Runtime CRs should be validated to assure they're correct

[Disper]

Description

• Take the ADR that defines the contract

• Have a test that will identify CRs with invalid values (e.g. shoot.kubernetes.kubeAPIServer.oidcConfig.clientID, and shoot.kubernetes.kubeAPIServer.oidcConfig.issuerURL should not be empty, there should be at least one workers pool)

• Ensure required fields will be added with default values

  1. KIM will store the default values for some fields in our RuntimeCR (e.g. oidcConfig)
  2. We will have a few fields in the RuntimeCR , which won't be necessarily provided by KEB but have to be filled out with default values by KIM (<< having them in the RuntimeCR included is helpful for later operational actions applied by SRE - they will sometimes have to adjust these values when major cluster-upgrades are applied)
  3. It's KIMs responsibility, to check for each creation/update of a RuntimeCR instance, that missing fields will be added to this CR with their default values (could be done by an webhook executed before KIM starts processing the values etc.)

  Right now, we know two fields, which have to be filled out with default-values by KIM if KEB is not providing them:

  • oidcConfig (<< will be filled out with default Kyma-OIDC provider if nothing else is provided by KEB)
  • additionalOidcConfigs (<< if list is empty, KIM has to add one entry to the list - as soon as the list is not empty, nothing has to be checked by KIM)

AC:

• Implement CR validation (using JSON schema validation)
• Support setting of default values for missing fields (these fields cannot be set to be mandatory in the contract as it's allowed for KEB to leave them out, but before the Shoot-spec get created, these values have to be defined in the RuntimeCR).
  • oidcConfig has to be set if KEB is not providing it
  • oidcConfiguration list is not allowed to be empty, if empty one entry has to be added by KIM