✨ Add conversions + CEL transformations for APIResourceSchemas

[ncdc]

Summary

Add support for CEL-based conversions for APIResourceSchemas.

Currently implemented:

• Added a new APIConversion resource
• Its name must match the name of an APIResourceSchema exactly
• When an APIBinding is processed, if any of the APIResourceSchemas it's binding to have APIConversions, the controller creates a copy of each APIConversion in system:bound-crds
  • The name of the APIConversion is set to the name of the corresponding CRD (which matches the UID of the APIResourceSchema)
• Here is an example APIConversion. These are the only supported features in this PR (we can iterate in future PRs):

apiVersion: apis.kcp.dev/v1alpha1
kind: APIConversion
metadata:
  name: rev0002.widgets.example.io
spec:
  conversions:
  - from: v1
    to: v2
    rules:
    - field: .spec.firstName
      destination: .spec.name.first
    - field: .spec.lastName
      destination: .spec.name.last
      transformation: self
    - field: .spec.lastName
      destination: .spec.name.lastUpper
      transformation: self.upperAscii()
  - from: v2
    to: v1
    rules:
    - field: .spec.name.first
      destination: .spec.firstName
    - field: .spec.name.last
      destination: .spec.lastName
    preserve:
    - .spec.someNewField

• When an APIConversion is created or updated, admission compiles every CEL expression, rejecting upon any errors
  • We need to decide if we want to allow updates; I just realized updates are not carried forward to the copy in system:bound-crds

Possible follow-ups in separate PRs:

• Figure out how to support indexing in maps and lists in CEL rules
• Figure out how to support indexing in maps and lists in "to" fields
• See if we can identify invalid evolutions and reject them
• What happens if a field's type changes / can we support that?
• Fully spec out preserve fields annotation-based flows

Related issue(s)

Fixes #

Requires kcp-dev/kubernetes#104

Part of #1671

[ncdc]

Nice to see that I at least didn't break anything in the e2es, even if the conversion code isn't being exercised yet 😄

[ncdc]

/test all

[ncdc]

Pushed an update based on refactoring in kcp-dev/kubernetes#104

[stevekuznetsov]

How are conversion compilation errors surfaced to the user?

[stevekuznetsov]

Totally unrelated question - I have recently hacked cluster name into admission attributes, necessary for webhook plubming. Can we rally around that and not need this "genericapirequest" stuff?

[ncdc]

Sure thing

[ncdc]

@stevekuznetsov I see that our generic webhook admission impl sets the cluster in the attrs, but I don't see it happening anywhere else. Do we need to plumb this in to the various handlers e.g. createHandler upstream?

[sttts]

what about the inverse, remove the getters from the attributes? Am not a big fan of changing an upstream interface.

[stevekuznetsov]

If we don't have it up there, we have to refactor the entire call-chain to pass it through for generic webhook admission.

[ncdc]

If needed, will do in a follow-up

[ncdc]

#2621 to track

[stevekuznetsov]

Part of #2014

[ncdc]

@stevekuznetsov

How are conversion compilation errors surfaced to the user?

Directly, as errors, implemented via admission

[vincepri]

~ Half way through

[vincepri]

/lgtm

[ncdc]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncdc, vincepri

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ncdc]
• config/crds/OWNERS [ncdc]
• pkg/admission/OWNERS [ncdc]
• pkg/apis/OWNERS [ncdc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vincepri]

/lgtm

[vincepri]

/lgtm