feat: implement webhook feature gates

Add feature gate support to webhook generation allowing conditional
inclusion of webhooks based on enabled feature gates.

Key features:
- Single gate: featureGate=alpha
- OR logic: featureGate=alpha|beta (include if ANY gate enabled)
- AND logic: featureGate=alpha&beta (include if ALL gates enabled)
- CLI parameter: controller-gen webhook featureGates="alpha=true,beta=false"
- Expression validation with clear error messages
- Comprehensive test coverage

Maintains backward compatibility - webhooks without feature gates
are always included. Follows same patterns as RBAC feature gates
for API consistency.

Author: wazery

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/onsi/gomega v1.38.0
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.7
+	github.com/stretchr/testify v1.10.0
 	golang.org/x/tools v0.36.0
 	golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated
 	gopkg.in/yaml.v2 v2.4.0
@@ -55,6 +56,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect

pkg/crd/featuregate_integration_test.go

@@ -17,28 +17,28 @@ limitations under the License.
 package crd_test
 
 import (
-"bytes"
-"io"
-"os"
-"path/filepath"
-
-"github.com/google/go-cmp/cmp"
-. "github.com/onsi/ginkgo"
-. "github.com/onsi/gomega"
-"sigs.k8s.io/controller-tools/pkg/crd"
-crdmarkers "sigs.k8s.io/controller-tools/pkg/crd/markers"
-"sigs.k8s.io/controller-tools/pkg/genall"
-"sigs.k8s.io/controller-tools/pkg/loader"
-"sigs.k8s.io/controller-tools/pkg/markers"
+	"bytes"
+	"io"
+	"os"
+	"path/filepath"
+
+	"github.com/google/go-cmp/cmp"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"sigs.k8s.io/controller-tools/pkg/crd"
+	crdmarkers "sigs.k8s.io/controller-tools/pkg/crd/markers"
+	"sigs.k8s.io/controller-tools/pkg/genall"
+	"sigs.k8s.io/controller-tools/pkg/loader"
+	"sigs.k8s.io/controller-tools/pkg/markers"
 )
 
 var _ = Describe("CRD Feature Gate Generation", func() {
 	var (
-ctx                *genall.GenerationContext
-out                *featureGateOutputRule
-featureGateDir     string
-originalWorkingDir string
-)
+		ctx                *genall.GenerationContext
+		out                *featureGateOutputRule
+		featureGateDir     string
+		originalWorkingDir string
+	)
 
 	BeforeEach(func() {
 		var err error

pkg/crd/markers/featuregate.go

@@ -24,7 +24,7 @@ import (
 
 // FeatureGate marks a field to be conditionally included based on feature gate enablement.
 // Fields marked with +kubebuilder:feature-gate will only be included in generated CRDs
-// when the specified feature gate is enabled via --feature-gates flag.
+// when the specified feature gate is enabled via the crd:featureGates parameter.
 type FeatureGate string
 
 // ApplyToSchema does nothing for feature gates - they are processed by the generator

pkg/rbac/advanced_feature_gates_test.go

@@ -5,10 +5,10 @@ import (
 	"testing"
 
 	"github.com/onsi/gomega"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"sigs.k8s.io/controller-tools/pkg/genall"
 	"sigs.k8s.io/controller-tools/pkg/loader"
 	"sigs.k8s.io/controller-tools/pkg/markers"
-	rbacv1 "k8s.io/api/rbac/v1"
 )
 
 func TestAdvancedFeatureGates(t *testing.T) {
@@ -21,67 +21,67 @@ func TestAdvancedFeatureGates(t *testing.T) {
 	// Set up generation context
 	reg := &markers.Registry{}
 	g.Expect(reg.Register(RuleDefinition)).To(gomega.Succeed())
-	
+
 	ctx := &genall.GenerationContext{
 		Collector: &markers.Collector{Registry: reg},
 		Roots:     pkgs,
 	}
 
