✨crd/marker: add AtLeastOneOf constraint (#1278)

* crd/marker: add AtLeastOneOf

* address comments

Author: shashankram

pkg/crd/markers/validation.go

@@ -34,6 +34,7 @@ const (
 
 	ValidationExactlyOneOfPrefix = validationPrefix + "ExactlyOneOf"
 	ValidationAtMostOneOfPrefix  = validationPrefix + "AtMostOneOf"
+	ValidationAtLeastOneOfPrefix = validationPrefix + "AtLeastOneOf"
 )
 
 // ValidationMarkers lists all available markers that affect CRD schema generation,
@@ -87,6 +88,8 @@ var TypeOnlyMarkers = []*definitionWithHelp{
 		WithHelp(markers.SimpleHelp("CRD validation", "specifies a list of field names that must conform to the AtMostOneOf constraint.")),
 	must(markers.MakeDefinition(ValidationExactlyOneOfPrefix, markers.DescribesType, ExactlyOneOf(nil))).
 		WithHelp(markers.SimpleHelp("CRD validation", "specifies a list of field names that must conform to the ExactlyOneOf constraint.")),
+	must(markers.MakeDefinition(ValidationAtLeastOneOfPrefix, markers.DescribesType, AtLeastOneOf(nil))).
+		WithHelp(markers.SimpleHelp("CRD validation", "specifies a list of field names that must conform to the AtLeastOneOf constraint.")),
 }
 
 // FieldOnlyMarkers list field-specific validation markers (i.e. those markers that don't make
@@ -381,6 +384,12 @@ type AtMostOneOf []string
 // This marker may be repeated to specify multiple ExactlyOneOf constraints that are mutually exclusive.
 type ExactlyOneOf []string
 
+// +controllertools:marker:generateHelp:category="CRD validation"
+// AtLeastOneOf adds a validation constraint that allows at least one of the specified fields.
+//
+// This marker may be repeated to specify multiple AtLeastOneOf constraints that are mutually exclusive.
+type AtLeastOneOf []string
+
 func (m Maximum) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
 	if !hasNumericType(schema) {
 		return fmt.Errorf("must apply maximum to a numeric value, found %s", schema.Type)
@@ -699,8 +708,25 @@ func (fields ExactlyOneOf) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
 }
 
 func (ExactlyOneOf) ApplyPriority() ApplyPriority {
-	// explicitly go after XValidation markers so that the ordering is deterministic
-	return XValidation{}.ApplyPriority() + 1
+	// explicitly go after AtMostOneOf markers so that the ordering is deterministic
+	return AtMostOneOf{}.ApplyPriority() + 1
+}
+
+func (fields AtLeastOneOf) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
+	if len(fields) == 0 {
+		return nil
+	}
+	rule := fieldsToOneOfCelRuleStr(fields)
+	xvalidation := XValidation{
+		Rule:    fmt.Sprintf("%s >= 1", rule),
+		Message: fmt.Sprintf("at least one of the fields in %v must be set", fields),
+	}
+	return xvalidation.ApplyToSchema(schema)
+}
+
+func (AtLeastOneOf) ApplyPriority() ApplyPriority {
+	// explicitly go after ExactlyOneOf markers so that the ordering is deterministic
+	return ExactlyOneOf{}.ApplyPriority() + 1
 }
 
