Skip to content

Allow RGD resources to reference instance status fields #787

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Allow RGD resources to reference instance status fields #787

wants to merge 4 commits into from
+191 −12

Conversation

@bschaatsbergen
Copy link
Contributor

@bschaatsbergen bschaatsbergen commented Nov 10, 2025
edited
Loading

Closes #762

Currently we explicitly exclude schema.status fields from being referenced in CEL expressions on RGD resources. The getSchemaWithoutStatus function deletes the status property before validation, preventing schema.status.* references, as previously intended.

This does however block the ability to reference computed status values (like status.endpoint: ${service.status.loadBalancer.ingress[0].hostname}) in dependent resources, forcing users to duplicate expressions instead of implementing a cleaner dependency pattern.

This removes that restriction by renaming the function to getInstanceSchema and including schema.status alongside schema.spec and schema.metadata.

Quick question for the maintainers; what was the reasoning behind initially excluding the status fields? Understanding the background here would help me add more appropriate safeguards around including schema.status.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 10, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bschaatsbergen
Once this PR has been reviewed and has the lgtm label, please assign elmiko for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Nov 10, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: bschaatsbergen / name: Bruno Schaatsbergen (030a7b4)

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 10, 2025

Welcome @bschaatsbergen!

It looks like this is your first PR to kubernetes-sigs/kro 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kro has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Nov 10, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 10, 2025

Hi @bschaatsbergen. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Nov 10, 2025
@bschaatsbergen
feat: allow RGD resources to reference instance status fields
4c718eb 
Removes restriction on `schema.status` field references in RGD CEL
expressions. Renames `getSchemaWithoutStatus` to `getInstanceSchema`
and includes status property alongside spec and metadata in the
validation schema.

Previously, the status field was explicitly deleted before CEL
validation, preventing references like `${schema.status.endpoint}`
or `${service.status.loadBalancer.ingress[0].hostname}` in dependent
resources.

Signed-off-by: Bruno Schaatsbergen <[email protected]>
@bschaatsbergen bschaatsbergen force-pushed the f/reference-instance-status branch from 70ebe3e to 4c718eb Compare November 10, 2025 11:08
jakobmoellerdev
jakobmoellerdev reviewed Nov 10, 2025
View reviewed changes
Copy link
Member

@jakobmoellerdev jakobmoellerdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there! thanks for the contrib. Mainly the limitations we must consider are:

  1. Status Objects are always optional and may or may not be present. Referencing should only be possible with optional value reference closures IMHO.
  2. Status Objects were previously unstructured so to get a proper setup, you would also need to replace usage here

    kro/pkg/graph/builder.go

    Line 572 in 548e4db

    func buildStatusSchema(

I think if you manage to get rid of dynamic status value computation on top of your change, this will be more "complete". Otherwise your RGD creation will have the schema but your cluster based instance will still not use this

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 10, 2025
@bschaatsbergen
Copy link
Contributor Author

bschaatsbergen commented Nov 10, 2025
edited
Loading

Hey there! thanks for the contrib. Mainly the limitations we must consider are:

  1. Status Objects are always optional and may or may not be present. Referencing should only be possible with optional value reference closures IMHO.
  2. Status Objects were previously unstructured so to get a proper setup, you would also need to replace usage here

    kro/pkg/graph/builder.go

    Line 572 in 548e4db

    func buildStatusSchema(

I think if you manage to get rid of dynamic status value computation on top of your change, this will be more "complete". Otherwise your RGD creation will have the schema but your cluster based instance will still not use this

Thanks for the quick review, @jakobmoellerdev! Just to confirm my understanding; we should exclude status from required fields before type-checking the instance schema, so that CEL expressions in dependent resources can reference the instance’s status without validation errors when it’s still empty? Basically, clean up/unmark any status entry from the schema.Required list?

In b4128a9, I've ensured status fields remain optional before type-checking the instance schema.

@bschaatsbergen bschaatsbergen force-pushed the f/reference-instance-status branch from 93def8f to bdd37f7 Compare November 10, 2025 23:04
@bschaatsbergen
fix: remove status fields from the list of required fields before typ…
b4128a9 
…e-checking

Remove status from required fields before type-checking. This allows CEL expressions in dependent resources to reference instance status (e.g., `${schema.status.endpoint}`) without validation errors when the instance status hasn't been populated yet.

Signed-off-by: Bruno Schaatsbergen <[email protected]>
@bschaatsbergen bschaatsbergen force-pushed the f/reference-instance-status branch from bdd37f7 to b4128a9 Compare November 10, 2025 23:06
@jakobmoellerdev
Copy link
Member

jakobmoellerdev commented Nov 11, 2025

Before I push you further into any direction and you potentially have a waste of time, I want to have a conceptual guidance of @a-hilaly here as he wrote the original status schemaless logic. Expect a bit of turnaround due to kubecon please.

My understanding is that rgd resources should be able to FILL instance status fields, but not the other way around. an instance should aggregate status and we didnt have good cases yet in which the other way would have made sense.

@a-hilaly
Copy link
Member

a-hilaly commented Nov 12, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 12, 2025
@bschaatsbergen bschaatsbergen marked this pull request as draft November 12, 2025 21:04
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 12, 2025
@a-hilaly
Copy link
Member

a-hilaly commented Nov 12, 2025

/ok-to-test

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 14, 2025

@bschaatsbergen: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
presubmits-integration-tests 030a7b4 link true /test presubmits-integration-tests
presubmits-verify-lint 030a7b4 link true /test presubmits-verify-lint

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@tjamet
Copy link
Contributor

tjamet commented Nov 19, 2025

First, I agree that, conceptually, we must be able to bubble up the resources status to the RGD instance the same way we cascade parameters down.

It is true that this brings a complexity when the status does not exist yet, but I think it is manageable and worth the effort

tjamet
tjamet reviewed Nov 19, 2025
View reviewed changes
pkg/graph/builder_test.go
"region": "string",
},
map[string]interface{}{
"vpcID": "${vpc.status.vpcID}",
Copy link
Contributor

@tjamet tjamet Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also need tests to ensure that:

  1. when the status field can't be resolved (i.e. vpc.status == nil) the instance can be reconciled without error
  2. when the status field exists (i.e. vpc.status.vpcID = "vpc-xzy"), after reconcile, the instance has status status.vpcID: vpc-xyz`

tjamet
tjamet reviewed Nov 19, 2025
View reviewed changes
pkg/graph/builder.go
Comment on lines +840 to +847
// Remove "status" from required fields if present
required := make([]string, 0, len(s.Required))
for _, field := range s.Required {
if field != "status" {
required = append(required, field)
}
}
s.Required = required
Copy link
Contributor

@tjamet tjamet Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would we gain readability on the intent using slices.DeleteFunc

Suggested change
// Remove "status" from required fields if present
required := make([]string, 0, len(s.Required))
for _, field := range s.Required {
if field != "status" {
required = append(required, field)
}
}
s.Required = required
s.Required = slices.DeleteFunc(s.Required, func(e string){
return e == "status"
})

@tjamet tjamet mentioned this pull request Nov 19, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matthchr matthchr Awaiting requested review from matthchr

2 more reviewers

@tjamet tjamet tjamet left review comments

@jakobmoellerdev jakobmoellerdev jakobmoellerdev left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support referencing instance status fields in RGD resources

5 participants

@bschaatsbergen @k8s-ci-robot @jakobmoellerdev @a-hilaly @tjamet