 	tests := []struct {
-		name           string
-		featureGates   string
-		expectedRules  int
-		shouldContain  []string
+		name             string
+		featureGates     string
+		expectedRules    int
+		shouldContain    []string
 		shouldNotContain []string
 	}{
 		{
-			name:         "OR logic - alpha enabled",
-			featureGates: "alpha=true,beta=false",
-			expectedRules: 3, // always-on + OR rule (alpha|beta)
-			shouldContain: []string{"pods", "configmaps", "secrets"},
+			name:             "OR logic - alpha enabled",
+			featureGates:     "alpha=true,beta=false",
+			expectedRules:    3, // always-on + OR rule (alpha|beta)
+			shouldContain:    []string{"pods", "configmaps", "secrets"},
 			shouldNotContain: []string{"services"},
 		},
 		{
-			name:         "OR logic - beta enabled",
-			featureGates: "alpha=false,beta=true",
-			expectedRules: 3, // always-on + OR rule (alpha|beta)
-			shouldContain: []string{"pods", "configmaps", "secrets"},
+			name:             "OR logic - beta enabled",
+			featureGates:     "alpha=false,beta=true",
+			expectedRules:    3, // always-on + OR rule (alpha|beta)
+			shouldContain:    []string{"pods", "configmaps", "secrets"},
 			shouldNotContain: []string{"services"},
 		},
 		{
-			name:         "OR logic - both enabled",
-			featureGates: "alpha=true,beta=true",
-			expectedRules: 4, // always-on + OR rule + AND rule
-			shouldContain: []string{"pods", "configmaps", "secrets", "services"},
+			name:             "OR logic - both enabled",
+			featureGates:     "alpha=true,beta=true",
+			expectedRules:    4, // always-on + OR rule + AND rule
+			shouldContain:    []string{"pods", "configmaps", "secrets", "services"},
 			shouldNotContain: []string{},
 		},
 		{
-			name:         "OR logic - neither enabled",
-			featureGates: "alpha=false,beta=false",
-			expectedRules: 2, // only always-on
-			shouldContain: []string{"pods", "configmaps"},
+			name:             "OR logic - neither enabled",
+			featureGates:     "alpha=false,beta=false",
+			expectedRules:    2, // only always-on
+			shouldContain:    []string{"pods", "configmaps"},
 			shouldNotContain: []string{"secrets", "services"},
 		},
 		{
-			name:         "AND logic - only alpha enabled",
-			featureGates: "alpha=true,beta=false",
-			expectedRules: 3, // always-on + OR rule (alpha|beta)
-			shouldContain: []string{"pods", "configmaps", "secrets"},
+			name:             "AND logic - only alpha enabled",
+			featureGates:     "alpha=true,beta=false",
+			expectedRules:    3, // always-on + OR rule (alpha|beta)
+			shouldContain:    []string{"pods", "configmaps", "secrets"},
 			shouldNotContain: []string{"services"},
 		},
 		{
-			name:         "AND logic - both enabled",
-			featureGates: "alpha=true,beta=true",
-			expectedRules: 4, // always-on + OR rule + AND rule
-			shouldContain: []string{"pods", "configmaps", "secrets", "services"},
+			name:             "AND logic - both enabled",
+			featureGates:     "alpha=true,beta=true",
+			expectedRules:    4, // always-on + OR rule + AND rule
+			shouldContain:    []string{"pods", "configmaps", "secrets", "services"},
 			shouldNotContain: []string{},
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			g := gomega.NewWithT(t)
-			
+
 			objs, err := GenerateRoles(ctx, "test-role", tt.featureGates)
 			g.Expect(err).NotTo(gomega.HaveOccurred())
 			g.Expect(objs).To(gomega.HaveLen(1))
@@ -97,7 +97,7 @@ func TestAdvancedFeatureGates(t *testing.T) {
 			}
 
 			for _, resource := range tt.shouldContain {
-				g.Expect(rulesStr).To(gomega.ContainSubstring(resource), 
+				g.Expect(rulesStr).To(gomega.ContainSubstring(resource),
 					"Expected resource %s to be present", resource)
 			}
 

pkg/rbac/feature_gates_test.go

@@ -5,10 +5,10 @@ import (
 	"testing"
 
 	"github.com/onsi/gomega"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"sigs.k8s.io/controller-tools/pkg/genall"
 	"sigs.k8s.io/controller-tools/pkg/loader"
 	"sigs.k8s.io/controller-tools/pkg/markers"
-	rbacv1 "k8s.io/api/rbac/v1"
 )
 
 func TestFeatureGates(t *testing.T) {
@@ -21,60 +21,60 @@ func TestFeatureGates(t *testing.T) {
 	// Set up generation context
 	reg := &markers.Registry{}
 	g.Expect(reg.Register(RuleDefinition)).To(gomega.Succeed())
-	
+
 	ctx := &genall.GenerationContext{
 		Collector: &markers.Collector{Registry: reg},
 		Roots:     pkgs,
 	}
 