 // fieldsToOneOfCelRuleStr converts a slice of field names to a string representation

pkg/crd/schema.go

@@ -419,6 +419,11 @@ func structToSchema(ctx *schemaContext, structType *ast.StructType) *apiext.JSON
 		ctx.pkg.AddError(loader.ErrFromNode(err, structType))
 		return props
 	}
+	atLeastOneOf, err := oneOfValuesToSet(ctx.info.Markers[crdmarkers.ValidationAtLeastOneOfPrefix])
+	if err != nil {
+		ctx.pkg.AddError(loader.ErrFromNode(err, structType))
+		return props
+	}
 
 	for _, field := range ctx.info.Fields {
 		// Skip if the field is not an inline field, ignoreUnexportedFields is true, and the field is not exported
@@ -461,7 +466,7 @@ func structToSchema(ctx *schemaContext, structType *ast.StructType) *apiext.JSON
 		case field.Markers.Get("kubebuilder:validation:Optional") != nil:
 			// explicitly optional - kubebuilder
 		case field.Markers.Get("kubebuilder:validation:Required") != nil:
-			if exactlyOneOf.Has(fieldName) || atMostOneOf.Has(fieldName) {
+			if exactlyOneOf.Has(fieldName) || atMostOneOf.Has(fieldName) || atLeastOneOf.Has(fieldName) {
 				ctx.pkg.AddError(loader.ErrFromNode(fmt.Errorf("field %s is part of OneOf constraint and cannot be marked as required", fieldName), structType))
 				return props
 			}
@@ -470,7 +475,7 @@ func structToSchema(ctx *schemaContext, structType *ast.StructType) *apiext.JSON
 		case field.Markers.Get("optional") != nil:
 			// explicitly optional - kubernetes
 		case field.Markers.Get("required") != nil:
-			if exactlyOneOf.Has(fieldName) || atMostOneOf.Has(fieldName) {
+			if exactlyOneOf.Has(fieldName) || atMostOneOf.Has(fieldName) || atLeastOneOf.Has(fieldName) {
 				ctx.pkg.AddError(loader.ErrFromNode(fmt.Errorf("field %s is part of OneOf constraint and cannot be marked as required", fieldName), structType))
 				return props
 			}
@@ -481,7 +486,7 @@ func structToSchema(ctx *schemaContext, structType *ast.StructType) *apiext.JSON
 		case defaultMode == "required":
 			// ...everything that's not inline / omitempty is required
 			if !inline && !omitEmpty {
-				if exactlyOneOf.Has(fieldName) || atMostOneOf.Has(fieldName) {
+				if exactlyOneOf.Has(fieldName) || atMostOneOf.Has(fieldName) || atLeastOneOf.Has(fieldName) {
 					ctx.pkg.AddError(loader.ErrFromNode(fmt.Errorf("field %s is part of OneOf constraint and must have omitempty tag", fieldName), structType))
 					return props
 				}
@@ -533,6 +538,11 @@ func oneOfValuesToSet(oneOfGroups []any) (sets.Set[string], error) {
 				return nil, fmt.Errorf("%s: %w", crdmarkers.ValidationAtMostOneOfPrefix, err)
 			}
 			set.Insert(vals...)
+		case crdmarkers.AtLeastOneOf:
+			if err := validateOneOfValues(vals...); err != nil {
+				return nil, fmt.Errorf("%s: %w", crdmarkers.ValidationAtLeastOneOfPrefix, err)
+			}
+			set.Insert(vals...)
 		default:
 			return nil, fmt.Errorf("expected ExactlyOneOf or AtMostOneOf, got %T", oneOf)
 		}

pkg/crd/testdata/oneof/types.go

@@ -32,6 +32,10 @@ type OneofSpec struct {
 
 	FirstTypeWithExactOneof  *TypeWithExactOneofs         `json:"firstTypeWithExactOneof,omitempty"`
 	SecondTypeWithExactOneof *TypeWithMultipleExactOneofs `json:"secondTypeWithExactOneof,omitempty"`
+
+	TypeWithMultipleAtLeastOneofs *TypeWithMultipleAtLeastOneofs `json:"typeWithMultipleAtLeastOneOf,omitempty"`
+
+	TypeWithAllOneOf *TypeWithAllOneofs `json:"typeWithAllOneOf,omitempty"`
 }
 
