From 223dcd0fda49f05b3d7beebc45cdb843caaefd3c Mon Sep 17 00:00:00 2001
From: Amanuel Engeda <74629455+engedaam@users.noreply.github.com>
Date: Mon, 23 Oct 2023 17:46:05 -0700
Subject: [PATCH] chore: CEL Vaildation Requirements Cleanup (#632)

---
 hack/validation/requirements.sh | 8 ++++----
 pkg/apis/crds/karpenter.sh_nodeclaims.yaml | 4 ++--
 pkg/apis/crds/karpenter.sh_nodepools.yaml | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/hack/validation/requirements.sh b/hack/validation/requirements.sh
index a712012f8c..d5929190d3 100755
--- a/hack/validation/requirements.sh
+++ b/hack/validation/requirements.sh
@@ -7,9 +7,9 @@ yq eval '.spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.req
 yq eval '.spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.requirements.items.properties.key.pattern = "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"' -i pkg/apis/crds/karpenter.sh_nodeclaims.yaml
 ## checking for restricted labels while filtering out well-known labels
 yq eval '.spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.requirements.items.properties.key.x-kubernetes-validations += [
- {"message": "label domain \"kubernetes.io\" is restricted", "rule": "self == \"beta.kubernetes.io/instance-type\" || self == \"failure-domain.beta.kubernetes.io/region\"|| self == \"beta.kubernetes.io/os\" || self == \"beta.kubernetes.io/arch\" || self == \"failure-domain.beta.kubernetes.io/zone\" || self.startsWith(\"node.kubernetes.io/\") || self.startsWith(\"node-restriction.kubernetes.io/\") || self == \"topology.kubernetes.io/zone\" || self == \"topology.kubernetes.io/region\" || self == \"node.kubernetes.io/instance-type\" || self == \"kubernetes.io/arch\"|| self == \"kubernetes.io/os\" || self == \"node.kubernetes.io/windows-build\" || !self.find(\"^([^/]+)\").endsWith(\"kubernetes.io\")"},
+ {"message": "label domain \"kubernetes.io\" is restricted", "rule": "self in [\"beta.kubernetes.io/instance-type\", \"failure-domain.beta.kubernetes.io/region\", \"beta.kubernetes.io/os\", \"beta.kubernetes.io/arch\", \"failure-domain.beta.kubernetes.io/zone\", \"topology.kubernetes.io/zone\", \"topology.kubernetes.io/region\", \"node.kubernetes.io/instance-type\", \"kubernetes.io/arch\", \"kubernetes.io/os\", \"node.kubernetes.io/windows-build\"] || self.startsWith(\"node.kubernetes.io/\") || self.startsWith(\"node-restriction.kubernetes.io/\") || !self.find(\"^([^/]+)\").endsWith(\"kubernetes.io\")"},
 {"message": "label domain \"k8s.io\" is restricted", "rule": "self.startsWith(\"kops.k8s.io/\") || !self.find(\"^([^/]+)\").endsWith(\"k8s.io\")"},
- {"message": "label domain \"karpenter.sh\" is restricted", "rule": "self == \"karpenter.sh/capacity-type\"|| self == \"karpenter.sh/nodepool\" || !self.find(\"^([^/]+)\").endsWith(\"karpenter.sh\")"},
+ {"message": "label domain \"karpenter.sh\" is restricted", "rule": "self in [\"karpenter.sh/capacity-type\", \"karpenter.sh/nodepool\"] || !self.find(\"^([^/]+)\").endsWith(\"karpenter.sh\")"},
 {"message": "label \"kubernetes.io/hostname\" is restricted", "rule": "self != \"kubernetes.io/hostname\""}]' -i pkg/apis/crds/karpenter.sh_nodeclaims.yaml
 ## operator enum values
 yq eval '.spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.requirements.items.properties.operator.enum += ["In","NotIn","Exists","DoesNotExist","Gt","Lt"]' -i pkg/apis/crds/karpenter.sh_nodeclaims.yaml
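Review bot: The rewritten `kubernetes.io` rule still admits every key under `node-restriction.kubernetes.io/` through the `self.startsWith(\"node-restriction.kubernetes.io/\")` clause, and nothing in the script says why that domain is exempt while the rest of `kubernetes.io` is blocked. Those are precisely the labels the NodeRestriction admission plugin keeps kubelets from assigning to themselves, so permitting them in NodeClaim requirements means that anyone allowed to create a NodeClaim or NodePool can mint nodes carrying labels that workloads trust for placement; this is presumably deliberate, since Karpenter rather than the kubelet applies the label, but it is a trust-boundary decision that a later cleanup could silently undo. I would record it directly above the `yq eval ... x-kubernetes-validations += [` line: `## node-restriction.kubernetes.io/* is allowed on purpose: Karpenter (not the kubelet) applies it, so NodeClaim/NodePool write access must be treated as privileged`.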
@@ -24,9 +24,9 @@ yq eval '.spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.tem
 yq eval '.spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.template.properties.spec.properties.requirements.items.properties.key.pattern = "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"' -i pkg/apis/crds/karpenter.sh_nodepools.yaml
 ## checking for restricted labels while filtering out well-known labels
 yq eval '.spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.template.properties.spec.properties.requirements.items.properties.key.x-kubernetes-validations += [
- {"message": "label domain \"kubernetes.io\" is restricted", "rule": "self == \"beta.kubernetes.io/instance-type\" || self == \"failure-domain.beta.kubernetes.io/region\"|| self == \"beta.kubernetes.io/os\" || self == \"beta.kubernetes.io/arch\" || self == \"failure-domain.beta.kubernetes.io/zone\" || self.startsWith(\"node.kubernetes.io/\") || self.startsWith(\"node-restriction.kubernetes.io/\") || self == \"topology.kubernetes.io/zone\" || self == \"topology.kubernetes.io/region\" || self == \"node.kubernetes.io/instance-type\" || self == \"kubernetes.io/arch\"|| self == \"kubernetes.io/os\" || self == \"node.kubernetes.io/windows-build\" || !self.find(\"^([^/]+)\").endsWith(\"kubernetes.io\")"},
+ {"message": "label domain \"kubernetes.io\" is restricted", "rule": "self in [\"beta.kubernetes.io/instance-type\", \"failure-domain.beta.kubernetes.io/region\", \"beta.kubernetes.io/os\", \"beta.kubernetes.io/arch\", \"failure-domain.beta.kubernetes.io/zone\", \"topology.kubernetes.io/zone\", \"topology.kubernetes.io/region\", \"node.kubernetes.io/instance-type\", \"kubernetes.io/arch\", \"kubernetes.io/os\", \"node.kubernetes.io/windows-build\"] || self.startsWith(\"node.kubernetes.io/\") || self.startsWith(\"node-restriction.kubernetes.io/\") || !self.find(\"^([^/]+)\").endsWith(\"kubernetes.io\")"},
 {"message": "label domain \"k8s.io\" is restricted", "rule": "self.startsWith(\"kops.k8s.io/\") || !self.find(\"^([^/]+)\").endsWith(\"k8s.io\")"},
- {"message": "label domain \"karpenter.sh\" is restricted", "rule": "self == \"karpenter.sh/capacity-type\"|| self == \"karpenter.sh/nodepool\" || !self.find(\"^([^/]+)\").endsWith(\"karpenter.sh\")"},
+ {"message": "label domain \"karpenter.sh\" is restricted", "rule": "self in [\"karpenter.sh/capacity-type\", \"karpenter.sh/nodepool\"] || !self.find(\"^([^/]+)\").endsWith(\"karpenter.sh\")"},
 {"message": "label \"karpenter.sh/nodepool\" is restricted", "rule": "self != \"karpenter.sh/nodepool\""},
 {"message": "label \"kubernetes.io/hostname\" is restricted", "rule": "self != \"kubernetes.io/hostname\""}]' -i pkg/apis/crds/karpenter.sh_nodepools.yaml
 ## operator enum values
diff --git a/pkg/apis/crds/karpenter.sh_nodeclaims.yaml b/pkg/apis/crds/karpenter.sh_nodeclaims.yaml
index 4854f84ee4..5f624480d1 100644
--- a/pkg/apis/crds/karpenter.sh_nodeclaims.yaml
+++ b/pkg/apis/crds/karpenter.sh_nodeclaims.yaml
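Review bot: The new `self in [...]` allow-lists for the NodePool rules still carry entries that another clause already decides, which a commit titled "Cleanup" could drop. `node.kubernetes.io/instance-type` and `node.kubernetes.io/windows-build` are both matched by `self.startsWith(\"node.kubernetes.io/\")` in the same rule, and `karpenter.sh/nodepool` is admitted by the karpenter.sh rule only to be rejected unconditionally by the `self != \"karpenter.sh/nodepool\"` rule two entries below, so the allow-list documents a policy the CRD does not actually have. Since every rule must pass, the outcome is unchanged if the NodePool karpenter.sh rule is written as `{"message": "label domain \"karpenter.sh\" is restricted", "rule": "self == \"karpenter.sh/capacity-type\" || !self.find(\"^([^/]+)\").endsWith(\"karpenter.sh\")"}`. Separately, the `+=` on these `yq eval` lines appends rather than sets, so re-running the script against an already-patched CRD would presumably duplicate every rule; if the script is only meant to run on freshly generated CRDs, that is worth a one-line comment at the top of the file, which is outside this hunk.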
@@ -186,11 +186,11 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$ x-kubernetes-validations: - message: label domain "kubernetes.io" is restricted - rule: self == "beta.kubernetes.io/instance-type" || self == "failure-domain.beta.kubernetes.io/region"|| self == "beta.kubernetes.io/os" || self == "beta.kubernetes.io/arch" || self == "failure-domain.beta.kubernetes.io/zone" || self.startsWith("node.kubernetes.io/") || self.startsWith("node-restriction.kubernetes.io/") || self == "topology.kubernetes.io/zone" || self == "topology.kubernetes.io/region" || self == "node.kubernetes.io/instance-type" || self == "kubernetes.io/arch"|| self == "kubernetes.io/os" || self == "node.kubernetes.io/windows-build" || !self.find("^([^/]+)").endsWith("kubernetes.io") + rule: self in ["beta.kubernetes.io/instance-type", "failure-domain.beta.kubernetes.io/region", "beta.kubernetes.io/os", "beta.kubernetes.io/arch", "failure-domain.beta.kubernetes.io/zone", "topology.kubernetes.io/zone", "topology.kubernetes.io/region", "node.kubernetes.io/instance-type", "kubernetes.io/arch", "kubernetes.io/os", "node.kubernetes.io/windows-build"] || self.startsWith("node.kubernetes.io/") || self.startsWith("node-restriction.kubernetes.io/") || !self.find("^([^/]+)").endsWith("kubernetes.io") - message: label domain "k8s.io" is restricted rule: self.startsWith("kops.k8s.io/") || !self.find("^([^/]+)").endsWith("k8s.io") - message: label domain "karpenter.sh" is restricted - rule: self == "karpenter.sh/capacity-type"|| self == "karpenter.sh/nodepool" || !self.find("^([^/]+)").endsWith("karpenter.sh") + rule: self in ["karpenter.sh/capacity-type", "karpenter.sh/nodepool"] || !self.find("^([^/]+)").endsWith("karpenter.sh") - message: label "kubernetes.io/hostname" is restricted rule: self != "kubernetes.io/hostname" operator: 
diff --git a/pkg/apis/crds/karpenter.sh_nodepools.yaml b/pkg/apis/crds/karpenter.sh_nodepools.yaml
index 62cc8aa462..dbc9acbbea 100644
--- a/pkg/apis/crds/karpenter.sh_nodepools.yaml
+++ b/pkg/apis/crds/karpenter.sh_nodepools.yaml
@@ -222,11 +222,11 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$ x-kubernetes-validations: - message: label domain "kubernetes.io" is restricted - rule: self == "beta.kubernetes.io/instance-type" || self == "failure-domain.beta.kubernetes.io/region"|| self == "beta.kubernetes.io/os" || self == "beta.kubernetes.io/arch" || self == "failure-domain.beta.kubernetes.io/zone" || self.startsWith("node.kubernetes.io/") || self.startsWith("node-restriction.kubernetes.io/") || self == "topology.kubernetes.io/zone" || self == "topology.kubernetes.io/region" || self == "node.kubernetes.io/instance-type" || self == "kubernetes.io/arch"|| self == "kubernetes.io/os" || self == "node.kubernetes.io/windows-build" || !self.find("^([^/]+)").endsWith("kubernetes.io") + rule: self in ["beta.kubernetes.io/instance-type", "failure-domain.beta.kubernetes.io/region", "beta.kubernetes.io/os", "beta.kubernetes.io/arch", "failure-domain.beta.kubernetes.io/zone", "topology.kubernetes.io/zone", "topology.kubernetes.io/region", "node.kubernetes.io/instance-type", "kubernetes.io/arch", "kubernetes.io/os", "node.kubernetes.io/windows-build"] || self.startsWith("node.kubernetes.io/") || self.startsWith("node-restriction.kubernetes.io/") || !self.find("^([^/]+)").endsWith("kubernetes.io") - message: label domain "k8s.io" is restricted rule: self.startsWith("kops.k8s.io/") || !self.find("^([^/]+)").endsWith("k8s.io") - message: label domain "karpenter.sh" is restricted - rule: self == "karpenter.sh/capacity-type"|| self == "karpenter.sh/nodepool" || !self.find("^([^/]+)").endsWith("karpenter.sh") + rule: self in ["karpenter.sh/capacity-type", "karpenter.sh/nodepool"] || !self.find("^([^/]+)").endsWith("karpenter.sh") - message: label "karpenter.sh/nodepool" is restricted rule: self != "karpenter.sh/nodepool" - message: label "kubernetes.io/hostname" is restricted