api: tighten runtime CRD validation

[googs1025]

Summary

• add CRD schema/CEL validation for runtime session durations and ordering
• validate runtime target ports and path prefixes
• enforce non-negative CodeInterpreter warm pool size and add generated CRD schema tests

Test Plan

• GOCACHE=/private/tmp/agentcube-go-cache make gen-crd
• GOCACHE=/private/tmp/agentcube-go-cache go test -gcflags=all=-l ./pkg/apis/runtime/v1alpha1 ./pkg/workloadmanager -count=1

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hzxuzhonghu for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds/updates Kubebuilder CRD validations for runtime APIs (durations, ports, warm pool sizing, and cross-field constraints) and introduces a Go test to assert the generated CRD schemas contain the expected OpenAPI/CEL validation rules.

Changes:

• Add Format=duration and positive-duration CEL validations for sessionTimeout / maxSessionDuration.
• Add min/max/regex validations for ports, path prefix, and warm pool size; add cross-field sessionTimeout <= maxSessionDuration validations.
• Add tests that load the generated CRDs and assert the schema contains the expected validation constraints.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/apis/runtime/v1alpha1/crd_validation_test.go	New tests to verify generated CRD OpenAPI schema and CEL rules.
pkg/apis/runtime/v1alpha1/codeinterpreter_types.go	Adds Kubebuilder validation markers for CodeInterpreter spec fields and port fields.
pkg/apis/runtime/v1alpha1/agent_type.go	Adds Kubebuilder validation markers for AgentRuntime spec duration fields and cross-field constraint.
manifests/charts/base/crds/runtime.agentcube.volcano.sh_codeinterpreters.yaml	Regenerated CRD including the new schema constraints and CEL rules.
manifests/charts/base/crds/runtime.agentcube.volcano.sh_agentruntimes.yaml	Regenerated CRD including the new schema constraints and CEL rules.

[googs1025]

Done

[googs1025]

Done

[googs1025]

Done

[gemini-code-assist]

Code Review

This pull request adds OpenAPI validation rules and CEL validations to the AgentRuntime and CodeInterpreter CRDs, ensuring correct port ranges, path prefixes, and session duration limits, along with a test suite to verify the generated schemas. However, the CEL validation rules contain critical bugs: comparing metav1.Duration fields (which are serialized as strings) directly using operators like <= or > results in lexicographical string comparisons or runtime type mismatch errors. To fix this, all duration fields must be explicitly wrapped in the duration() function (e.g., duration(self)) in the Go API definitions, the generated YAML manifests, and the corresponding unit tests.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

In CEL, comparing string fields (which metav1.Duration is represented as in OpenAPI/JSON) directly using <= performs a lexicographical string comparison instead of a duration comparison. For example, "10h" <= "8h" would evaluate to true because "1" is lexicographically less than "8". To compare them correctly as durations, they must be parsed using the duration() function.

Suggested change

	// +kubebuilder:validation:XValidation:rule="self.sessionTimeout <= self.maxSessionDuration",message="sessionTimeout must be less than or equal to maxSessionDuration"
	// +kubebuilder:validation:XValidation:rule="duration(self.sessionTimeout) <= duration(self.maxSessionDuration)",message="sessionTimeout must be less than or equal to maxSessionDuration"

[googs1025]

Done

[gemini-code-assist]

Since self is a string representing the duration, comparing it directly with a duration object (duration('0s')) will cause a CEL type mismatch runtime error, which will reject all API requests. We must parse self using duration(self).

Suggested change

	// +kubebuilder:validation:XValidation:rule="self > duration('0s')",message="sessionTimeout must be greater than 0"
	// +kubebuilder:validation:XValidation:rule="duration(self) > duration('0s')",message="sessionTimeout must be greater than 0"

[googs1025]

Done

[gemini-code-assist]

Since self is a string representing the duration, comparing it directly with a duration object (duration('0s')) will cause a CEL type mismatch runtime error, which will reject all API requests. We must parse self using duration(self).

