OperatorConfig CEL Validation #1957 (Draft)

bernot-dev wants to merge 3 commits into main from operatorconfig-cel-validation

Conversation

bernot-dev (Collaborator) commented Jun 12, 2026:

Adds kubebuilder CEL validations to OperatorConfig fields based on the migration away from webhook validation.

  • Validates prometheus label keys in externalLabels
  • Validates queryProjectID constraints (length and regex pattern)
  • Adds isURL checks for generatorUrl, exports.url, externalURL
  • Implements RFC 1123 label constraints for AlertmanagerEndpoints namespace and name
  • Validates TLSConfig KeySecret name
  • Enforces HTTP/HTTPS scheme for AlertmanagerEndpoints
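
The constraints listed above, as an added example that is not part of the pull request: plain Go equivalents of each rule, so the intent of the CEL and OpenAPI markers can be exercised against sample values without a cluster. This is neither the project's webhook code nor its CEL expressions; the Prometheus label-key pattern and the RFC 1123 label pattern are the standard definitions, the GCP project ID pattern is an assumption from the documented project ID rules (the PR's exact length and regex are not shown here), and `AlertmanagerEndpoint` is a constructed stand-in for the fields the PR constrains.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

var (
	// Prometheus label name: letters, digits and underscores, not starting with a digit.
	promLabelKeyRE = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)
	// RFC 1123 label, as used for Kubernetes namespace and name fields.
	dns1123LabelRE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	// Assumed GCP project ID rules: 6-30 chars, lowercase letters, digits and hyphens,
	// starts with a letter, does not end with a hyphen.
	gcpProjectIDRE = regexp.MustCompile(`^[a-z][a-z0-9-]{4,28}[a-z0-9]$`)
)

// ValidateExternalLabels checks every key of externalLabels against the Prometheus label-name rule.
func ValidateExternalLabels(labels map[string]string) error {
	for k := range labels {
		if !promLabelKeyRE.MatchString(k) {
			return fmt.Errorf("externalLabels: invalid Prometheus label key %q", k)
		}
	}
	return nil
}

// ValidateQueryProjectID accepts an empty value (meaning "unset", which the review
// noted a MinLength marker would wrongly reject) and otherwise applies the pattern.
func ValidateQueryProjectID(id string) error {
	if id == "" {
		return nil
	}
	if !gcpProjectIDRE.MatchString(id) {
		return fmt.Errorf("queryProjectID: %q is not a valid project ID", id)
	}
	return nil
}

// ValidateURL mirrors an isURL-style check: the value must parse as an absolute URL
// with both a scheme and a host ("example.com" and "/path" are rejected).
func ValidateURL(field, raw string) error {
	u, err := url.ParseRequestURI(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return fmt.Errorf("%s: %q is not an absolute URL", field, raw)
	}
	return nil
}

// ValidateDNS1123Label enforces the RFC 1123 label rule and its 63-character limit.
func ValidateDNS1123Label(field, v string) error {
	if len(v) > 63 || !dns1123LabelRE.MatchString(v) {
		return fmt.Errorf("%s: %q is not an RFC 1123 label", field, v)
	}
	return nil
}

// AlertmanagerEndpoint is a constructed stand-in for the AlertmanagerEndpoints fields.
type AlertmanagerEndpoint struct {
	Namespace, Name, Scheme string
}

// ValidateAlertmanagerEndpoint applies the RFC 1123 rules to namespace and name and
// restricts scheme to http or https (assumption: the scheme is required here).
func ValidateAlertmanagerEndpoint(e AlertmanagerEndpoint) error {
	errs := []error{
		ValidateDNS1123Label("namespace", e.Namespace),
		ValidateDNS1123Label("name", e.Name),
	}
	if e.Scheme != "http" && e.Scheme != "https" {
		errs = append(errs, fmt.Errorf("scheme: %q must be http or https", e.Scheme))
	}
	return errors.Join(errs...) // nil when every entry is nil
}

// SampleViolations runs the checks over a constructed input in which every field breaks a rule.
func SampleViolations() []string {
	checks := []error{
		ValidateExternalLabels(map[string]string{"k8s-cluster": "prod"}),
		ValidateQueryProjectID("Bad_Project"),
		ValidateURL("generatorUrl", "example.com/alerts"),
		ValidateAlertmanagerEndpoint(AlertmanagerEndpoint{Namespace: "Monitoring", Name: "am", Scheme: "ftp"}),
	}
	var out []string
	for _, err := range checks {
		if err != nil {
			out = append(out, err.Error())
		}
	}
	return out
}

func main() {
	for _, v := range SampleViolations() {
		fmt.Println("rejected:", v)
	}
}
```

Each function returns an error rather than printing, so the same checks can back a differential test that feeds identical values to the CRD schema and to the Go validator and compares verdicts.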

bernot-dev force-pushed the operatorconfig-cel-validation branch from 95ec286 to 86a9805 (June 12, 2026 14:01)

gemini-code-assist (bot) left a review comment:

Code Review

This pull request introduces various OpenAPI and CEL validation constraints to the OperatorConfig CRD definitions and adds corresponding end-to-end validation tests. The reviewer identified several critical issues: the use of the non-existent CEL function isURL which will cause CRD application failures, and a MinLength constraint on queryProjectID that incorrectly prevents it from being left blank. Additionally, the reviewer noted a duplicate import of k8s.io/api/core/v1 under different aliases in the test file, recommending the consistent use of the existing v1 alias.

Comment thread pkg/operator/apis/monitoring/v1/operator_types.go Outdated
Comment thread pkg/operator/apis/monitoring/v1/operator_types.go Outdated
Comment thread pkg/operator/apis/monitoring/v1/operator_types.go Outdated
Comment thread charts/operator/crds/monitoring.googleapis.com_operatorconfigs.yaml Outdated
Comment thread charts/operator/crds/monitoring.googleapis.com_operatorconfigs.yaml Outdated
Comment thread charts/operator/crds/monitoring.googleapis.com_operatorconfigs.yaml Outdated
Comment thread pkg/operator/apis/monitoring/v1/operator_types.go Outdated
Comment thread charts/operator/crds/monitoring.googleapis.com_operatorconfigs.yaml Outdated
Comment thread e2e/crd_validation_test.go Outdated
Comment thread e2e/crd_validation_test.go
bernot-dev force-pushed the operatorconfig-cel-validation branch 2 times, most recently from 50f73ff to 314c2bd (June 15, 2026 17:57)

bernot-dev (Collaborator, Author) commented:

/gemini review

gemini-code-assist (bot) left a review comment:

Code Review

This pull request introduces declarative CEL validations and kubebuilder constraints to OperatorConfig CRD fields, ensuring stricter validation for URLs, GCP project IDs, external labels, and secret names directly at the API level. Corresponding end-to-end tests were updated to clean up test resources and verify these new validation rules. The review feedback suggests further strengthening the validations by enforcing mutual exclusivity between the secret and configMap fields in SecretOrConfigMap, as well as adding DNS subdomain validation for the configMap name.

Comment thread pkg/operator/apis/monitoring/v1/operator_types.go
Comment thread pkg/operator/apis/monitoring/v1/operator_types.go
bernot-dev force-pushed the operatorconfig-cel-validation branch 2 times, most recently from 9c4ddb7 to 12de88d (June 15, 2026 18:49)
bernot-dev self-assigned this (Jun 15, 2026)
bernot-dev force-pushed the operatorconfig-cel-validation branch from d606f37 to 32ed855 (June 26, 2026 15:02)

Commit message:
Adds kubebuilder CEL validations to `OperatorConfig` fields based on the migration away from webhook validation.

- Validates prometheus label keys in `externalLabels`
- Validates `queryProjectID` constraints (length and regex pattern)
- Adds `isURL` checks for `generatorUrl`, `exports.url`, `externalURL`
- Implements RFC 1123 label constraints for AlertmanagerEndpoints namespace and name
- Validates TLSConfig KeySecret name
- Enforces HTTP/HTTPS scheme for AlertmanagerEndpoints

Signed-off-by: Adam Bernot <bernot@google.com>
bernot-dev force-pushed the operatorconfig-cel-validation branch from 32ed855 to e5d8bdc (June 26, 2026 17:31)

bernot-dev (Collaborator, Author) commented:

/gemini review

gemini-code-assist (bot) left a review comment:

Code Review

This pull request adds robust OpenAPI v3 and CEL validation rules to the OperatorConfig CRD and its Go definitions, along with a new differential fuzz test to align CRD-level validations with the Go webhook. While these changes significantly improve validation coverage, the reviewer identified several missing constraints that should be added for completeness. Specifically, CEL validation rules should be implemented for queryProjectID format constraints, AlertmanagerEndpoints fields, and externalLabels keys to ensure valid Prometheus label names. Additionally, the reviewer advised restoring the enum validation for CompressionType (including an empty string option) to prevent invalid inputs, and adding name validation for ConfigMap selectors for consistency.

Comment thread pkg/operator/apis/monitoring/v1/operator_types.go
Comment thread pkg/operator/apis/monitoring/v1/operator_types.go
Comment on lines 221 to 222
// CompressionType is the compression type.
// +kubebuilder:validation:Enum=none;gzip
type CompressionType string

gemini-code-assist (bot), severity: medium

Removing the +kubebuilder:validation:Enum=none;gzip validation marker allows arbitrary invalid strings (e.g., '0', 'tar') to be accepted by the CRD validation, which can lead to runtime failures or silent misconfigurations. If the goal is to allow an empty string as a default or unset value, we should keep the enum validation but include the empty string, or use a CEL validation rule.

Suggested change
-// CompressionType is the compression type.
-// +kubebuilder:validation:Enum=none;gzip
-type CompressionType string
+// CompressionType is the compression type.
+// +kubebuilder:validation:Enum="";none;gzip
+type CompressionType string
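Review bot: once `""` joins the enum, an empty value and `none` are both accepted and presumably both mean no compression, so the field comment should state which one the operator treats as canonical (or the field should carry a default); the regenerated charts/operator/crds/monitoring.googleapis.com_operatorconfigs.yaml must also carry the same three-value enum, otherwise the Go marker and the shipped CRD disagree.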

Comment on lines 369 to 370
// ConfigMap containing data to use for the targets.
ConfigMap *corev1.ConfigMapKeySelector `json:"configMap,omitempty"`

gemini-code-assist (bot), severity: medium

For completeness and consistency with the Secret field validation, we should also validate that the ConfigMap name is not empty when a ConfigMapKeySelector is provided.

	// ConfigMap containing data to use for the targets.
	// +kubebuilder:validation:XValidation:rule="has(self.name) && self.name != ''",message="missing configmap key selector name"
	ConfigMap *corev1.ConfigMapKeySelector `json:"configMap,omitempty"`
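Review bot: this rule only rejects an empty name, while the previous review also asked for DNS subdomain validation of the configMap name; a second `XValidation` using `matches()` against the RFC 1123 subdomain pattern, mirroring whatever the Secret field enforces, would close that gap. Keep the `has(self.name)` guard as written: without it the rule errors instead of failing cleanly when `name` is absent from the object.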

Comment thread charts/operator/crds/monitoring.googleapis.com_operatorconfigs.yaml
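
The rules requested across the two reviews (mutual exclusivity of `secret` and `configMap` with a DNS subdomain check on the name, the non-empty name rule suggested just above, and the CompressionType enum that admits the empty string), as one added Go example that is not the project's code and not its CEL. `KeySelector` is a constructed stand-in for `corev1.SecretKeySelector` and `corev1.ConfigMapKeySelector`, and `SecretOrConfigMap` and `CompressionType` are redeclared here only so the block runs stand-alone.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// RFC 1123 subdomain: dot-separated RFC 1123 labels, at most 253 characters in total.
var dns1123SubdomainRE = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// KeySelector is a constructed stand-in for the core/v1 key selectors.
type KeySelector struct {
	Name string
	Key  string
}

// SecretOrConfigMap holds at most one of the two selectors.
type SecretOrConfigMap struct {
	Secret    *KeySelector
	ConfigMap *KeySelector
}

// validateSelectorName is the Go equivalent of
//   has(self.name) && self.name != ''
// followed by the DNS subdomain check the second review asked for.
func validateSelectorName(kind, name string) error {
	if name == "" {
		return fmt.Errorf("missing %s key selector name", kind)
	}
	if len(name) > 253 || !dns1123SubdomainRE.MatchString(name) {
		return fmt.Errorf("%s name %q is not a DNS-1123 subdomain", kind, name)
	}
	return nil
}

// ValidateSecretOrConfigMap rejects the case where both selectors are set and
// validates the name of whichever one is present; neither set is treated as "omitted".
func ValidateSecretOrConfigMap(s SecretOrConfigMap) error {
	switch {
	case s.Secret != nil && s.ConfigMap != nil:
		return errors.New("secret and configMap are mutually exclusive")
	case s.Secret != nil:
		return validateSelectorName("secret", s.Secret.Name)
	case s.ConfigMap != nil:
		return validateSelectorName("configmap", s.ConfigMap.Name)
	}
	return nil
}

// CompressionType mirrors the enum "";none;gzip from the suggested marker.
type CompressionType string

var allowedCompression = map[CompressionType]bool{"": true, "none": true, "gzip": true}

// ValidateCompressionType accepts only the enumerated values, including the empty (unset) one.
func ValidateCompressionType(c CompressionType) error {
	if !allowedCompression[c] {
		return fmt.Errorf("compression %q is not one of \"\", none, gzip", string(c))
	}
	return nil
}

func main() {
	samples := []SecretOrConfigMap{
		{Secret: &KeySelector{Name: "am-tls", Key: "ca.crt"}},                    // constructed: valid
		{Secret: &KeySelector{Name: "a"}, ConfigMap: &KeySelector{Name: "b"}},    // constructed: both set
		{ConfigMap: &KeySelector{Key: "ca.crt"}},                                 // constructed: no name
		{ConfigMap: &KeySelector{Name: "Not_A_Subdomain", Key: "ca.crt"}},        // constructed: bad name
	}
	for i, s := range samples {
		fmt.Printf("sample %d: %v\n", i, ValidateSecretOrConfigMap(s))
	}
	for _, c := range []CompressionType{"", "gzip", "tar"} {
		fmt.Printf("compression %q: %v\n", c, ValidateCompressionType(c))
	}
}
```

The mutual-exclusivity check lives on the parent struct rather than on either selector because a CEL rule on the child field cannot see its sibling; the same placement applies to the `XValidation` marker on the Go type.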