Merge branch 'main' into AddPDB

Author: vicentefb

api/v1alpha1/sandbox_types.go

@@ -85,11 +85,11 @@ type PodTemplate struct {
 }
 
 type PersistentVolumeClaimTemplate struct {
-	// Metadata is the Pod's metadata. Only labels and annotations are used.
+	// Metadata is the PVC's metadata.
 	// +kubebuilder:validation:Optional
 	EmbeddedObjectMetadata `json:"metadata" protobuf:"bytes,3,opt,name=metadata"`
 
-	// Spec is the Pod's spec
+	// Spec is the PVC's spec
 	// +kubebuilder:validation:Required
 	Spec corev1.PersistentVolumeClaimSpec `json:"spec" protobuf:"bytes,3,opt,name=spec"`
 }

controllers/sandbox_controller.go

@@ -41,7 +41,8 @@ import (
 )
 
 const (
-	sandboxLabel = "agents.x-k8s.io/sandbox-name-hash"
+	sandboxLabel                = "agents.x-k8s.io/sandbox-name-hash"
+	sandboxControllerFieldOwner = "sandbox-controller"
 )
 
 var (
@@ -100,7 +101,7 @@ func (r *SandboxReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 	oldStatus := sandbox.Status.DeepCopy()
 	var err error
 
-	expired, requeueAfter := r.checkSandboxExpiry(sandbox)
+	expired, requeueAfter := checkSandboxExpiry(sandbox)
 
 	// Check if sandbox has expired
 	if expired {
@@ -272,7 +273,7 @@ func (r *SandboxReconciler) reconcileService(ctx context.Context, sandbox *sandb
 		return nil, fmt.Errorf("SetControllerReference for Service failed: %w", err)
 	}
 
-	err := r.Create(ctx, service, client.FieldOwner("sandbox-controller"))
+	err := r.Create(ctx, service, client.FieldOwner(sandboxControllerFieldOwner))
 	if err != nil {
 		log.Error(err, "Failed to create", "Service.Namespace", service.Namespace, "Service.Name", service.Name)
 		return nil, err
@@ -357,7 +358,7 @@ func (r *SandboxReconciler) reconcilePod(ctx context.Context, sandbox *sandboxv1
 	if err := ctrl.SetControllerReference(sandbox, pod, r.Scheme); err != nil {
 		return nil, fmt.Errorf("SetControllerReference for Pod failed: %w", err)
 	}
-	if err := r.Create(ctx, pod, client.FieldOwner("sandbox-controller")); err != nil {
+	if err := r.Create(ctx, pod, client.FieldOwner(sandboxControllerFieldOwner)); err != nil {
 		log.Error(err, "Failed to create", "Pod.Namespace", pod.Namespace, "Pod.Name", pod.Name)
 		return nil, err
 	}
@@ -383,7 +384,7 @@ func (r *SandboxReconciler) reconcilePVCs(ctx context.Context, sandbox *sandboxv
 				if err := ctrl.SetControllerReference(sandbox, pvc, r.Scheme); err != nil {
 					return fmt.Errorf("SetControllerReference for PVC failed: %w", err)
 				}
-				if err := r.Create(ctx, pvc, client.FieldOwner("sandbox-controller")); err != nil {
+				if err := r.Create(ctx, pvc, client.FieldOwner(sandboxControllerFieldOwner)); err != nil {
 					log.Error(err, "Failed to create PVC", "PVC.Namespace", sandbox.Namespace, "PVC.Name", pvcName)
 					return err
 				}
@@ -436,7 +437,7 @@ func (r *SandboxReconciler) handleSandboxExpiry(ctx context.Context, sandbox *sa
 // checks if the sandbox has expired
 // returns true if expired, false otherwise
 // if not expired, also returns the duration to requeue after
-func (r *SandboxReconciler) checkSandboxExpiry(sandbox *sandboxv1alpha1.Sandbox) (bool, time.Duration) {
+func checkSandboxExpiry(sandbox *sandboxv1alpha1.Sandbox) (bool, time.Duration) {
 	if sandbox.Spec.ShutdownTime == nil {
 		return false, 0
 	}

