
feat: add CEL validation rules to the CRDs#15028

Merged
Joibel merged 3 commits into argoproj:main from Joibel:cel-validation
Nov 18, 2025

Joibel commented Nov 11, 2025

Follow up to #15009 and benefitting from #15003

Motivation

With full CRDs we can benefit from using CEL to validate workflows (and Cron/WFT/CWFT).

Modifications

Implement some of the simpler rules from validate.go as CEL rules too. Also implemented a few rules which seemed obvious from reading through the CRD go spec.

This is not intended as a comprehensive go at this, just a good starting point.

Template Reference Exclusivity:

  • exactly one of template, inline, or templateRef must be specified in WorkflowStep and DAGTask.

Mutual Exclusivity Rules:

  • only one template type per template
  • only one of withItems/withParam/withSequence
  • only one of sequence count/end
  • only one of manifest/manifestFrom
  • cannot use both depends and dependencies in DAG tasks.

DAG Task Constraints:

  • task names cannot start with digit when using depends/dependencies
  • cannot use continueOn with depends.

Timeout on Non-Leaf Templates:

  • Timeout cannot be set on steps or dag templates (only on leaf templates).

Cron Schedule Format:

  • CronWorkflow schedules must be valid 5-field cron expressions, special descriptors (@yearly, @hourly, etc.), or interval format (@every).

Metric Validation:

  • metric and label names validation
  • help and value fields required
  • real-time gauges cannot use resourcesDuration metrics

Artifact Mode Validation:

  • Artifact.Mode must be between 0 and 511 (0777 octal) for file permissions.

Enum Validations:

  • PodGC strategy
  • ConcurrencyPolicy
  • RetryPolicy
  • GaugeOperation
  • Resource action
  • MergeStrategy
    all have restricted allowed values.

Name Pattern Constraints:

  • Template/Step/Task names: max 128 chars, pattern ^[a-zA-Z0-9][-a-zA-Z0-9]*$;
  • Parameter/Artifact names: pattern ^[a-zA-Z0-9_][-a-zA-Z0-9_]*$.

Minimum Array Sizes:

  • Template.Steps requires at least one step group
  • Parameter.Enum requires at least one value
  • CronWorkflow.Schedules requires at least one schedule
  • DAG.Tasks requires at least one task.

Numeric Constraints:

  • Parallelism minimum 1
  • StartingDeadlineSeconds minimum 0.

Verification

The #15009 test already validates all our yaml against these rules.

I deliberately violated some rules locally to prove they worked for me.

Documentation

Added comprehensive feature note
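
What a few of the rules listed above accept and reject, as an added Go example that is not code from this PR or from Argo Workflows. The `Task` type is a hypothetical flattened stand-in for a DAGTask plus one artifact mode, and the checks are plain Go rather than the CEL expressions the PR adds.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var namePattern = regexp.MustCompile(`^[a-zA-Z0-9][-a-zA-Z0-9]*$`) // pattern from the PR description

// Task is a hypothetical, flattened stand-in for a DAGTask plus one artifact mode.
type Task struct {
	Name, Template, TemplateRef, Depends string
	Inline                               bool
	Dependencies                         []string
	ArtifactMode                         *int32 // nil means unset
}

func count(flags ...bool) (n int) {
	for _, f := range flags {
		if f {
			n++
		}
	}
	return n
}

// Violations returns one short label per listed rule that the task breaks.
func Violations(t Task) []string {
	var v []string
	if len(t.Name) > 128 || !namePattern.MatchString(t.Name) {
		v = append(v, "name")
	}
	if count(t.Template != "", t.Inline, t.TemplateRef != "") != 1 {
		v = append(v, "template-reference-exclusivity")
	}
	if t.Depends != "" && len(t.Dependencies) > 0 {
		v = append(v, "depends-and-dependencies")
	}
	usesDeps := t.Depends != "" || len(t.Dependencies) > 0
	if usesDeps && t.Name != "" && t.Name[0] >= '0' && t.Name[0] <= '9' {
		v = append(v, "digit-name-with-depends")
	}
	if t.ArtifactMode != nil && (*t.ArtifactMode < 0 || *t.ArtifactMode > 511) {
		v = append(v, "artifact-mode")
	}
	return v
}

func main() {
	setuid := int32(04755) // constructed input: the setuid bit pushes the mode past 0777
	bad := Task{Name: "1build", Template: "a", TemplateRef: "b", Depends: "x", ArtifactMode: &setuid}
	fmt.Println(strings.Join(Violations(bad), ", "))
}
```

A name such as `1build` satisfies the name pattern on its own and is only rejected once `depends` or `dependencies` is set; the 0 to 511 range also excludes any mode carrying setuid, setgid or sticky bits.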

Copilot AI left a comment

Pull Request Overview

This PR adds Common Expression Language (CEL) validation rules to Kubernetes Custom Resource Definitions (CRDs) for Argo Workflows. These validations implement some of the simpler validation rules from the existing Go validation code directly in the CRD schema, enabling Kubernetes to reject invalid resources at admission time rather than requiring application-level validation.

Key changes:

  • Added CEL validation rules for template reference exclusivity, mutual exclusivity constraints, and various field validations
  • Implemented validation for naming patterns, numeric constraints, and enum values
  • Added format validation for cron schedules and metric configurations

Reviewed Changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| pkg/apis/workflow/v1alpha1/workflow_types.go | Added CEL validation annotations to core workflow type definitions |
| pkg/apis/workflow/v1alpha1/generated.proto | Added CEL validation annotations to protobuf definitions |
| pkg/apis/workflow/v1alpha1/cron_workflow_types.go | Added validation for CronWorkflow schedules and concurrency policy |
| pkg/plugins/executor/swagger.yml | Added CEL validations to plugin executor swagger spec |
| manifests/*.yaml | Generated CRD manifests with CEL validation rules applied |

Joibel force-pushed the cel-validation branch 5 times, most recently from d1e46bc to a5290bf, November 13, 2025 11:44
Signed-off-by: Alan Clucas <alan@clucas.org>
Joibel marked this pull request as ready for review November 13, 2025 14:19
Joibel requested a review from MasonM November 13, 2025 14:19
MasonM left a comment

Looks good, but I found a few edge cases that these new validation rules would disallow.

Joibel and others added 2 commits November 17, 2025 09:32
Co-authored-by: Mason Malone <651224+MasonM@users.noreply.github.com>
Signed-off-by: Alan Clucas <alan@clucas.org>
Signed-off-by: Alan Clucas <alan@clucas.org>
Joibel merged commit 34b4950 into argoproj:main Nov 18, 2025
68 of 70 checks passed
Joibel deleted the cel-validation branch December 8, 2025 13:35
guanguxiansheng pushed a commit to guanguxiansheng/argo-workflows that referenced this pull request Dec 15, 2025
Signed-off-by: Alan Clucas <alan@clucas.org>
Co-authored-by: Mason Malone <651224+MasonM@users.noreply.github.com>