split connection secret from group CEL validation

helderjs · helderjs · commit a8d33b004467 · 2025-10-30T11:47:30.000+01:00
diff --git a/tools/openapi2crd/config.yaml b/tools/openapi2crd/config.yaml
@@ -25,6 +25,7 @@ spec:
         - major_version
         - parameters
         - connection_secret
+        - mutual_exclusive_group
         - entry
         - status
         - sensitive_properties
@@ -61,17 +62,6 @@ spec:
               skipProperties:
                 - $.apiKey
                 - $.organization.links
-        - majorVersion: v20250312
-          openAPIRef:
-            name: v20250312
-          entry:
-            schema: "CreateOrganizationRequest"
-          status:
-            schema: "CreateOrganizationResponse"
-            filters:
-              skipProperties:
-                - $.apiKey
-                - $.organization.links
     - gvk:
         version: v1
         kind: Group
diff --git a/tools/openapi2crd/pkg/plugins/catalog.go b/tools/openapi2crd/pkg/plugins/catalog.go
@@ -136,12 +136,13 @@ func NewCatalog() *Catalog {
 			"mutual_exclusive_major_versions": &MutualExclusiveMajorVersions{},
 		},
 		mapping: map[string]MappingPlugin{
-			"major_version":     &MajorVersion{},
-			"parameters":        &Parameters{},
-			"entry":             &Entry{},
-			"status":            &Status{},
-			"references":        &References{},
-			"connection_secret": &ConnectionSecret{},
+			"major_version":          &MajorVersion{},
+			"parameters":             &Parameters{},
+			"entry":                  &Entry{},
+			"status":                 &Status{},
+			"references":             &References{},
+			"connection_secret":      &ConnectionSecret{},
+			"mutual_exclusive_group": &MutualExclusiveGroup{},
 		},
 		property: map[string]PropertyPlugin{
 			"sensitive_properties":  &SensitiveProperties{},
diff --git a/tools/openapi2crd/pkg/plugins/connection_secret.go b/tools/openapi2crd/pkg/plugins/connection_secret.go
@@ -25,11 +25,11 @@ import (
 // It requires the parameters and references plugins to be run first.
 type ConnectionSecret struct{}
 
-func (s *ConnectionSecret) Name() string {
+func (p *ConnectionSecret) Name() string {
 	return "connection_secret"
 }
 
-func (s *ConnectionSecret) Process(req *MappingProcessorRequest) error {
+func (p *ConnectionSecret) Process(req *MappingProcessorRequest) error {
 	specProps := req.CRD.Spec.Validation.OpenAPIV3Schema.Properties["spec"]
 
 	if _, exists := specProps.Properties["connectionSecretRef"]; !exists {
@@ -45,37 +45,22 @@ func (s *ConnectionSecret) Process(req *MappingProcessorRequest) error {
 		}
 	}
 
-	if specProps.XValidations == nil {
-		specProps.XValidations = apiextensions.ValidationRules{}
-	}
-
 	version := req.MappingConfig.MajorVersion
 	versionProps, ok := specProps.Properties[version]
 	if !ok {
 		return fmt.Errorf("version %s not found in spec", version)
 	}
 
-	_, gIDExists := versionProps.Properties["groupId"]
-	if gIDExists {
+	_, groupIDExists := versionProps.Properties["groupId"]
+	if groupIDExists {
+		if specProps.XValidations == nil {
+			specProps.XValidations = apiextensions.ValidationRules{}
+		}
 		specProps.XValidations = append(specProps.XValidations, apiextensions.ValidationRule{
 			Rule:    "(has(self." + version + ".groupId) && has(self.connectionSecretRef)) || (!has(self." + version + ".groupId))",
-			Message: "connectionSecretRef must be set if groupId is set for version " + version,
+			Message: fmt.Sprintf("spec.connectionSecretRef must be set if spec.%v.groupId is set.", version),
 		})
 	}
-
-	if versionProps.XValidations == nil {
-		versionProps.XValidations = apiextensions.ValidationRules{}
-	}
-
-	_, gRefExists := versionProps.Properties["groupRef"]
-	if gIDExists || gRefExists {
-		versionProps.XValidations = append(versionProps.XValidations, apiextensions.ValidationRule{
-			Rule:    "(has(self.groupId) && !has(self.groupRef)) || (!has(self.groupId) && has(self.groupRef))",
-			Message: "groupId and groupRef are mutually exclusive; only one of them can be set",
-		})
-	}
-
-	specProps.Properties[version] = versionProps
 	req.CRD.Spec.Validation.OpenAPIV3Schema.Properties["spec"] = specProps
 
