DRPolicy: Add CEL and remove webhook

[rakeshgm]

Remove DRPolicy Webhook and add CEL immutability validation for DRPolicy

[nirs]

Looks like we add the same information twice - once in the kubebuilder comment, and once here. Can we have this only once? What happens if the rule and message are different in both places?

Also this looks really magical - can you link to the docs describing this special syntax?

[rakeshgm]

we only add the comment in the API file and operator-sdk generates/updates this YAML when we run make. This is the general practice as far as I know.
check the link here: CEL Immutability

[nirs]

Can we do the same for drpc?

[rakeshgm]

yes, that is the plan. I am planning to send different PRs for each CR, it's just that removal of webhook code is more than adding CEL so, I plan to take one CR at a time so that we don't break ramen. :)

[raghavendra-talur]

Do we even need this file now? Can this be removed?

[raghavendra-talur]

I think we need to keep it as it is part of the scaffolding.

[ShyamsundarR]

Is this and config/crd/patches/cainjection_in_drpolicies.yaml needed though, I am not seeing the scaffolding requirement here?

[rakeshgm]

so, this file was created when the ramen operator was scaffolded initially. I was just trying to revert the changes that we did when adding webhooks and this line was the only change. I tested now by deleting the file. It does not matter. we can safely delete the file I believe.

[raghavendra-talur]

I think we need to keep it as it is part of the scaffolding.

[ShyamsundarR]

I think the pattern we need to use is Immutability upon object creation

For example with the current scheme a user would be allowed to set an empty value to begin with and then be allowed to modify it to a valid value, the immutability starts here and prevents further modification.

What we want is immutable post creation, so if the policy started with an empty value it should remain so.

[rakeshgm]

updated the code with Immutability upon object creation pattern for schedulingInterval and drclusters only.

[ShyamsundarR]

Tested the DRPolicy PR out and here is what I see...

Initial DRPolicy created on a kind cluster extended with the CRD from the PR:

$ kubectl get drpolicy -A -o yaml
apiVersion: v1
items:
- apiVersion: ramendr.openshift.io/v1alpha1
  kind: DRPolicy
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"ramendr.openshift.io/v1alpha1","kind":"DRPolicy","metadata":{"annotations":{},"name":"drpolicy-sample"},"spec":{"drClusters":["east","west"],"schedulingInterval":"5m"}}
    creationTimestamp: "2024-03-12T22:19:00Z"
    generation: 1
    name: drpolicy-sample
    resourceVersion: "950"
    uid: e59bd15b-5178-476f-bbe7-de8af997831d
  spec:
    drClusters:
    - east
    - west
    schedulingInterval: 5m

Look at last-applied-configuration, does not have replicationClassSelector

Now changed the DRPolicy YAML to add a replicationClassSelector and applied it, and it was successful, and here is the get after that:

$ kubectl apply -f ./drp.yaml 
drpolicy.ramendr.openshift.io/drpolicy-sample configured

$ kubectl get drpolicy -A -o yaml
apiVersion: v1
items:
- apiVersion: ramendr.openshift.io/v1alpha1
  kind: DRPolicy
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"ramendr.openshift.io/v1alpha1","kind":"DRPolicy","metadata":{"annotations":{},"name":"drpolicy-sample"},"spec":{"drClusters":["east","west"],"replicationClassSelector":{"matchLabels":{"class":"ramen"}},"schedulingInterval":"5m"}}
    creationTimestamp: "2024-03-12T22:19:00Z"
    generation: 2
    name: drpolicy-sample
    resourceVersion: "967"
    uid: e59bd15b-5178-476f-bbe7-de8af997831d
  spec:
    drClusters:
    - east
    - west
    replicationClassSelector:
      matchLabels:
        class: ramen
    schedulingInterval: 5m
kind: List
metadata:
  resourceVersion: ""

IOW, if we start wit a YAML that has no replicationClassSelector, and then add it later then it is allowed, which we should not allow.

Another test I did was to create a policy with empty list of DRClusters (as below) and it passed. This is a new test case though as older code also allowed this to pass through:

$ kubectl get drpolicy -A -o yaml
apiVersion: v1
items:
- apiVersion: ramendr.openshift.io/v1alpha1
  kind: DRPolicy
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"ramendr.openshift.io/v1alpha1","kind":"DRPolicy","metadata":{"annotations":{},"name":"drpolicy-sample"},"spec":{"drClusters":[],"replicationClassSelector":{"matchLabels":{"class":"ramen"}},"schedulingInterval":"5m"}}
    creationTimestamp: "2024-03-12T22:22:18Z"
    generation: 1
    name: drpolicy-sample
    resourceVersion: "1208"
    uid: 6755a4cb-cdfc-42f2-bb2e-e6a86fee267f
  spec:
    drClusters: []
    replicationClassSelector:
      matchLabels:
        class: ramen
    schedulingInterval: 5m
kind: List
metadata:
  resourceVersion: ""

Overall I think the CEL rules should be amended as below, such that we do not allow the above modifications:

diff --git a/api/v1alpha1/drpolicy_types.go b/api/v1alpha1/drpolicy_types.go
index c5fecea..ff7e80b 100644
--- a/api/v1alpha1/drpolicy_types.go
+++ b/api/v1alpha1/drpolicy_types.go
@@ -8,11 +8,7 @@ import (
 )
 
 // DRPolicySpec defines the desired state of DRPolicy
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.replicationClassSelector) || has(self.replicationClassSelector)", message="replicationClassSelector is required once set"
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.volumeSnapshotClassSelector) || has(self.volumeSnapshotClassSelector)", message="volumeSnapshotClassSelector is required once set"
 type DRPolicySpec struct {
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// scheduling Interval for replicating Persistent Volume
 	// data to a peer cluster. Interval is typically in the
 	// form <num><m,h,d>. Here <num> is a number, 'm' means
@@ -25,19 +21,20 @@ type DRPolicySpec struct {
 	// Label selector to identify all the VolumeReplicationClasses.
 	// This selector is assumed to be the same for all subscriptions that
 	// need DR protection. It will be passed in to the VRG when it is created
-	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="replicationClassSelector is immutable"
-	ReplicationClassSelector metav1.LabelSelector `json:"replicationClassSelector,omitempty"`
+	ReplicationClassSelector metav1.LabelSelector `json:"replicationClassSelector"`
 
 	// Label selector to identify all the VolumeSnapshotClasses.
 	// This selector is assumed to be the same for all subscriptions that
 	// need DR protection. It will be passed in to the VRG when it is created
-	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="volumeSnapshotClassSelector is immutable"
-	VolumeSnapshotClassSelector metav1.LabelSelector `json:"volumeSnapshotClassSelector,omitempty"`
+	VolumeSnapshotClassSelector metav1.LabelSelector `json:"volumeSnapshotClassSelector"`
 
 	// List of DRCluster resources that are governed by this policy
 	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:rule="size(self) == 2", message="drClusters requires a list of 2 clusters"
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="drClusters is immutable"
 	DRClusters []string `json:"drClusters"`
 }

For the tests, unfortunately as it uses a go struct for the DRPolicy, it is able to write out initial configuration with empty values, and so when we use YAML this is working differently.

I am not sure yet how to test with YAML and envtest, so that is unfortunate. We could test it in a kind cluster though and ensure that CEL rules are adhered to. I just used hack/setup-kind-cluster.sh to get a kind cluster, extended the CRD for DRPolicy and then tested with various YAMLs as above.

[rakeshgm]

Thanks for the detail input. I have pushed the changes.