Prevent quota reduction via CEL validation in StorageConsumer CRD

[OdedViner]

Added CEL validation to ensure StorageQuotaInGiB cannot be decreased via CR updates.

Tested manually:
1.Delete the old CRD, apply the new CRD, and verify that the CRD was created.

$ oc delete crd storageconsumers.ocs.openshift.io
customresourcedefinition.apiextensions.k8s.io "storageconsumers.ocs.openshift.io" deleted
$ oc get crd storageconsumers.ocs.openshift.io
Error from server (NotFound): customresourcedefinitions.apiextensions.k8s.io "storageconsumers.ocs.openshift.io" not found
$ oc apply -f config/crd/bases/ocs.openshift.io_storageconsumers.yaml
customresourcedefinition.apiextensions.k8s.io/storageconsumers.ocs.openshift.io created
$ oc get crd storageconsumers.ocs.openshift.io
NAME                                CREATED AT
storageconsumers.ocs.openshift.io   2025-04-28T09:07:44Z

2.Create a StorageConsumer Custom Resource

$ oc apply -f - <<EOF
apiVersion: ocs.openshift.io/v1alpha1
kind: StorageConsumer
metadata:
  name: test-consumer
  namespace: default
spec:
  enable: true
  storageQuotaInGiB: 100
EOF
storageconsumer.ocs.openshift.io/test-consumer created

$ oc get storageconsumers.ocs.openshift.io -n default -o yaml
apiVersion: v1
items:
- apiVersion: ocs.openshift.io/v1alpha1
  kind: StorageConsumer
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"ocs.openshift.io/v1alpha1","kind":"StorageConsumer","metadata":{"annotations":{},"name":"test-consumer","namespace":"default"},"spec":{"enable":true,"storageQuotaInGiB":100}}
    creationTimestamp: "2025-04-28T09:08:53Z"
    generation: 1
    name: test-consumer
    namespace: default
    resourceVersion: "3132911"
    uid: 025bdade-85eb-46f9-a9b8-2169f6649f27
  spec:
    enable: true
    storageQuotaInGiB: 100
kind: List
metadata:
  resourceVersion: ""

3.Test: Decrease the storageQuotaInGiB from 100 → 50 (Expect Rejection)

$ oc patch storageconsumer test-consumer --type=merge -p '{"spec": {"storageQuotaInGiB": 50}}'
The StorageConsumer "test-consumer" is invalid: spec: Invalid value: "object": storageQuotaInGiB cannot be decreased on update

$ oc get storageconsumers.ocs.openshift.io -n default -o yaml
apiVersion: v1
items:
- apiVersion: ocs.openshift.io/v1alpha1
  kind: StorageConsumer
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"ocs.openshift.io/v1alpha1","kind":"StorageConsumer","metadata":{"annotations":{},"name":"test-consumer","namespace":"default"},"spec":{"enable":true,"storageQuotaInGiB":100}}
    creationTimestamp: "2025-04-28T09:08:53Z"
    generation: 1
    name: test-consumer
    namespace: default
    resourceVersion: "3132911"
    uid: 025bdade-85eb-46f9-a9b8-2169f6649f27
  spec:
    enable: true
    storageQuotaInGiB: 100
kind: List
metadata:
  resourceVersion: ""

4. Test: Increase the storageQuotaInGiB from 100 → 110 (Expect Success)

$ oc patch storageconsumer test-consumer --type=merge -p '{"spec": {"storageQuotaInGiB": 110}}'
storageconsumer.ocs.openshift.io/test-consumer patched

$ oc get storageconsumers.ocs.openshift.io -n default -o yaml
apiVersion: v1
items:
- apiVersion: ocs.openshift.io/v1alpha1
  kind: StorageConsumer
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"ocs.openshift.io/v1alpha1","kind":"StorageConsumer","metadata":{"annotations":{},"name":"test-consumer","namespace":"default"},"spec":{"enable":true,"storageQuotaInGiB":100}}
    creationTimestamp: "2025-04-28T09:08:53Z"
    generation: 2
    name: test-consumer
    namespace: default
    resourceVersion: "3134674"
    uid: 025bdade-85eb-46f9-a9b8-2169f6649f27
  spec:
    enable: true
    storageQuotaInGiB: 110
kind: List
metadata:
  resourceVersion: ""

