add support for CEL-based mutation steps in PublishedResources

On-behalf-of: @SAP christoph.mewes@sap.com

Author: xrstf

deploy/crd/kcp.io/syncagent.kcp.io_publishedresources.yaml

@@ -157,6 +157,16 @@ spec:
                     spec:
                       items:
                         properties:
+                          cel:
+                            properties:
+                              expression:
+                                type: string
+                              path:
+                                type: string
+                            required:
+                              - expression
+                              - path
+                            type: object
                           delete:
                             properties:
                               path:
@@ -193,6 +203,16 @@ spec:
                     status:
                       items:
                         properties:
+                          cel:
+                            properties:
+                              expression:
+                                type: string
+                              path:
+                                type: string
+                            required:
+                              - expression
+                              - path
+                            type: object
                           delete:
                             properties:
                               path:
@@ -396,6 +416,16 @@ spec:
                           spec:
                             items:
                               properties:
+                                cel:
+                                  properties:
+                                    expression:
+                                      type: string
+                                    path:
+                                      type: string
+                                  required:
+                                    - expression
+                                    - path
+                                  type: object
                                 delete:
                                   properties:
                                     path:
@@ -432,6 +462,16 @@ spec:
                           status:
                             items:
                               properties:
+                                cel:
+                                  properties:
+                                    expression:
+                                      type: string
+                                    path:
+                                      type: string
+                                  required:
+                                    - expression
+                                    - path
+                                  type: object
                                 delete:
                                   properties:
                                     path:

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/evanphx/json-patch/v5 v5.9.11
 	github.com/go-logr/logr v1.4.3
 	github.com/go-logr/zapr v1.3.0
+	github.com/google/cel-go v0.23.2
 	github.com/google/go-cmp v0.7.0
 	github.com/kcp-dev/api-syncagent/sdk v0.0.0-00010101000000-000000000000
 	github.com/kcp-dev/kcp v0.28.1
@@ -81,7 +82,6 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/cel-go v0.23.2 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect

internal/mutation/mutator.go

@@ -111,6 +111,12 @@ func createAggregatedTransformer(mutations []syncagentv1alpha1.ResourceMutation)
 				return nil, err
 			}
 
+		case mut.CEL != nil:
+			trans, err = transformer.NewCEL(mut.CEL)
+			if err != nil {
+				return nil, err
+			}
+
 		default:
 			return nil, errors.New("no valid mutation mechanism provided")
 		}

internal/mutation/transformer/cel.go

@@ -0,0 +1,94 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package transformer
+
+import (
+	"fmt"
+
+	"github.com/google/cel-go/cel"
+	"github.com/google/cel-go/checker/decls"
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/sjson"
+
+	syncagentv1alpha1 "github.com/kcp-dev/api-syncagent/sdk/apis/syncagent/v1alpha1"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+type celTransformer struct {
+	path string
+	prg  cel.Program
+}
+
+func NewCEL(mut *syncagentv1alpha1.ResourceCELMutation) (*celTransformer, error) {
+	env, err := cel.NewEnv(cel.Declarations(
+		decls.NewVar("self", decls.Dyn),
+		decls.NewVar("other", decls.Dyn),
+		decls.NewVar("value", decls.Dyn),
+	))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create CEL env: %w", err)
+	}
+
+	expr, issues := env.Compile(mut.Expression)
+	if issues != nil && issues.Err() != nil {
+		return nil, fmt.Errorf("failed to compile CEL expression: %w", issues.Err())
+	}
+
+	prg, err := env.Program(expr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create CEL program: %w", err)
+	}
+
+	return &celTransformer{
+		path: mut.Path,
+		prg:  prg,
+	}, nil
+}
+
+func (m *celTransformer) Apply(toMutate *unstructured.Unstructured, otherObj *unstructured.Unstructured) (*unstructured.Unstructured, error) {
+	encoded, err := EncodeObject(toMutate)
+	if err != nil {
+		return nil, fmt.Errorf("failed to JSON encode object: %w", err)
+	}
+
+	// get the current value at the path
+	current := gjson.Get(encoded, m.path)
+
+	input := map[string]any{
+		"value": current.Value(),
+		"self":  toMutate.Object,
+		"other": nil,
+	}
+	if otherObj != nil {
+		input["other"] = otherObj.Object
+	}
+
+	// evaluate the expression
+	out, _, err := m.prg.Eval(input)
+	if err != nil {
+		return nil, fmt.Errorf("failed to evaluate CEL expression: %w", err)
+	}
+
+	// update the object
+	updated, err := sjson.Set(encoded, m.path, out)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set updated value: %w", err)
+	}
+
+	return DecodeObject(updated)
+}