 	return nil
diff --git a/tools/openapi2crd/pkg/plugins/connection_secret_test.go b/tools/openapi2crd/pkg/plugins/connection_secret_test.go
@@ -21,6 +21,8 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 func TestConnectionSecretName(t *testing.T) {
@@ -30,10 +32,9 @@ func TestConnectionSecretName(t *testing.T) {
 
 func TestConnectionSecretProcess(t *testing.T) {
 	tests := map[string]struct {
-		request            *MappingProcessorRequest
-		expectedProperty   apiextensions.JSONSchemaProps
-		expectedValidation apiextensions.ValidationRules
-		expectedErr        error
+		request          *MappingProcessorRequest
+		expectedProperty apiextensions.JSONSchemaProps
+		expectedErr      error
 	}{
 		"add connectionSecretRef property and validations": {
 			request: mappingRequestWithReferences(t, groupBaseCRDWithParameters(t)),
@@ -67,18 +68,12 @@ func TestConnectionSecretProcess(t *testing.T) {
 								},
 							},
 						},
-						XValidations: apiextensions.ValidationRules{
-							apiextensions.ValidationRule{
-								Rule:    "(has(self.groupId) && !has(self.groupRef)) || (!has(self.groupId) && has(self.groupRef))",
-								Message: "groupId and groupRef are mutually exclusive; only one of them can be set",
-							},
-						},
 					},
 				},
 				XValidations: apiextensions.ValidationRules{
 					apiextensions.ValidationRule{
 						Rule:    "(has(self.v20250312.groupId) && has(self.connectionSecretRef)) || (!has(self.v20250312.groupId))",
-						Message: "connectionSecretRef must be set if groupId is set for version v20250312",
+						Message: "spec.connectionSecretRef must be set if spec.v20250312.groupId is set.",
 					},
 				},
 			},
@@ -115,12 +110,6 @@ func TestConnectionSecretProcess(t *testing.T) {
 								},
 							},
 						},
-						XValidations: apiextensions.ValidationRules{
-							apiextensions.ValidationRule{
-								Rule:    "(has(self.groupId) && !has(self.groupRef)) || (!has(self.groupId) && has(self.groupRef))",
-								Message: "groupId and groupRef are mutually exclusive; only one of them can be set",
-							},
-						},
 					},
 					"v20250219": {
 						Type:        "object",
@@ -138,22 +127,44 @@ func TestConnectionSecretProcess(t *testing.T) {
 								},
 							},
 						},
-						XValidations: apiextensions.ValidationRules{
-							apiextensions.ValidationRule{
-								Rule:    "(has(self.groupId) && !has(self.groupRef)) || (!has(self.groupId) && has(self.groupRef))",
-								Message: "groupId and groupRef are mutually exclusive; only one of them can be set",
-							},
-						},
 					},
 				},
 				XValidations: apiextensions.ValidationRules{
 					apiextensions.ValidationRule{
 						Rule:    "(has(self.v20250219.groupId) && has(self.connectionSecretRef)) || (!has(self.v20250219.groupId))",
