The committers listed above are authorized under a signed CLA.

• ✅ login: wazery / name: Wazery (48dcf3c, edef746)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wazery
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Welcome @wazery!

It looks like this is your first PR to kubernetes-sigs/controller-tools 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/controller-tools has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

Hi @wazery. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

I'm keen to seen progress on this issue, thanks @wazery for starting the push forward.

Feature gating is complex when it comes to CRDs. I'd be keen to see if we can also work out a plan for how we will gate specific markers, is that something we can align on as a project before we move forward?

Specifically I've seen needs for feature gated different enum sets, different feature gated XValidations and different values for things like Min/Max items that are feature gated.

But perhaps we actually need to be able to support gating all of the various markers we support?

/ok-to-test

Thanks a lot Joel for your review, I truly appreciate it and learn much from it.

As you can see in the current implementation it's very initial, and allows only binary field inclusion so either the entire field is in or out. Yet we can enhance the implementation further to address your cases:

• Feature-gated enum values
• Feature-gated validation rules (XValidations)
• Feature-gated marker values (Min/MaxItems, etc.)
• Conditional marker application

For example:

Option A: Inline Feature Gate Syntax

// Feature-gated enum values
// +kubebuilder:validation:Enum=stable;production
// +kubebuilder:validation:Enum=alpha;beta;experimental,featureGate=alpha

// Feature-gated validation rules  
// +kubebuilder:validation:XValidation=rule="self.size > 0"
// +kubebuilder:validation:XValidation=rule="self.advanced == true",featureGate=alpha

// Feature-gated min/max values
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MinItems=5,featureGate=strict

Option B: Dedicated Feature Gate Markers

// +kubebuilder:validation:Enum=stable;production
// +kubebuilder:validation:Enum:featureGate=alpha,value=alpha;beta;experimental

// +kubebuilder:validation:XValidation=rule="self.size > 0"  
// +kubebuilder:validation:XValidation:featureGate=alpha,rule="self.advanced == true"

Option C: Block-based Feature Gating

// +kubebuilder:feature-gate:alpha
// +kubebuilder:validation:Enum=alpha;beta;experimental  
// +kubebuilder:validation:XValidation=rule="self.advanced == true"
// +kubebuilder:feature-gate:end

// +kubebuilder:validation:Enum=stable;production  // always applied

I love to hear your thoughts on how do you think we have to move forward on this PR, and truly appreciated your help 🙇.

From your suggestions, I'd be interested to see if we can move towards Option A, though I don't know how simple that is for markers where we currently don't have keyed values.

So for example, in XValidation, it's easy to add another value as it's already a multi-value marker. For the single value markers, adding an optional additional field isn't something I've looked into (not recently at least), but from the UX perspective sounds like the best IMO

Interested to see if other maintainers have opinions on this project @alvaroaleman @sbueringer (and @everettraven who is a colleague who helps me with API review at RH)

PR Summary

Scope: This PR implements comprehensive feature gate support across all controller-tools generators:

What's Supported:

• CRD generator: Field-level (+kubebuilder:featuregate) and type-level (+kubebuilder:featuregate) feature gates
• RBAC generator: Feature gates on RBAC markers for conditional permission generation
• Webhook generator: Feature gates for conditional webhook registration
• Centralized feature gate utility: Shared featuregate package with expression evaluation, parsing, and validation
• Addresses issue Support for a feature gate flag/marker when generating CRDs #600 by completing the missing type-level feature gate functionality while providing a unified feature gate system across all generators.

What's NOT Supported (Future Work):

While rewriting the PR to have a centralised utility for supporting feature gates, I found it would require modifying each validation marker definition and the schema generation logic - a significant undertaking that should be its own focused effort. IMHO we can do that in another follow up PR.

Feature-gated validation markers:

// These are NOT supported yet:
// +kubebuilder:validation:Enum=value1;value2,featureGate=alpha
// +kubebuilder:validation:MinItems=5,featureGate=strict  
// +kubebuilder:validation:XValidation=rule="...",featureGate=beta

Also in a follow up PR I can include the following features (a work in progress now)

• Output Segregation: Directory-based separation
• Advanced CLI Workflows: Multi-gate, multi-output generation patterns
• Validation Gate Support: Feature gates on validation markers

These feature requests are mentioned in the issue #1238

Looking forward to your reviews 🙇

While rewriting the PR to have a centralised utility for supporting feature gates, I found it would require modifying each validation marker definition and the schema generation logic - a significant undertaking that should be its own focused effort. IMHO we can do that in another follow up PR.

I'm currently working with the declarative validation folks and the API review folks upstream to work out what feature gating might look like in terms of markers there.

I think we may want to copy their pattern downstream which is slightly more general, and uses chaining. For example, the +k8s:ifEnabled(<option>) marker must take a "payload". The payload in this case is another marker. So, rather than changing our existing markers, we would need to work out how to support +k8s:ifEnabled(<option>):=+kubebuilder:validation:MinItems:=5

The syntax and behaviour upstream is not quite cemented yet but I'm hoping that during the 1.35 cycle it will be, and that will allow us to start thinking about how this might work in the world of custom resources