internal/mutation/transformer/cel_test.go

@@ -0,0 +1,140 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package transformer
+
+import (
+	"testing"
+
+	"github.com/kcp-dev/api-syncagent/internal/test/diff"
+	syncagentv1alpha1 "github.com/kcp-dev/api-syncagent/sdk/apis/syncagent/v1alpha1"
+	"github.com/kcp-dev/api-syncagent/test/utils"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func TestCEL(t *testing.T) {
+	commonInputObject := utils.YAMLToUnstructured(t, `
+apiVersion: kcp.example.com/v1
+kind: CronTab
+metadata:
+  namespace: default
+  name: my-crontab
+spec:
+  cronSpec: '* * *'
+  image: ubuntu:latest
+`)
+
+	testcases := []struct {
+		name      string
+		inputData *unstructured.Unstructured
+		otherObj  *unstructured.Unstructured
+		mutation  syncagentv1alpha1.ResourceCELMutation
+		expected  *unstructured.Unstructured
+	}{
+		{
+			name:      "replace value at path with a fixed value of the same type",
+			inputData: commonInputObject,
+			mutation: syncagentv1alpha1.ResourceCELMutation{
+				Path:       "spec.cronSpec",
+				Expression: `"hei verden"`,
+			},
+			expected: utils.YAMLToUnstructured(t, `
+apiVersion: kcp.example.com/v1
+kind: CronTab
+metadata:
+  namespace: default
+  name: my-crontab
+spec:
+  cronSpec: "hei verden"
+  image: ubuntu:latest
+`),
+		},
+		{
+			name:      "replace value at path with a fixed value of other type",
+			inputData: commonInputObject,
+			mutation: syncagentv1alpha1.ResourceCELMutation{
+				Path:       "spec.cronSpec",
+				Expression: `42`,
+			},
+			expected: utils.YAMLToUnstructured(t, `
+apiVersion: kcp.example.com/v1
+kind: CronTab
+metadata:
+  namespace: default
+  name: my-crontab
+spec:
+  cronSpec: 42
+  image: ubuntu:latest
+`),
+		},
+		{
+			name:      "access the current value at the path",
+			inputData: commonInputObject,
+			mutation: syncagentv1alpha1.ResourceCELMutation{
+				Path:       "spec.cronSpec",
+				Expression: `value + "foo"`,
+			},
+			expected: utils.YAMLToUnstructured(t, `
+apiVersion: kcp.example.com/v1
+kind: CronTab
+metadata:
+  namespace: default
+  name: my-crontab
+spec:
+  cronSpec: '* * *foo'
+  image: ubuntu:latest
+`),
+		},
+		{
+			name:      "access value from the object from the other side",
+			inputData: commonInputObject,
+			otherObj:  commonInputObject,
+			mutation: syncagentv1alpha1.ResourceCELMutation{
+				Path:       "spec.cronSpec",
+				Expression: `other.spec.image`,
+			},
+			expected: utils.YAMLToUnstructured(t, `
+apiVersion: kcp.example.com/v1
+kind: CronTab
+metadata:
+  namespace: default
+  name: my-crontab
+spec:
+  cronSpec: ubuntu:latest
+  image: ubuntu:latest
+`),
+		},
+	}
+
+	for _, testcase := range testcases {
+		t.Run(testcase.name, func(t *testing.T) {
+			transformer, err := NewCEL(&testcase.mutation)
+			if err != nil {
+				t.Fatalf("Failed to create transformer: %v", err)
+			}
+
+			transformed, err := transformer.Apply(testcase.inputData, testcase.otherObj)
+			if err != nil {
+				t.Fatalf("Failed to transform: %v", err)
+			}
+
+			if changes := diff.ObjectDiff(testcase.expected, transformed); changes != "" {
+				t.Errorf("Did not get expected object:\n\n%s", changes)
+			}
+		})
+	}
+}

sdk/apis/syncagent/v1alpha1/published_resource.go

@@ -169,6 +169,7 @@ type ResourceMutation struct {
 	Delete   *ResourceDeleteMutation   `json:"delete,omitempty"`
 	Regex    *ResourceRegexMutation    `json:"regex,omitempty"`
 	Template *ResourceTemplateMutation `json:"template,omitempty"`
+	CEL      *ResourceCELMutation      `json:"cel,omitempty"`
 }
 
 type ResourceDeleteMutation struct {
@@ -188,6 +189,11 @@ type ResourceTemplateMutation struct {
 	Template string `json:"template"`
 }
 
+type ResourceCELMutation struct {
+	Path       string `json:"path"`
+	Expression string `json:"expression"`
+}
+
 type RelatedResourceOrigin string
 
 const (