5.Test: Decrease the storageQuotaInGiB from 100 → 0 (Expect Success)
When StorageQuotaInGiB=0, a ClusterResourceQuota is not created because the function checks if consumer.Spec.StorageQuotaInGiB > 0 before adding a quota resource.

ocs-operator/services/provider/server/server.go

Line 2060 in 91f2ec4

if consumer.Spec.StorageQuotaInGiB > 0 {

$  oc patch storageconsumer test-consumer --type=merge -p '{"spec": {"storageQuotaInGiB": 0}}'
storageconsumer.ocs.openshift.io/test-consumer patched

$ oc get storageconsumers.ocs.openshift.io -n default -o yaml
apiVersion: v1
items:
- apiVersion: ocs.openshift.io/v1alpha1
  kind: StorageConsumer
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"ocs.openshift.io/v1alpha1","kind":"StorageConsumer","metadata":{"annotations":{},"name":"test-consumer","namespace":"default"},"spec":{"enable":true,"storageQuotaInGiB":100}}
    creationTimestamp: "2025-04-28T11:37:09Z"
    generation: 3
    name: test-consumer
    namespace: default
    resourceVersion: "3227178"
    uid: 7f2a32e1-6272-4840-83f8-fced2dcfa600
  spec:
    enable: true
    storageQuotaInGiB: 0
kind: List
metadata:
  resourceVersion: ""

6.Test: Increase the storageQuotaInGiB from 0 → 34 (Expect Success)

$  oc patch storageconsumer test-consumer --type=merge -p '{"spec": {"storageQuotaInGiB": 34}}'
storageconsumer.ocs.openshift.io/test-consumer patched

oviner~/DEV_REPOS/ocs-operator(cel_validate_quota_reduction)$ oc get storageconsumers.ocs.openshift.io -n default -o yaml
apiVersion: v1
items:
- apiVersion: ocs.openshift.io/v1alpha1
  kind: StorageConsumer
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"ocs.openshift.io/v1alpha1","kind":"StorageConsumer","metadata":{"annotations":{},"name":"test-consumer","namespace":"default"},"spec":{"enable":true,"storageQuotaInGiB":100}}
    creationTimestamp: "2025-04-28T11:37:09Z"
    generation: 4
    name: test-consumer
    namespace: default
    resourceVersion: "3227976"
    uid: 7f2a32e1-6272-4840-83f8-fced2dcfa600
  spec:
    enable: true
    storageQuotaInGiB: 34
kind: List
metadata:
  resourceVersion: ""

[iamniting]

Lets keep the message and rule in different line if possible to have a better readibility.

[OdedViner]

controller-gen v0.16.1 does not support splitting rule and message across two XValidation: lines. It treats them as two separate markers, which is invalid.

$ ./bin/controller-gen --version
Version: v0.16.1

oviner~/DEV_REPOS/ocs-operator(cel_validate_quota_reduction)$ make gen-latest-csv
Ensuring operator-sdk
hack/ensure-operator-sdk.sh
Using operator-sdk CLI present at /home/oviner/DEV_REPOS/ocs-operator/bin/operator-sdk-v1.25.4
Using existing [email protected] at /home/oviner/DEV_REPOS/ocs-operator/bin/controller-gen
Updating generated manifests
/home/oviner/DEV_REPOS/ocs-operator/bin/controller-gen rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true paths=./api/... webhook paths="./..." output:crd:artifacts:config=config/crd/bases
/home/oviner/DEV_REPOS/ocs-operator/api/v1alpha1/storageconsumer_types.go:108:1: missing argument "rule" (at <input>:1:69)
/home/oviner/DEV_REPOS/ocs-operator/api/v1alpha1/storageconsumer_types.go:108:1: missing argument "rule" (at <input>:1:69)
/home/oviner/DEV_REPOS/ocs-operator/api/v1alpha1/storageconsumer_types.go:108:1: missing argument "rule" (at <input>:1:69)
/home/oviner/DEV_REPOS/ocs-operator/api/v1alpha1/storageconsumer_types.go:108:1: missing argument "rule" (at <input>:1:69)
Error: not all generators ran successfully
run `controller-gen rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true paths=./api/... webhook paths=./... output:crd:artifacts:config=config/crd/bases -w` to see all available markers, or `controller-gen rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true paths=./api/... webhook paths=./... output:crd:artifacts:config=config/crd/bases -h` for usage
make: *** [Makefile:139: manifests] Error 1

