feat: Add CEL-based conditional function execution (#4388)#4391
Closed
SurbhiAgarwal1 wants to merge 61 commits intokptdev:mainfrom
Closed
feat: Add CEL-based conditional function execution (#4388)#4391SurbhiAgarwal1 wants to merge 61 commits intokptdev:mainfrom
SurbhiAgarwal1 wants to merge 61 commits intokptdev:mainfrom
Conversation
SurbhiAgarwal1
requested review from
efiacor,
kispaljr and
mozesl-nokia
as code owners
✅ Deploy Preview for kptdocs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
SurbhiAgarwal1
force-pushed
the
feat/cel-conditional-execution
branch
from
32fe3c0 to
3d2bde5
Compare
liamfallon
reviewed
Feb 16, 2026
.agent/github_comment_4382.md
Outdated
Contributor
There was a problem hiding this comment.
Did you mean to post these files on the issue rather than on the PR? It looks like AI generated content.
nagygergo
suggested changes
Feb 16, 2026
Contributor
nagygergo
left a comment
nagygergo
left a comment
There was a problem hiding this comment.
Hey, good to see a new contributor.
Some general comments:
- Clean up AI instructions.
- Add e2e tests.
- Add documentation.
Some specific comments are inline.
| "github.com/stretchr/testify/require" | ||
| "sigs.k8s.io/kustomize/kyaml/yaml" | ||
| ) | ||
|
|
Contributor
There was a problem hiding this comment.
Add a testcase that makes sure that the cel functions can't mutate the resourcelist that is the input. The function signature can allow for it, as it hands over the *yaml.RNode list.
Contributor
Author
There was a problem hiding this comment.
Hi @nagygergo! Done! I've added TestEvaluateCondition_Immutability that verifies CEL functions can't mutate the input resource list.
The test creates a ConfigMap, stores the original YAML, evaluates a CEL condition, then compares before/after to ensure no mutation. Even though the function signature accepts *yaml.RNode list (which could be mutated), CEL only receives converted map[string]interface{} copies, so the original RNodes remain unchanged.
SurbhiAgarwal1
force-pushed
the
feat/cel-conditional-execution
branch
from
5f1dce7 to
98ac05d
Compare
Contributor
Author
|
Thanks @nagygergo for the detailed review! I've addressed all the feedback: Changes Made:1. Cleaned up AI-generated files
2. Added CEL protection
3. Reuse CEL environment
4. Added context parameter
5. Removed unnecessary nil check
6. Added immutability test
7. Updated all tests
8. Added documentation
9. Resource serialization
10. fnResult/fnResults in tests
All review comments have been addressed. Let me know if you need any other changes! |
SurbhiAgarwal1
force-pushed
the
feat/cel-conditional-execution
branch
from
cce25d3 to
e0c5faa
Compare
Contributor
|
@SurbhiAgarwal1 please fix the build issues. I'll get back to reviewing it after the build and tests are passing. |
SurbhiAgarwal1
force-pushed
the
feat/cel-conditional-execution
branch
from
155590a to
fc9326d
Compare
dosubot
bot
added
the
size:XXL
- Run go mod tidy to drop k8s.io/apiserver (was causing docker/podman CI failure) - Fix celeval_test.go: correct import path to github.com/kptdev/kpt/pkg/lib/runneroptions - Update tests to use new EvaluateCondition(ctx, condition, resources) API Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
Fix 1: ensure kind/apiVersion/metadata always present in CEL resource map - resourceToMap now guarantees these keys exist so CEL expressions like r.kind == 'Deployment' return false instead of 'no such key' error Fix 2: add .krmignore to condition test dirs - .expected/ was being picked up by kpt fn render as a KRM resource - .krmignore with '.expected' excludes it, matching all other test cases Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
- Switch condition testdata from set-labels to no-op function so diff.patch hashes are deterministic and don't depend on container output - Fix diff.patch files with correct git blob hashes for before/after Kptfile - Update config.yaml expected stderr to match no-op function output - Add comment in celenv.go explaining why k8s.io/apiserver CEL extensions are excluded (binary size / CI build failures) while cel-go built-ins suffice Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
…, SemVer) Re-add k8s.io/apiserver dependency to include k8s-specific CEL validators. Maintainer confirmed these should be included despite the build time increase. Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
- celeval.go: fix type alias comment (no import cycle, just convenience) - celenv.go: default metadata.name and metadata.namespace to empty string so CEL expressions like r.metadata.name never error on missing keys - runner.go: return error when condition is set but CELEnvironment is nil - types.go: clarify Condition doc - evaluated against selected resources (after Selectors/Exclude), not the full package resource list - celeval_test.go: add TestEvaluateCondition_MissingMetadata to verify conditions don't error on resources with missing metadata fields Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
- Remove unnecessary type alias file (internal/fnruntime/celeval.go)
