+metadata:
+  name: new-groupsnapshotcontent-demo
+spec:
+  volumeGroupSnapshotRef:
+    name: new-groupsnapshot-demo
+    namespace: default
+  driver: hostpath.csi.k8s.io
+  source:
+    groupSnapshotHandles:
+      volumeGroupSnapshotHandle: this-handle
+      volumeSnapshotHandles:
+      - handle
+      - another-handle
+      - changed-handle
+  deletionPolicy: Retain

client/hack/cel-tests/volumegroupsnapshotcontent/vgsc-source-groupsnapshot-immutable.post.yaml.tx_err

@@ -0,0 +1 @@
+groupSnapshotHandles is immutable