-						Message: "connectionSecretRef must be set if groupId is set for version v20250219",
+						Message: "spec.connectionSecretRef must be set if spec.v20250219.groupId is set.",
 					},
 					apiextensions.ValidationRule{
 						Rule:    "(has(self.v20250312.groupId) && has(self.connectionSecretRef)) || (!has(self.v20250312.groupId))",
-						Message: "connectionSecretRef must be set if groupId is set for version v20250312",
+						Message: "spec.connectionSecretRef must be set if spec.v20250312.groupId is set.",
+					},
+				},
+			},
+		},
+		"version but not groupId in CRD mappings": {
+			request: mappingRequestWithReferences(t, orgBaseCRDWithParameters(t)),
+			expectedProperty: apiextensions.JSONSchemaProps{
+				Type:        "object",
+				Description: "Specification of the organization supporting the following versions:\n\n- v20250312\n\nAt most one versioned spec can be specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
+				Properties: map[string]apiextensions.JSONSchemaProps{
+					"connectionSecretRef": {
+						Type:        "object",
+						Description: "SENSITIVE FIELD\n\nReference to a secret containing the credentials to setup the connection to Atlas.",
+						Properties: map[string]apiextensions.JSONSchemaProps{
+							"name": {
+								Type:        "string",
+								Description: "Name of the secret containing the Atlas credentials.",
+							},
+						},
+					},
+					"v20250312": {
+						Type:        "object",
+						Description: "The spec of the organization resource for version v20250312.",
+						Properties: map[string]apiextensions.JSONSchemaProps{
+							"orgID": {
+								Type: "string",
+							},
+						},
 					},
 				},
 			},
@@ -228,7 +239,7 @@ func groupBaseCRDMultiVersionWithParameters(t *testing.T) *apiextensions.CustomR
 	spec.XValidations = apiextensions.ValidationRules{
 		apiextensions.ValidationRule{
 			Rule:    "(has(self.v20250219.groupId) && has(self.connectionSecretRef)) || (!has(self.v20250219.groupId))",
-			Message: "connectionSecretRef must be set if groupId is set for version v20250219",
+			Message: "spec.connectionSecretRef must be set if spec.v20250219.groupId is set.",
 		},
 	}
 	spec.Properties["v20250312"] = apiextensions.JSONSchemaProps{
@@ -264,14 +275,112 @@ func groupBaseCRDMultiVersionWithParameters(t *testing.T) *apiextensions.CustomR
 				},
 			},
 		},
-		XValidations: apiextensions.ValidationRules{
-			apiextensions.ValidationRule{
-				Rule:    "(has(self.groupId) && !has(self.groupRef)) || (!has(self.groupId) && has(self.groupRef))",
-				Message: "groupId and groupRef are mutually exclusive; only one of them can be set",
-			},
-		},
 	}
 	crd.Spec.Validation.OpenAPIV3Schema.Properties["spec"] = spec
 