 	tests := []struct {
-		name           string
-		featureGates   string
-		expectedRules  int
-		shouldContain  []string
+		name             string
+		featureGates     string
+		expectedRules    int
+		shouldContain    []string
 		shouldNotContain []string
 	}{
 		{
-			name:         "no feature gates",
-			featureGates: "",
-			expectedRules: 2, // only always-on rules
-			shouldContain: []string{"pods", "configmaps"},
+			name:             "no feature gates",
+			featureGates:     "",
+			expectedRules:    2, // only always-on rules
+			shouldContain:    []string{"pods", "configmaps"},
 			shouldNotContain: []string{"deployments", "ingresses"},
 		},
 		{
-			name:         "alpha enabled",
-			featureGates: "alpha=true",
-			expectedRules: 3, // always-on + alpha
-			shouldContain: []string{"pods", "configmaps", "deployments"},
+			name:             "alpha enabled",
+			featureGates:     "alpha=true",
+			expectedRules:    3, // always-on + alpha
+			shouldContain:    []string{"pods", "configmaps", "deployments"},
 			shouldNotContain: []string{"ingresses"},
 		},
 		{
-			name:         "beta enabled", 
-			featureGates: "beta=true",
-			expectedRules: 3, // always-on + beta
-			shouldContain: []string{"pods", "configmaps", "ingresses"},
+			name:             "beta enabled",
+			featureGates:     "beta=true",
+			expectedRules:    3, // always-on + beta
+			shouldContain:    []string{"pods", "configmaps", "ingresses"},
 			shouldNotContain: []string{"deployments"},
 		},
 		{
-			name:         "both enabled",
-			featureGates: "alpha=true,beta=true",
-			expectedRules: 4, // all rules
-			shouldContain: []string{"pods", "configmaps", "deployments", "ingresses"},
+			name:             "both enabled",
+			featureGates:     "alpha=true,beta=true",
+			expectedRules:    4, // all rules
+			shouldContain:    []string{"pods", "configmaps", "deployments", "ingresses"},
 			shouldNotContain: []string{},
 		},
 		{
-			name:         "alpha enabled beta disabled",
-			featureGates: "alpha=true,beta=false",
-			expectedRules: 3, // always-on + alpha
-			shouldContain: []string{"pods", "configmaps", "deployments"},
+			name:             "alpha enabled beta disabled",
+			featureGates:     "alpha=true,beta=false",
+			expectedRules:    3, // always-on + alpha
+			shouldContain:    []string{"pods", "configmaps", "deployments"},
 			shouldNotContain: []string{"ingresses"},
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			g := gomega.NewWithT(t)
-			
+
 			objs, err := GenerateRoles(ctx, "test-role", tt.featureGates)
 			g.Expect(err).NotTo(gomega.HaveOccurred())
 			g.Expect(objs).To(gomega.HaveLen(1))
@@ -90,7 +90,7 @@ func TestFeatureGates(t *testing.T) {
 			}
 
 			for _, resource := range tt.shouldContain {
-				g.Expect(rulesStr).To(gomega.ContainSubstring(resource), 
+				g.Expect(rulesStr).To(gomega.ContainSubstring(resource),
 					"Expected resource %s to be present", resource)
 			}
 

pkg/rbac/parser.go

@@ -223,9 +223,10 @@ func validateFeatureGateExpression(expr string) error {
 
 	// Check for invalid characters (only allow alphanumeric, hyphens, underscores, &, |)
 	for _, char := range expr {
-		if !((char >= 'a' && char <= 'z') || (char >= 'A' && char <= 'Z') || 
-			 (char >= '0' && char <= '9') || char == '-' || char == '_' || 
-			 char == '&' || char == '|') {
+		//nolint:staticcheck // De Morgan's law suggestion ignored for readability
+		if !((char >= 'a' && char <= 'z') || (char >= 'A' && char <= 'Z') ||
+			(char >= '0' && char <= '9') || char == '-' || char == '_' ||
+			char == '&' || char == '|') {
 			return fmt.Errorf("invalid character '%c' in feature gate expression: %s", char, expr)
 		}
 	}
@@ -296,17 +297,17 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string, featureGates
 		// group RBAC markers by namespace and separate by resource
 		for _, markerValue := range markerSet[RuleDefinition.Name] {
 			rule := markerValue.(Rule)
-			
+
 			// Validate feature gate expression syntax
 			if err := validateFeatureGateExpression(rule.FeatureGate); err != nil {
 				return nil, fmt.Errorf("invalid feature gate expression in RBAC rule: %w", err)
 			}
-			
+
 			// Apply feature gate filtering
 			if !shouldIncludeRule(&rule, enabledGates) {
 				continue
 			}
-			
+
 			if len(rule.Resources) == 0 {
 				// Add a rule without any resource if Resources is empty.
 				r := Rule{