Add CEL rules test suite

This patch adds several YAML test cases that check if the CEL rules
included in the CRDs are correctly working. Both validation rules and
transition rules are checked.

A shell script is provided to execute these tests.

Author: leonardoce

client/hack/README.md

@@ -1,8 +1,10 @@
 # Scripts User Guide
 
 This README documents:
+
 * What update-crd.sh and update-generated-code.sh do
 * When and how to use them
+* The CRD CEL rules test suite
 
 ## update-generated-code.sh
 
@@ -104,3 +106,35 @@ Update the restoreSize property to use type string only:
 ```
 
 * Add the VolumeSnapshot namespace to the `additionalPrinterColumns` section in `client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml`. Refer https://github.com/kubernetes-csi/external-snapshotter/pull/535 for more details.
+
+## Test suite
+
+The `test-suite` directory contains several test cases that are useful to
+validate if the CEL rules that are included in the CRD definitions
+are correctly working.
+
+### Prerequisites
+
+- Kubectl access to a cluster with the installed CRDs
+- Kubernetes >= 1.29
+
+### How to use it
+
+```
+  ./hack/run-cel-tests.sh
+
+  cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.post.yaml: SUCCESS
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-to-groupsnapshot.post.yaml: SUCCESS
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-empty.yaml: SUCCEES (expected failure)
+  cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.pre.yaml: SUCCESS
+  cel-tests/volumegroupsnapshotcontent/vgsc-ref-only-name.yaml: SUCCEES (expected failure)
+  [...]
+  cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.pre.yaml -> cel-tests/volumegroupsnapshotcontent/vgsc-change-ref-namespace.post.yaml: SUCCEES (expected failure)
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-immutable.pre.yaml -> cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-immutable.post.yaml: SUCCEES (expected failure)
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-to-groupsnapshot.pre.yaml -> cel-tests/volumegroupsnapshotcontent/vgsc-source-volume-to-groupsnapshot.post.yaml: SUCCEES (expected failure)
+  cel-tests/volumegroupsnapshotcontent/vgsc-source-groupsnapshot-immutable.pre.yaml -> cel-tests/volumegroupsnapshotcontent/vgsc-source-groupsnapshot-immutable.post.yaml: SUCCEES (expected failure)
+  [...]
+
+  SUCCESS: 90
+  FAILURES: 0
+```

client/hack/cel-tests/.gitignore

@@ -0,0 +1 @@
+*.out

client/hack/cel-tests/volumegroupsnapshot/vgs-class-empty-string.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: postgresql
+  volumeGroupSnapshotClassName: ""

client/hack/cel-tests/volumegroupsnapshot/vgs-class-empty-string.yaml.err

@@ -0,0 +1 @@
+volumeGroupSnapshotClassName must not be the empty string when set

client/hack/cel-tests/volumegroupsnapshot/vgs-content-immutable.post.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    volumeGroupSnapshotContentName: this-test-changed
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-content-immutable.post.yaml.tx_err

@@ -0,0 +1 @@
+volumeGroupSnapshotContentName is immutable

client/hack/cel-tests/volumegroupsnapshot/vgs-content-immutable.pre.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    volumeGroupSnapshotContentName: this-test
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-content-to-selector.post.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: postgresql
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass

client/hack/cel-tests/volumegroupsnapshot/vgs-content-to-selector.post.yaml.tx_err

@@ -0,0 +1 @@
+volumeGroupSnapshotContentName is required once set

client/hack/cel-tests/volumegroupsnapshot/vgs-content-to-selector.pre.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: groupsnapshot.storage.k8s.io/v1alpha1
+kind: VolumeGroupSnapshot
+metadata:
+  name: new-groupsnapshot-demo
+spec:
+  source:
+    volumeGroupSnapshotContentName: this-test
+  volumeGroupSnapshotClassName: csi-hostpath-groupsnapclass