OpenAPI-based CEL type library

[jiahuif]

What type of PR is this?

/kind feature

What this PR does / why we need it:

• rewrite the CEL schema library to use kube-openapi, based on that of staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel, which uses structural.Structural.
• two implementations of schema resolver, one using client-go OpenAPI v3 discovery mechanism, the other with compiled-in OpenAPI definitions. Compiled-in resolver can be useful for the API server itself while ongoing development of client side CEL evaluation needs the discovery resolver.
• create an adaptor between CRD Structural and OpenAPI schemas. This is to avoid recursive/deep conversion that takes an O(N) time where N is the depth of nesting in a schema.
• change existing library for CRDs to use the adaptor.
• add integration test for above

Special notes for your reviewer:

To limit the size of this PR, it does not include the part where the admission plugin uses the library.

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/issues/3488

[cici37]

Note: I guess we don't need the compilation and validation files here(might cause confusion). And the code would be tested in #113314. Currently the conversion(between object and ref.Val) failed(possible reason of lacking ref resolver?). Will retest after changes are made. Thank you!

Maybe worth to also add builtin type tests in this PR?

[leilajal]

/triage accepted

[jpbetz]

Also add tests showing how this can be used with a native types?

[jpbetz]

Given that we primarily intend to support native types with this, should this instead be something like ObjectToVal(obj runtime.Object) ref.Val and we can have the implementation look up the schema and convert the runtime.Object to unstructured using DefaultUnstructuredConverter? This would allow us to change the implementation in the future (e.g. use a reflection based approach instead of conversion to unstructured) without changing the function signature.

[jiahuif]

Current implementation let the caller to specify the schema because eventually the schema needs to be cached. It's better for the caller to maintain the cache to avoid having to provide another set of schema cache invalidation.

[wenjiaswe]

/test pull-kubernetes-unit

[jpbetz]

Functionality looks good. The copy-if-changed looks right. The wrapper is nice. Just a few minor comments.

[jiahuif]

/cc @alexzielenski

[jpbetz]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 6d4c70f11001bbb6888a57a3c0ce989f7a28681e

[jiahuif]

All comments addressed, could you take another look when available? @liggitt

[liggitt]

All comments addressed, could you take another look when available? @liggitt

ack, should be able to look later today

[liggitt]

/approve

Thanks for all the iterations on this. There are still a couple spots that would be good to be sure we have benchmarks exercising (we might already? I'm not sure), but I'm very happy to see the full deep copies and recursive conversions go away

[liggitt]

as a follow-up, it would be good to make sure we have benchmarks of validation-time calls that verify even this shallow-copy isn't problematic in terms of allocations

[liggitt]

same comment here about a follow-up benchmark that calls validate with a CRD and CR that ends up exercising this call so we have visibility to allocations

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jiahuif, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [liggitt]
• staging/src/k8s.io/apiextensions-apiserver/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/OWNERS [liggitt]
• test/integration/apiserver/OWNERS [liggitt]
• vendor/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest