kubernetes / kubernetes

Production-Grade Container Scheduling and Management
https://kubernetes.io
Apache License 2.0

CEL Validation: permit hashing object fields to form object name #113220

Open lavalamp opened 2 years ago

lavalamp commented 2 years ago

Scenario: My CRD has fields x, y, and z. I want to ensure that within a given namespace, no two instances of this CRD have the same set of values for those fields.

Solution 1: Require that .metadata.name be x+y+z. (Add an x-kubernetes-validations to the root of the object, and do something like "[self.metadata.name] == self.spec.x + self.spec.y + self.spec.z".)

Problem 1: The fields might be too long, or not match the rules about names (contain "/" characters, etc.).

Solution 2: Require that name be of the form sanitized_fields(x,y,z)+unique_hash(x,y,z). Where:

The request here is to add a function or set of functions callable from CEL to do this sanitizing/hashing. Ideally we would like the code to be known ASAP so that people can use them in validating webhooks today and move to CEL when it is available.

For bonus points we would like to default the name to the correct value if it is blank, since it may be hard for clients to determine the correct value. (I suspect this isn't possible with our defaulting stack, but maybe I'm wrong.)

We need the error message to report the expected name, so that at least clients could e.g. send a dry-run POST request to figure out the correct name and then use it in the real request.

/sig api-machinery

lavalamp commented 2 years ago

cc @jpbetz @apelisse

jpbetz commented 2 years ago

This is a good motivating example for adding a hash function to the CEL library. We can add that.

The sanitation can probably be expressed as a RE2 regex replace, maybe combined with substring to cap the length?
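Solution 2 from the issue description and the regex-replace, substring and hash approach sketched in the comment above, carried through as an added Go example (this is not code from the issue or from kubernetes/kubernetes): it derives the expected name from three constructed spec fields, then validates a submitted name the way a validating webhook could today, reporting the expected name in the error so a dry-run request reveals it. The field names x, y and z come from the issue; the Spec type, the 63-character DNS label cap, the 10-hex-character hash truncation and SHA-256 as the hash are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Spec is a constructed stand-in for the CRD in the issue: the combination
// of X, Y and Z must be unique within a namespace.
type Spec struct {
	X, Y, Z string
}

const (
	maxNameLen   = 63                        // assumed: DNS-1123 label limit
	hashLen      = 10                        // assumed: hex chars of SHA-256 kept in the name
	maxPrefixLen = maxNameLen - hashLen - 1 // leave room for the "-" separator
)

// Go's regexp package is RE2, so these are the same class of expression a
// CEL regex replace would use.
var notDNS = regexp.MustCompile(`[^a-z0-9-]+`)
var edgeDash = regexp.MustCompile(`^-+|-+$`)

// sanitize lowercases the fields, joins them with "-", replaces every run of
// characters not allowed in a DNS label with "-", caps the length (the
// "substring" step) and strips dashes left at either end by the truncation.
func sanitize(fields ...string) string {
	s := strings.ToLower(strings.Join(fields, "-"))
	s = notDNS.ReplaceAllString(s, "-")
	if len(s) > maxPrefixLen { // safe: only ASCII survives the replace above
		s = s[:maxPrefixLen]
	}
	return edgeDash.ReplaceAllString(s, "")
}

// uniqueHash hashes the field tuple. Each field is length-prefixed so that
// ("ab","c") and ("a","bc") hash differently; plain concatenation would not
// distinguish them and two distinct objects could be assigned the same name.
func uniqueHash(fields ...string) string {
	h := sha256.New()
	for _, f := range fields {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))[:hashLen]
}

// ExpectedName is the name Solution 2 requires:
// sanitized_fields(x,y,z) + unique_hash(x,y,z).
func ExpectedName(s Spec) string {
	prefix := sanitize(s.X, s.Y, s.Z)
	hash := uniqueHash(s.X, s.Y, s.Z)
	if prefix == "" { // fields consisted only of disallowed characters
		return hash
	}
	return prefix + "-" + hash
}

// Validate is what a validating webhook would do today: reject an object
// whose name does not match and put the expected name in the error message,
// so a client can learn it from a dry-run POST before the real request.
func Validate(name string, s Spec) error {
	want := ExpectedName(s)
	if name != want {
		return fmt.Errorf("metadata.name must be %q (derived from spec.x, spec.y and spec.z), got %q", want, name)
	}
	return nil
}

func main() {
	s := Spec{X: "payments/API", Y: "us-east-1", Z: "Blue"} // constructed input
	fmt.Println(ExpectedName(s))
	fmt.Println(Validate("wrong-name", s))
}
```

The derivation has to be identical on every side that computes it (webhook, CEL rule once a hash function exists, and any client that pre-computes the name), otherwise the expected-name hint in the error becomes the only way to get a valid name. Note also that the hash covers the raw field values, not the sanitized prefix, so two tuples that sanitize to the same prefix still get distinct names.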

jpbetz commented 2 years ago

/assign

alexzielenski commented 2 years ago

/triage accepted

alexzielenski commented 2 years ago

/cc @DangerOnTheRanger

k8s-triage-robot commented 10 months ago

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

seans3 commented 9 months ago

/triage accepted