 // +kubebuilder:validation:XValidation:message="only one of foo|bar may be set",rule="!(has(self.foo) && has(self.bar))"
@@ -67,6 +71,30 @@ type TypeWithMultipleExactOneofs struct {
 	D *string `json:"d,omitempty"`
 }
 
+// +kubebuilder:validation:AtLeastOneOf=a;b
+// +kubebuilder:validation:AtLeastOneOf=c;d
+type TypeWithMultipleAtLeastOneofs struct {
+	A *string `json:"a,omitempty"`
+	B *string `json:"b,omitempty"`
+
+	C *string `json:"c,omitempty"`
+	D *string `json:"d,omitempty"`
+}
+
+// +kubebuilder:validation:AtMostOneOf=a;b
+// +kubebuilder:validation:ExactlyOneOf=c;d
+// +kubebuilder:validation:AtLeastOneOf=e;f
+type TypeWithAllOneofs struct {
+	A *string `json:"a,omitempty"`
+	B *string `json:"b,omitempty"`
+
+	C *string `json:"c,omitempty"`
+	D *string `json:"d,omitempty"`
+
+	E *string `json:"e,omitempty"`
+	F *string `json:"f,omitempty"`
+}
+
 // Oneof is the Schema for the Oneof API
 type Oneof struct {
 	/*

pkg/crd/testdata/testdata.kubebuilder.io_oneofs.yaml

@@ -1,7 +1,6 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  creationTimestamp: null
   name: oneofs.testdata.kubebuilder.io
 spec:
   group: testdata.kubebuilder.io
@@ -93,6 +92,44 @@ spec:
                   rule: '[has(self.a),has(self.b)].filter(x,x==true).size() <= 1'
                 - message: at most one of the fields in [c d] may be set
                   rule: '[has(self.c),has(self.d)].filter(x,x==true).size() <= 1'
+              typeWithAllOneOf:
+                properties:
+                  a:
+                    type: string
+                  b:
+                    type: string
+                  c:
+                    type: string
+                  d:
+                    type: string
+                  e:
+                    type: string
+                  f:
+                    type: string
+                type: object
+                x-kubernetes-validations:
+                - message: at most one of the fields in [a b] may be set
+                  rule: '[has(self.a),has(self.b)].filter(x,x==true).size() <= 1'
+                - message: exactly one of the fields in [c d] must be set
+                  rule: '[has(self.c),has(self.d)].filter(x,x==true).size() == 1'
+                - message: at least one of the fields in [e f] must be set
+                  rule: '[has(self.e),has(self.f)].filter(x,x==true).size() >= 1'
+              typeWithMultipleAtLeastOneOf:
+                properties:
+                  a:
+                    type: string
+                  b:
+                    type: string
+                  c:
+                    type: string
+                  d:
+                    type: string
+                type: object
+                x-kubernetes-validations:
+                - message: at least one of the fields in [a b] must be set
+                  rule: '[has(self.a),has(self.b)].filter(x,x==true).size() >= 1'
+                - message: at least one of the fields in [c d] must be set
+                  rule: '[has(self.c),has(self.d)].filter(x,x==true).size() >= 1'
             type: object
         required:
         - spec

pkg/crd/validation_test.go

@@ -111,6 +111,19 @@ spec:
 `,
 			wantErr: `spec.secondTypeWithExactOneof: Invalid value: "object": exactly one of the fields in [c d] must be set`,
 		},
+		{
+			name: "AtLeastOneOf constraint violated by not specifying field typeWithAllOneOf.e|f",
+			obj: `---
+kind: Oneof
+apiVersion: testdata.kubebuilder.io/v1beta1
+metadata:
+  name: test
+spec:
+  typeWithAllOneOf:
+    c: "c"
+`,
+			wantErr: `spec.typeWithAllOneOf: Invalid value: "object": at least one of the fields in [e f] must be set`,
+		},
 	}
 
 	validator, err := newValidator(t.Context(), "./testdata/testdata.kubebuilder.io_oneofs.yaml")