 	return crd
 }
+
+func orgBaseCRDWithParameters(t *testing.T) *apiextensions.CustomResourceDefinition {
+	t.Helper()
+
+	return &apiextensions.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "groups.atlas.generated.mongodb.com",
+		},
+		Spec: apiextensions.CustomResourceDefinitionSpec{
+			Group: "atlas.generated.mongodb.com",
+			Names: apiextensions.CustomResourceDefinitionNames{
+				Kind:       "Organization",
+				ListKind:   "OrganizationList",
+				Plural:     "Organizations",
+				Singular:   "organization",
+				ShortNames: []string{"ao"},
+				Categories: []string{"atlas"},
+			},
+			Scope: apiextensions.NamespaceScoped,
+			Versions: []apiextensions.CustomResourceDefinitionVersion{
+				{
+					Name:    "v1",
+					Served:  true,
+					Storage: true,
+				},
+			},
+			PreserveUnknownFields: ptr.To(false),
+			Validation: &apiextensions.CustomResourceValidation{
+				OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+					Type:        "object",
+					Description: "A organization, managed by the MongoDB Kubernetes Atlas Operator.",
+					Properties: map[string]apiextensions.JSONSchemaProps{
+						"spec": {
+							Type:        "object",
+							Description: "Specification of the organization supporting the following versions:\n\n- v20250312\n\nAt most one versioned spec can be specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
+							Properties: map[string]apiextensions.JSONSchemaProps{
+								"v20250312": {
+									Type:        "object",
+									Description: "The spec of the organization resource for version v20250312.",
+									Properties: map[string]apiextensions.JSONSchemaProps{
+										"orgID": {
+											Type: "string",
+										},
+									},
+								},
+							},
+						},
+						"status": {
+							Type:        "object",
+							Description: `Most recently observed read-only status of the organization for the specified resource version. This data may not be up to date and is populated by the system. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status`,
+							Properties: map[string]apiextensions.JSONSchemaProps{
+								"conditions": {
+									Type:        "array",
+									Description: "Represents the latest available observations of a resource's current state.",
+									Items: &apiextensions.JSONSchemaPropsOrArray{
+										Schema: &apiextensions.JSONSchemaProps{
+											Type: "object",
+											Properties: map[string]apiextensions.JSONSchemaProps{
+												"type": {
+													Type:        "string",
+													Description: "Type of condition.",
+												},
+												"status": {
+													Type:        "string",
+													Description: "Status of the condition, one of True, False, Unknown.",
+												},
+												"lastTransitionTime": {
+													Type:        "string",
+													Format:      "date-time",
+													Description: "Last time the condition transitioned from one status to another.",
+												},
+												"reason": {
+													Type:        "string",
+													Description: "The reason for the condition's last transition.",
+												},
+												"message": {
+													Type:        "string",
+													Description: "A human readable message indicating details about the transition.",
+												},
+												"observedGeneration": {
+													Type:        "integer",
+													Description: "observedGeneration represents the .metadata.generation that the condition was set based upon.",
+												},
+											},
+											Required: []string{"type", "status"},
+										},
+									},
+									XListMapKeys: []string{"type"},
+									XListType:    ptr.To("map"),
+								},
+							},
+						},
+					},
+				},
+			},
+			Subresources: &apiextensions.CustomResourceSubresources{
+				Status: &apiextensions.CustomResourceSubresourceStatus{},
+			},
+		},
+		Status: apiextensions.CustomResourceDefinitionStatus{
+			StoredVersions: []string{"v1"},
+		},
+	}
+}
diff --git a/tools/openapi2crd/pkg/plugins/mutual_exclusive_group.go b/tools/openapi2crd/pkg/plugins/mutual_exclusive_group.go
@@ -0,0 +1,34 @@
+package plugins
+
+import (
+	"fmt"
+
+	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+)
+
+type MutualExclusiveGroup struct{}
+
+func (p *MutualExclusiveGroup) Name() string {
+	return "mutual_exclusive_group"
+}
+
+func (p *MutualExclusiveGroup) Process(req *MappingProcessorRequest) error {
+	version := req.MappingConfig.MajorVersion
+	if _, ok := req.CRD.Spec.Validation.OpenAPIV3Schema.Properties["spec"].Properties[version]; !ok {
+		return fmt.Errorf("version %s not found in spec properties", version)
+	}
+
+	versionProps := req.CRD.Spec.Validation.OpenAPIV3Schema.Properties["spec"].Properties[version]
+	_, groupIDExists := versionProps.Properties["groupId"]
+	_, groupRefExists := versionProps.Properties["groupRef"]
+	if groupIDExists || groupRefExists {
+		versionProps.XValidations = append(versionProps.XValidations, apiextensions.ValidationRule{
+			Rule:    "(has(self.groupId) && !has(self.groupRef)) || (!has(self.groupId) && has(self.groupRef))",
+			Message: "groupId and groupRef are mutually exclusive; only one of them can be set",
+		})
+	}
+
+	req.CRD.Spec.Validation.OpenAPIV3Schema.Properties["spec"].Properties[version] = versionProps
+
+	return nil
+}
diff --git a/tools/openapi2crd/pkg/plugins/mutual_exclusive_group_test.go b/tools/openapi2crd/pkg/plugins/mutual_exclusive_group_test.go
