/*
Copyright 2025 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package validation
import (
"fmt"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/klog/v2"
fldtest "k8s.io/apimachinery/pkg/util/validation/field/testing"
validationmetrics "k8s.io/component-base/metrics/prometheus/validation"
)
// createErrorKey generates a string key for bucketing errors based on type, field, and origin
func createErrorKey(err *field.Error) string {
return fmt.Sprintf("%s|%s|%s", err.Type, err.Field, err.Origin)
}
// gatherDeclarativeValidationMismatches compares imperative and declarative validation errors
// and returns detailed information about any mismatches found. Errors are compared via type, field, and origin
func gatherDeclarativeValidationMismatches(imperativeErrs, declarativeErrs field.ErrorList) []string {
// Only compare imperative errors that are actually CoveredByDeclarative.
coveredImperative := make(field.ErrorList, 0, len(imperativeErrs))
for _, err := range imperativeErrs {
if err.CoveredByDeclarative {
coveredImperative = append(coveredImperative, err)
}
}
matcher := fldtest.ErrorMatcher{}.ByType().ByField().ByOrigin().RequireOriginWhenInvalid()
// Create map of declarative errors by key for faster lookup
// Map to indices rather than errors themselves to allow for matcher to be called
declarativeByKey := make(map[string][]int)
for i := range declarativeErrs {
key := createErrorKey(declarativeErrs[i])
declarativeByKey[key] = append(declarativeByKey[key], i)
}
// Track which declarative errors have been matched
matchedDeclarative := make([]bool, len(declarativeErrs))
var mismatchDetails []string
// Check each imperative error
for _, iErr := range coveredImperative {
key := createErrorKey(iErr)
// Look for a match in the corresponding bucket
foundMatch := false
if indices, exists := declarativeByKey[key]; exists {
// Only check errors that share the same key values
for _, idx := range indices {
if !matchedDeclarative[idx] && matcher.Matches(iErr, declarativeErrs[idx]) {
matchedDeclarative[idx] = true
foundMatch = true
break
}
}
}
if !foundMatch {
mismatchDetails = append(mismatchDetails,
fmt.Sprintf(
"Imperative validation error marked as CoveredByDeclarative but missing from declarative validation: %s",
matcher.Render(iErr),
),
)
}
}
// Check for unmatched declarative errors
for j, dErr := range declarativeErrs {
if !matchedDeclarative[j] {
mismatchDetails = append(mismatchDetails,
fmt.Sprintf(
"Extra error in declarative validation not found among imperative errors marked as CoveredByDeclarative: %s",
matcher.Render(dErr),
),
)
}
}
return mismatchDetails
}
// CompareDeclarativeErrorsAndEmitMismatches checks for mismatches between imperative and declarative validation
// and logs + emits metrics when inconsistencies are found
func CompareDeclarativeErrorsAndEmitMismatches(imperativeErrs, declarativeErrs field.ErrorList) {
mismatchDetails := gatherDeclarativeValidationMismatches(imperativeErrs, declarativeErrs)
// Only proceed if there's a mismatch
if len(mismatchDetails) > 0 {
// Log information about the mismatch
for _, detail := range mismatchDetails {
klog.Warning(detail)
}
// Emit the metric
validationmetrics.Metrics.EmitDeclarativeValidationMismatchMetric()
}
}