controllers/sandbox_controller_test.go

@@ -17,6 +17,7 @@ package controllers
 import (
 	"errors"
 	"testing"
+	"time"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
@@ -607,3 +608,44 @@ func TestReconcilePod(t *testing.T) {
 		})
 	}
 }
+
+func TestSandboxExpiry(t *testing.T) {
+	testCases := []struct {
+		name         string
+		shutdownTime *metav1.Time
+		wantExpired  bool
+		wantRequeue  bool
+	}{
+		{
+			name:         "nil shutdown time",
+			shutdownTime: nil,
+			wantExpired:  false,
+			wantRequeue:  false,
+		},
+		{
+			name:         "shutdown time in future",
+			shutdownTime: ptr.To(metav1.NewTime(time.Now().Add(2 * time.Hour))),
+			wantExpired:  false,
+			wantRequeue:  true,
+		},
+		{
+			name:         "shutdown time in past",
+			shutdownTime: ptr.To(metav1.NewTime(time.Now().Add(-10 * time.Second))),
+			wantExpired:  true,
+			wantRequeue:  false,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			sandbox := &sandboxv1alpha1.Sandbox{}
+			sandbox.Spec.ShutdownTime = tc.shutdownTime
+			expired, requeueAfter := checkSandboxExpiry(sandbox)
+			require.Equal(t, tc.wantExpired, expired)
+			if tc.wantRequeue {
+				require.Greater(t, requeueAfter, time.Duration(0))
+			} else {
+				require.Equal(t, time.Duration(0), requeueAfter)
+			}
+		})
+	}
+}

dev/ci/presubmits/test-e2e

@@ -38,14 +38,13 @@ def main():
     if result.returncode != 0:
         return result.returncode
     result = subprocess.run([f"{repo_root}/dev/tools/test-e2e"])
-    if result.returncode != 0:
-        return result.returncode
-    
+
+    # Always create junit file whether tests pass or fail
     artifact_dir = os.getenv("ARTIFACTS")
     if artifact_dir:
         shutil.copy(f"{repo_root}/bin/e2e-junit.xml", f"{artifact_dir}/junit.xml")
 
-    return 0
+    return result.returncode
 
 
 if __name__ == "__main__":

examples/composing-sandbox-nw-policies/rgd.yaml

@@ -12,6 +12,8 @@ spec:
     group: custom.agents.x-k8s.io
     kind: AgenticSandbox
     # Spec fields that users can provide.
+    types:
+      egressRule: object
     spec:
       image: string | default="nginx"
       service:
@@ -21,7 +23,7 @@ spec:
         ingress:
           podLabels: "map[string]string"
           namespaceLabels: "map[string]string"
-        egress: object
+        egress: "[]egressRule"
       ingress:
         enabled: boolean | default=false
     status:

examples/vscode-sandbox/entrypoint.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+
+export GEMINI_API_KEY=`cat /tokens/gemini`
+
+set -x
+
+
+# protection against running gemini on an unpause
+# if gemini-promt.txt dont run gemini else create and run it
+if [ -f gemini-prompt.txt ]; then
+  echo "gemini-prompt.txt exists, skipping gemini generation"
+else
+  echo "gemini-prompt.txt does not exist, running gemini"
+  echo "$AGENT_PROMPT" > gemini-prompt.txt
+  gemini -y  -p  "$AGENT_PROMPT" > gemini-output.txt || true
+fi
+
+#/usr/local/bin/code-server-entrypoint
+/usr/bin/code-server --auth=none --bind-addr=0.0.0.0:13337

examples/vscode-sandbox/vscode-sandbox.yaml

@@ -13,14 +13,19 @@ spec:
           image: ghcr.io/coder/envbuilder
           env:
             # URL to the repository where the .devcontainer folder we want to load is located
+            # for a branch append "#refs/heads/branch-name"
             - name: ENVBUILDER_GIT_URL
               value: "https://github.com/kubernetes-sigs/agent-sandbox.git"
             - name: ENVBUILDER_DEVCONTAINER_DIR
               value: "examples/vscode-sandbox"
             - name: ENVBUILDER_GIT_CLONE_SINGLE_BRANCH
               value: "true"
             - name: ENVBUILDER_INIT_SCRIPT
-              value: "/usr/local/bin/code-server-entrypoint"
+              value: "examples/vscode-sandbox/entrypoint.sh"
+            - name: AGENT_PROMPT
+              value: "You are an expert kubernetes developer who is helping with code reviews. Please look at the most recent commit and provide a review feedback. Dont make any code changes. Would you approve it ?"
+            - name: ENVBUILDER_IGNORE_PATHS
+              value: "/var/run,/product_uuid,/product_name,/tokens"
           volumeMounts:
             - mountPath: /workspaces
               name: workspaces-pvc