Use *runneroptions.CELEnvironment directly in runner.go
- Group CEL constants in const() block in celenv.go
- Replace interface{} with any throughout celenv.go for modern Go style
- Remove panic from InitDefaults, add separate InitCELEnvironment() method
Callers can now handle CEL initialization errors gracefully
- Fix error message for exec-based functions when condition is set
Now uses f.Exec as fallback when f.Image is empty
- Fix go.mod: mark k8s.io/apiserver as direct dependency (not indirect)
- Add InitCELEnvironment() calls after all InitDefaults() calls:
* commands/fn/render/cmdrender.go
* thirdparty/cmdconfig/commands/cmdeval/cmdeval.go
* internal/util/get/get.go
* pkg/lib/kptops/fs_test.go
* pkg/lib/kptops/render_test.go
Addresses review comments from:
- mozesl-nokia (type alias, const grouping, panic removal, any vs interface{})
- Copilot (error messages, go.mod dependency marking)
Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
… specified When users explicitly pass '.' as the destination directory, kpt pkg get now places files directly in the current directory, matching the behavior of 'git clone' and 'kpt cfg set'. Changes: - Modified parse.GitParseArgs() to track if destination was explicitly provided - Updated getDest() to use current directory directly when explicitly specified - Modified get.Run() to allow using existing empty directories - Preserved default behavior: when no destination is provided, still creates a subdirectory with the package name Fixes kptdev#1407 Signed-off-by: Ciaran Johnston <ciaran.johnston@ericsson.com>
Signed-off-by: Ciaran Johnston <ciaran.johnston@ericsson.com>
…tions - Changed getDest() to check cleaned path (v) instead of originalV for '.' comparison - Updated tests to expect current directory when './' or '.' is explicitly passed - Fixed TestCmdMainBranch_execute to not pass './' explicitly - Fixed TestCmd_fail to use non-existent destination directory Signed-off-by: Ciaran Johnston <ciaran.johnston@ericsson.com>
Signed-off-by: Ciaran Johnston <ciaran.johnston@ericsson.com>
Signed-off-by: Ciaran Johnston <ciaran.johnston@ericsson.com>
* Replace the image registry from gcr.io to ghcr.io Signed-off-by: aravind.est <aravindhan.a@est.tech> * Fix the wasm build failure New WASM images published. It's a manual process now. Fix Go 1.21+ wasm compatibility by renaming the import module from go to gojs in the nodejs JS glue code. The wasmexec library used by the wasmtime runtime has the same issue but requires a separate upstream fix. Signed-off-by: aravind.est <aravindhan.a@est.tech> --------- Signed-off-by: aravind.est <aravindhan.a@est.tech>
Signed-off-by: Michael Greaves <michael.greaves@nokia.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Michael Greaves <michael.greaves@nokia.com>
Signed-off-by: Michael Greaves <michael.greaves@nokia.com>
CI failure due to renderstatus merge fixed. Env variable to use nodejs as wasm env moved to Makefile from Github workflow Signed-off-by: aravind.est <aravindhan.a@est.tech>
…king (kptdev#4437) * Add renderstatus to the kptfile Signed-off-by: aravind.est <aravindhan.a@est.tech> * Address copilot review comments Signed-off-by: Aravindhan Ayyanathan <aravindhan.a@est.tech> --------- Signed-off-by: aravind.est <aravindhan.a@est.tech> Signed-off-by: Aravindhan Ayyanathan <aravindhan.a@est.tech>
Signed-off-by: Mózes László Máté <laszlo.mozes@nokia.com>
Signed-off-by: Mózes László Máté <laszlo.mozes@nokia.com>
Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
- Remove krm-functions-catalog submodule (causing netlify docs build failure) - Remove temporary files: output.txt, e2e_output.txt, PR_REVIEW_SUMMARY.md - Update test expectations to include renderStatus field in Kptfile API - condition-not-met: empty mutationSteps array (function skipped) - condition-met: mutationSteps with exitCode 0 (function executed) Addresses review feedback from efiacor Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
When condition is not met and function is skipped, mutationSteps is empty so renderStatus is omitted entirely (omitempty). Remove the empty mutationSteps from the expected diff.patch. Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
Replace unused parameters r and w with _ in filter.Run mock function to satisfy revive linter unused-parameter rule. Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
Filter() calls printer.FromContextOrDie() which panics if printer is not set in context. Add printer.WithContext() to test setup. Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
Contributor
Author
|
Closing this PR in favor of a clean rebase. The branch had accumulated 61 commits including upstream commits from other contributors, making it messy to review. All the feedback from this review has been addressed in the new PR which has a single clean commit:
Thank you all for the thorough review! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements #4388
Changes
conditionfield to Function schema for CEL expressionsExample Usage