Implement Receiver resource filtering with CEL #948
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@stefanprodan @matheuscscp I reworked it to filter the resources using CEL. I'm not quite sure that this is really that valuable, I suspect label filtering is also more efficient? There's some optimisation of the CEL that could be done within |
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
4969c46 to
1fe996b
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
3 times, most recently
from
d87dbfd to
b1c4e7e
Compare
stefanprodan
changed the title
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
45bd724 to
1e6929c
Compare
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
1e6929c to
d658d4a
Compare
matheuscscp
reviewed
Oct 17, 2024
There was a problem hiding this comment.
Thanks again for all the work here, @bigkevmcd! I'm very excited for this feature 😄
This is just a preliminary review. I will try to review this again soon.
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
4 times, most recently
from
5a22c4f to
bddfd56
Compare
stefanprodan
approved these changes
Oct 28, 2024
matheuscscp
approved these changes
Oct 28, 2024
darkowlzz
reviewed
Oct 31, 2024
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
6 times, most recently
from
8e892ef to
18c1f31
Compare
stefanprodan
reviewed
Nov 1, 2024
|
@bigkevmcd this is good to go, please signoff all your commits and force push. |
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
8a9e435 to
57c36b0
Compare
That's 3MiB, I've definitely seen GitHub hook notifications that were > 1.5MiB. |
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
757f96d to
1645796
Compare
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
1645796 to
f79599e
Compare
This was referenced Jan 28, 2025
CEL for Receiver notification filtering This introduces CEL for filtering CEL resources in a Receiver. Users can define a CEL expression that is applied as a filter for resources that are identified for notification. A CEL expression that returns false means that a resource will not be annotated. Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
This moves the JSON body to request.body from request to allow for future expansion with the headers. Add documentation for the CEL functionality to the receivers doc. Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
Refactor to reduce duplication. Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
If the .spec.resourceFilter is provided, and can't be parsed by the CEL environment, the resource will not be ready, and an appropriate error indicated. Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
In the event of a CEL expresion error, this doesn't return the error to the controller-runtime reconciler mechanism. This means that the reconciliation will not be retried until there's a change to the resource. Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
* Don't pass log through - get it from the context * Use ContextEval - need to set a timeout on the context that's passed Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
This adds more testing for the CEL evaluation mechanism for resource filtering. Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
f79599e to
e438ca1
Compare
matheuscscp
reviewed
Jan 28, 2025
| @@ -67,6 +67,11 @@ type ReceiverSpec struct { | |||
| // +required | |||
| Resources []CrossNamespaceObjectReference `json:"resources"` | |||
|
|
|||
| // ResourceFilter is a CEL expression that is applied to each Resource | |||
| // referenced in the Resources. If the expression returns false then the | |||
There was a problem hiding this comment.
Suggested change
| // referenced in the Resources. If the expression returns false then the | |
| // referenced in the Resources field. If the expression returns false then the |
|
|
||
| To filter the resources that are reconciled you can use [Common Expression Language (CEL)](https://cel.dev/). | ||
|
|
||
| For example to trigger `ImageRepositories` on notifications from [Google Artifact Registry](https://cloud.google.com/artifact-registry/docs/configure-notifications#examples) you can define a receiver. |
There was a problem hiding this comment.
Suggested change
| For example to trigger `ImageRepositories` on notifications from [Google Artifact Registry](https://cloud.google.com/artifact-registry/docs/configure-notifications#examples) you can define a receiver. | |
| For example, to trigger `ImageRepositories` on notifications from [Google Artifact Registry](https://cloud.google.com/artifact-registry/docs/configure-notifications#examples) you can define the following receiver: |
matheuscscp
reviewed
Jan 29, 2025
docs/spec/v1/receivers.md
Outdated
Comment on lines
770
to
813
| There are a number of functions available to the CEL expressions beyond the basic CEL functionality. | ||
|
|
||
| The [Strings extension](https://github.com/google/cel-go/tree/master/ext#strings) is available. | ||
|
|
||
| In addition the notifications-controller CEL implementation provides the following functions: | ||
|
|
||
| #### first | ||
|
|
||
| Returns the first element of a CEL array expression. | ||
|
|
||
| ``` | ||
| <list<any>>.first() -> <any> | ||
| ``` | ||
|
|
||
| This is syntactic sugar for `['hello', 'mellow'][0]` | ||
|
|
||
| Examples: | ||
|
|
||
| ``` | ||
| ['hello', 'mellow'].first() // returns 'hello' | ||
| [].first() // returns nil | ||
| 'this/test'.split('/').first() // returns 'this' | ||
| ``` | ||
|
|
||
| #### last | ||
|
|
||
| Returns the last element of a CEL array expression. | ||
|
|
||
| ``` | ||
| <list<any>>.last() -> <any> | ||
| ``` | ||
|
|
||
| Examples: | ||
|
|
||
| ``` | ||
| ['hello', 'mellow'].last() // returns 'mellow' | ||
| [].last() // returns nil | ||
| 'this/test'.split('/').last() // returns 'test' | ||
| ``` | ||
|
|
||
| This is syntactic sugar for `['hello', 'mellow'][size(['hello, 'mellow'])-1]` | ||
|
|
||
| For zero-length array values, these will both return `nil`. | ||
|
|
There was a problem hiding this comment.
I think we can remove all of this since now these functions are in the upstream CEL library.
| if filter := obj.Spec.ResourceFilter; filter != "" { | ||
| err := server.ValidateCELExpression(filter) | ||
| if err != nil { | ||
| conditions.MarkFalse(obj, meta.ReadyCondition, apiv1.InvalidCELExpressionReason, "%s", err) |
internal/server/cel.go
Outdated
| // ValidateCELEXpression accepts a CEL expression and will parse and check that | ||
| // it's valid, if it's not valid an error is returned. | ||
| func ValidateCELExpression(s string) error { | ||
| _, err := newCELProgram(s) |
There was a problem hiding this comment.
Let's use the library as discussed (still needs to be merged/released, will happen soon):
| @@ -0,0 +1,194 @@ | |||
| /* | |||
There was a problem hiding this comment.
Most of this file can be removed in favor of fluxcd/pkg#858
| @@ -0,0 +1,131 @@ | |||
| package server | |||
There was a problem hiding this comment.
This test file can be removed in favor of fluxcd/pkg#858
|
@bigkevmcd we have released the
🙏 Edit: Like Stefan said below, just need to rebase. |
|
@bigkevmcd if you rebase with main, you'll find |
Co-authored-by: Matheus Pimenta <matheuscscp@gmail.com> Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
15d0f16 to
eb6f1ce
Compare
Co-authored-by: Matheus Pimenta <matheuscscp@gmail.com> Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com> Strip out unnecessary documentation.
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
7183c3c to
fc59218
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This implementation allows filtering of wildcarded resources for receivers using CEL expressions.
Closes: #491
Spec: #491 (comment)