Suggested change

	// +kubebuilder:validation:XValidation:rule="self > duration('0s')",message="maxSessionDuration must be greater than 0"
	// +kubebuilder:validation:XValidation:rule="duration(self) > duration('0s')",message="maxSessionDuration must be greater than 0"

[googs1025]

Done

[gemini-code-assist]

In CEL, comparing string fields (which metav1.Duration is represented as in OpenAPI/JSON) directly using <= performs a lexicographical string comparison instead of a duration comparison. To compare them correctly as durations, they must be parsed using the duration() function.

Suggested change

	// +kubebuilder:validation:XValidation:rule="!has(self.sessionTimeout) || !has(self.maxSessionDuration) || self.sessionTimeout <= self.maxSessionDuration",message="sessionTimeout must be less than or equal to maxSessionDuration"
	// +kubebuilder:validation:XValidation:rule="!has(self.sessionTimeout) || !has(self.maxSessionDuration) || duration(self.sessionTimeout) <= duration(self.maxSessionDuration)",message="sessionTimeout must be less than or equal to maxSessionDuration"

[googs1025]

Done

[gemini-code-assist]

Since self is a string representing the duration, comparing it directly with a duration object (duration('0s')) will cause a CEL type mismatch runtime error, which will reject all API requests. We must parse self using duration(self).

Suggested change

	// +kubebuilder:validation:XValidation:rule="self > duration('0s')",message="sessionTimeout must be greater than 0"
	// +kubebuilder:validation:XValidation:rule="duration(self) > duration('0s')",message="sessionTimeout must be greater than 0"

[googs1025]

Done

[gemini-code-assist]

In CEL, comparing string fields directly using <= performs a lexicographical string comparison instead of a duration comparison. To compare them correctly as durations, they must be parsed using the duration() function.

                duration(self.sessionTimeout) <= duration(self.maxSessionDuration)'

[googs1025]

Done

[gemini-code-assist]

Update the expected validation rule to match the correct duration-based comparison.

Suggested change

	rule: "self.sessionTimeout <= self.maxSessionDuration",
	rule: "duration(self.sessionTimeout) <= duration(self.maxSessionDuration)",

[googs1025]

Done

[gemini-code-assist]

Update the expected validation rule to match the correct duration-based comparison.

Suggested change

	rule: "!has(self.sessionTimeout) || !has(self.maxSessionDuration) || self.sessionTimeout <= self.maxSessionDuration",
	rule: "!has(self.sessionTimeout) || !has(self.maxSessionDuration) || duration(self.sessionTimeout) <= duration(self.maxSessionDuration)",

[googs1025]

Done

[gemini-code-assist]

Update the expected validation rule to match the correct duration-based comparison.

Suggested change

	assertHasValidationRule(t, sessionTimeoutSchema, "self > duration('0s')")
	assertHasValidationRule(t, sessionTimeoutSchema, "duration(self) > duration('0s')")

[googs1025]

Done

[gemini-code-assist]

Update the expected validation rule to match the correct duration-based comparison.

Suggested change

	assertHasValidationRule(t, maxSessionDurationSchema, "self > duration('0s')")
	assertHasValidationRule(t, maxSessionDurationSchema, "duration(self) > duration('0s')")

[googs1025]

Done

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.96%. Comparing base (524e55e) to head (311d738).
⚠️ Report is 121 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #382       +/-   ##
===========================================
+ Coverage   47.57%   57.96%   +10.39%     
===========================================
  Files          30       34        +4     
  Lines        2819     3181      +362     
===========================================
+ Hits         1341     1844      +503     
+ Misses       1338     1153      -185     
- Partials      140      184       +44     

Flag	Coverage Δ
unittests	57.96% <ø> (+10.39%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[googs1025]

Done

[googs1025]

Done