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: OdedViner
Once this PR has been reviewed and has the lgtm label, please ask for approval from iamniting. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[iamniting]

Why do you need a not condition, instead you can use the >

[iamniting]

@OdedViner Have you tested this new rule? Is it working as expected?

[OdedViner]

@OdedViner Have you tested this new rule? Is it working as expected?

yes, I changed the PR description with new test #3185 (comment)

[iamniting]

@OdedViner Have you tested this new rule? Is it working as expected?

I saw the latest results in the description. Can you also test to delete it or move it to 0 and adjust the rule accordingly?

FYR https://issues.redhat.com/browse/DFBUGS-1301?focusedId=27054192&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-27054192

[OdedViner]

@OdedViner Have you tested this new rule? Is it working as expected?

I saw the latest results in the description. Can you also test to delete it or move it to 0 and adjust the rule accordingly?

FYR https://issues.redhat.com/browse/DFBUGS-1301?focusedId=27054192&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-27054192

I saw the latest results in the description. Can you also test to delete it or move it to 0 and adjust the rule accordingly?

Hi @iamniting ,

I updated the rule to:
self.storageQuotaInGiB == 0 || self.storageQuotaInGiB >= oldSelf.storageQuotaInGiB
and added two additional steps (steps 5 and 6) to my manual test procedure to cover these cases.
#3185 (comment)

Thanks for the review!

[iamniting]

@OdedViner Have you tested this new rule? Is it working as expected?

I saw the latest results in the description. Can you also test to delete it or move it to 0 and adjust the rule accordingly?
FYR https://issues.redhat.com/browse/DFBUGS-1301?focusedId=27054192&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-27054192

I saw the latest results in the description. Can you also test to delete it or move it to 0 and adjust the rule accordingly?

Hi @iamniting ,

I updated the rule to: self.storageQuotaInGiB == 0 || self.storageQuotaInGiB >= oldSelf.storageQuotaInGiB and added two additional steps (steps 5 and 6) to my manual test procedure to cover these cases. #3185 (comment)

Thanks for the review!

Can you also check if this allows you to delete the field?

[OdedViner]

Can you also check if this allows you to delete the field?

@iamniting Is this the expected behavior?

$ oc patch storageconsumer test-consumer -n default --type=json -p='[{"op": "remove", "path": "/spec/storageQuotaInGiB"}]'
The StorageConsumer "test-consumer" is invalid: spec: Invalid value: "object": no such key: storageQuotaInGiB evaluating rule: storageQuotaInGiB cannot be decreased unless setting to 0

[OdedViner]

@OdedViner: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ocs-operator-bundle-e2e-aws a650d4b link true /test ocs-operator-bundle-e2e-aws
Full PR test history. Your PR dashboard.

@iamniting Is this a temp issue?

[iamniting]

Can you also check if this allows you to delete the field?

@iamniting Is this the expected behavior?

$ oc patch storageconsumer test-consumer -n default --type=json -p='[{"op": "remove", "path": "/spec/storageQuotaInGiB"}]'
The StorageConsumer "test-consumer" is invalid: spec: Invalid value: "object": no such key: storageQuotaInGiB evaluating rule: storageQuotaInGiB cannot be decreased unless setting to 0

Can you try doing the same thing with oc edit?

[iamniting]

/test ocs-operator-bundle-e2e-aws

[openshift-ci]

@OdedViner: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ocs-operator-bundle-e2e-aws	a650d4b	link	true	/test ocs-operator-bundle-e2e-aws

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.