Skip to content

feat: Add CEL validation to OperatorConfig CRD #1911

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bernot-dev wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: Add CEL validation to OperatorConfig CRD #1911

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e3d1f62
feat: implement CEL validations for OperatorConfig
google-labs-jules[bot] Apr 10, 2026
b81131b
fix: properly escape RFC 1123 dot in CEL matcher
google-labs-jules[bot] Apr 10, 2026
d946be1
refactor(operator): properly escape rfc 1123 dot in cel matcher
google-labs-jules[bot] Apr 10, 2026
64f16ce
refactor(operator): update commit messages
google-labs-jules[bot] Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions charts/operator/crds/monitoring.googleapis.com_operatorconfigs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,9 @@ spec:
data before being written to Google Cloud Monitoring or any other additional exports
specified in the OperatorConfig. The precedence behavior matches that of Prometheus.
type: object
x-kubernetes-validations:
- message: Invalid label key
rule: self.all(key, key.matches('^[a-zA-Z_][a-zA-Z0-9_]*$'))
filter:
description: Filter limits which metric data is sent to Cloud Monitoring
(it doesn't apply to additional exports).
Expand Down Expand Up @@ -157,6 +160,8 @@ spec:
description: The URL of the endpoint that supports Prometheus Remote
Write to export samples to.
type: string
x-kubernetes-validations:
- rule: self == '' || isURL(self)
required:
- url
type: object
Expand Down Expand Up @@ -237,6 +242,8 @@ spec:

If no URL is provided, Alertmanager will point to the Google Cloud Metric Explorer page.
type: string
x-kubernetes-validations:
- rule: self == '' || isURL(self)
type: object
metadata:
type: object
Expand Down Expand Up @@ -296,9 +303,13 @@ spec:
type: object
name:
description: Name of Endpoints object in Namespace.
maxLength: 63
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
namespace:
description: Namespace of Endpoints object.
maxLength: 63
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
pathPrefix:
description: Prefix for the HTTP path alerts are pushed
Expand All @@ -312,6 +323,9 @@ spec:
x-kubernetes-int-or-string: true
scheme:
description: Scheme to use when firing alerts.
enum:
- http
- https
type: string
timeout:
description: Timeout is a per-target Alertmanager timeout
Expand Down Expand Up @@ -456,6 +470,9 @@ spec:
- key
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- rule: has(self.name) && self.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')
&& size(self.name) <= 63
maxVersion:
description: |-
Maximum TLS version. Accepted values: TLS10 (TLS 1.0), TLS11 (TLS 1.1), TLS12 (TLS 1.2), TLS13 (TLS 1.3).
Expand Down Expand Up @@ -516,16 +533,24 @@ spec:
results and alerts produced by rules. The precedence behavior matches that
of Prometheus.
type: object
x-kubernetes-validations:
- message: Invalid label key
rule: self.all(key, key.matches('^[a-zA-Z_][a-zA-Z0-9_]*$'))
generatorUrl:
description: |-
The base URL used for the generator URL in the alert notification payload.
Should point to an instance of a query frontend that gives access to queryProjectID.
type: string
x-kubernetes-validations:
- rule: self == '' || isURL(self)
queryProjectID:
description: |-
QueryProjectID is the GCP project ID to evaluate rules against.
If left blank, the rule-evaluator will try attempt to infer the Project ID
from the environment.
maxLength: 30
minLength: 6
pattern: ^[a-z][a-z0-9-]*[a-z0-9]$
type: string
type: object
scaling:
Expand Down
24 changes: 24 additions & 0 deletions manifests/setup.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1921,6 +1921,9 @@ spec:
data before being written to Google Cloud Monitoring or any other additional exports
specified in the OperatorConfig. The precedence behavior matches that of Prometheus.
type: object
x-kubernetes-validations:
- message: Invalid label key
rule: self.all(key, key.matches('^[a-zA-Z_][a-zA-Z0-9_]*$'))
filter:
description: Filter limits which metric data is sent to Cloud Monitoring (it doesn't apply to additional exports).
properties:
Expand Down Expand Up @@ -1990,6 +1993,8 @@ spec:
url:
description: The URL of the endpoint that supports Prometheus Remote Write to export samples to.
type: string
x-kubernetes-validations:
- rule: self == '' || isURL(self)
required:
- url
type: object
Expand Down Expand Up @@ -2067,6 +2072,8 @@ spec:

If no URL is provided, Alertmanager will point to the Google Cloud Metric Explorer page.
type: string
x-kubernetes-validations:
- rule: self == '' || isURL(self)
type: object
metadata:
type: object
Expand Down Expand Up @@ -2121,9 +2128,13 @@ spec:
type: object
name:
description: Name of Endpoints object in Namespace.
maxLength: 63
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
namespace:
description: Namespace of Endpoints object.
maxLength: 63
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
pathPrefix:
description: Prefix for the HTTP path alerts are pushed to.
Expand All @@ -2136,6 +2147,9 @@ spec:
x-kubernetes-int-or-string: true
scheme:
description: Scheme to use when firing alerts.
enum:
- http
- https
type: string
timeout:
description: Timeout is a per-target Alertmanager timeout when pushing alerts.
Expand Down Expand Up @@ -2264,6 +2278,8 @@ spec:
- key
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- rule: has(self.name) && self.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') && size(self.name) <= 63
maxVersion:
description: |-
Maximum TLS version. Accepted values: TLS10 (TLS 1.0), TLS11 (TLS 1.1), TLS12 (TLS 1.2), TLS13 (TLS 1.3).
Expand Down Expand Up @@ -2323,16 +2339,24 @@ spec:
results and alerts produced by rules. The precedence behavior matches that
of Prometheus.
type: object
x-kubernetes-validations:
- message: Invalid label key
rule: self.all(key, key.matches('^[a-zA-Z_][a-zA-Z0-9_]*$'))
generatorUrl:
description: |-
The base URL used for the generator URL in the alert notification payload.
Should point to an instance of a query frontend that gives access to queryProjectID.
type: string
x-kubernetes-validations:
- rule: self == '' || isURL(self)
queryProjectID:
description: |-
QueryProjectID is the GCP project ID to evaluate rules against.
If left blank, the rule-evaluator will try attempt to infer the Project ID
from the environment.
maxLength: 30
minLength: 6
pattern: ^[a-z][a-z0-9-]*[a-z0-9]$
type: string
type: object
scaling:
Expand Down
14 changes: 14 additions & 0 deletions pkg/operator/apis/monitoring/v1/operator_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -146,13 +146,18 @@ type RuleEvaluatorSpec struct {
// ExternalLabels specifies external labels that are attached to any rule
// results and alerts produced by rules. The precedence behavior matches that
// of Prometheus.
// +kubebuilder:validation:XValidation:rule="self.all(key, key.matches('^[a-zA-Z_][a-zA-Z0-9_]*$'))",message="Invalid label key"
ExternalLabels map[string]string `json:"externalLabels,omitempty"`
// QueryProjectID is the GCP project ID to evaluate rules against.
// If left blank, the rule-evaluator will try attempt to infer the Project ID
// from the environment.
// +kubebuilder:validation:MinLength=6
// +kubebuilder:validation:MaxLength=30
// +kubebuilder:validation:Pattern=^[a-z][a-z0-9-]*[a-z0-9]$
QueryProjectID string `json:"queryProjectID,omitempty"`
// The base URL used for the generator URL in the alert notification payload.
// Should point to an instance of a query frontend that gives access to queryProjectID.
// +kubebuilder:validation:XValidation:rule="self == '' || isURL(self)"
GeneratorURL string `json:"generatorUrl,omitempty"`
// Alerting contains how the rule-evaluator configures alerting.
Alerting AlertingSpec `json:"alerting,omitempty"`
Expand All @@ -170,6 +175,7 @@ type CollectionSpec struct {
// ExternalLabels specifies external labels that are attached to all scraped
// data before being written to Google Cloud Monitoring or any other additional exports
// specified in the OperatorConfig. The precedence behavior matches that of Prometheus.
// +kubebuilder:validation:XValidation:rule="self.all(key, key.matches('^[a-zA-Z_][a-zA-Z0-9_]*$'))",message="Invalid label key"
ExternalLabels map[string]string `json:"externalLabels,omitempty"`
// Filter limits which metric data is sent to Cloud Monitoring (it doesn't apply to additional exports).
Filter ExportFilters `json:"filter,omitempty"`
Expand All @@ -187,6 +193,7 @@ type CollectionSpec struct {

type ExportSpec struct {
// The URL of the endpoint that supports Prometheus Remote Write to export samples to.
// +kubebuilder:validation:XValidation:rule="self == '' || isURL(self)"
URL string `json:"url"`
}

Expand Down Expand Up @@ -288,19 +295,25 @@ type ManagedAlertmanagerSpec struct {
// be derived automatically.
//
// If no URL is provided, Alertmanager will point to the Google Cloud Metric Explorer page.
// +kubebuilder:validation:XValidation:rule="self == '' || isURL(self)"
ExternalURL string `json:"externalURL,omitempty"`
}

// AlertmanagerEndpoints defines a selection of a single Endpoints object
// containing alertmanager IPs to fire alerts against.
type AlertmanagerEndpoints struct {
// Namespace of Endpoints object.
// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
// +kubebuilder:validation:MaxLength=63
Namespace string `json:"namespace"`
// Name of Endpoints object in Namespace.
// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
// +kubebuilder:validation:MaxLength=63
Name string `json:"name"`
// Port the Alertmanager API is exposed on.
Port intstr.IntOrString `json:"port"`
// Scheme to use when firing alerts.
// +kubebuilder:validation:Enum=http;https
Scheme string `json:"scheme,omitempty"`
// Prefix for the HTTP path alerts are pushed to.
PathPrefix string `json:"pathPrefix,omitempty"`
Expand Down Expand Up @@ -332,6 +345,7 @@ type TLSConfig struct {
// Struct containing the client cert file for the targets.
Cert *SecretOrConfigMap `json:"cert,omitempty"`
// Secret containing the client key file for the targets.
// +kubebuilder:validation:XValidation:rule="has(self.name) && self.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') && size(self.name) <= 63"
KeySecret *corev1.SecretKeySelector `json:"keySecret,omitempty"`
// Used to verify the hostname for the targets.
ServerName string `json:"serverName,omitempty"`
Expand Down
Loading