test/e2e/framework/client.go

@@ -35,6 +35,17 @@ type ClusterClient struct {
 	client client.Client
 }
 
+// Update an object that already exists on the cluster.
+func (cl *ClusterClient) Update(ctx context.Context, obj client.Object) error {
+	cl.Helper()
+	nn := types.NamespacedName{Name: obj.GetName(), Namespace: obj.GetNamespace()}
+	cl.Logf("Updating object %T (%s)", obj, nn.String())
+	if err := cl.client.Update(ctx, obj); err != nil {
+		return fmt.Errorf("update %T (%s): %w", obj, nn.String(), err)
+	}
+	return nil
+}
+
 // CreateWithCleanup creates the specified object and cleans up the object after
 // the test completes.
 func (cl *ClusterClient) CreateWithCleanup(ctx context.Context, obj client.Object) error {
@@ -51,6 +62,9 @@ func (cl *ClusterClient) CreateWithCleanup(ctx context.Context, obj client.Objec
 		if err := cl.client.Delete(context.Background(), obj); err != nil && !k8serrors.IsNotFound(err) {
 			cl.Errorf("CreateWithCleanup %T (%s): %s", obj, nn.String(), err)
 		}
+		if err := cl.WaitForObjectNotFound(context.Background(), obj); err != nil {
+			cl.Errorf("CreateWithCleanup %T (%s): %s", obj, nn.String(), err)
+		}
 	})
 	return nil
 }
@@ -72,13 +86,35 @@ func (cl *ClusterClient) ValidateObject(ctx context.Context, obj client.Object,
 	return nil
 }
 
+// ValidateObjectNotFound verifies the specified object does not exist.
+func (cl *ClusterClient) ValidateObjectNotFound(ctx context.Context, obj client.Object) error {
+	cl.Helper()
+	nn := types.NamespacedName{Name: obj.GetName(), Namespace: obj.GetNamespace()}
+	cl.Logf("ValidateObjectNotFound %T (%s)", obj, nn.String())
+	err := cl.client.Get(ctx, nn, obj)
+	if err == nil { // object still exists - error
+		return fmt.Errorf("ValidateObjectNotFound %T (%s): object still exists",
+			obj, nn.String())
+	} else if !k8serrors.IsNotFound(err) { // unexpected error
+		return fmt.Errorf("ValidateObjectNotFound %T (%s): %w",
+			obj, nn.String(), err)
+	}
+	return nil // happy path - object not found
+}
+
 // WaitForObject waits for the specified object to exist and satisfy the provided
 // predicates.
 func (cl *ClusterClient) WaitForObject(ctx context.Context, obj client.Object, p ...predicates.ObjectPredicate) error {
 	cl.Helper()
 	// Static 30 second timeout, this can be adjusted if needed
 	timeoutCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
+	start := time.Now()
+	nn := types.NamespacedName{Name: obj.GetName(), Namespace: obj.GetNamespace()}
+	defer func() {
+		cl.Helper()
+		cl.Logf("WaitForObject %T (%s) took %s", obj, nn, time.Since(start))
+	}()
 	var validationErr error
 	for {
 		select {
@@ -94,6 +130,33 @@ func (cl *ClusterClient) WaitForObject(ctx context.Context, obj client.Object, p
 	}
 }
 
+// WaitForObjectNotFound waits for the specified object to not exist.
+func (cl *ClusterClient) WaitForObjectNotFound(ctx context.Context, obj client.Object) error {
+	cl.Helper()
+	// Static 30 second timeout, this can be adjusted if needed
+	timeoutCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+	start := time.Now()
+	nn := types.NamespacedName{Name: obj.GetName(), Namespace: obj.GetNamespace()}
+	defer func() {
+		cl.Helper()
+		cl.Logf("WaitForObjectNotFound %T (%s) took %s", obj, nn, time.Since(start))
+	}()
+	var validationErr error
+	for {
+		select {
+		case <-timeoutCtx.Done():
+			return fmt.Errorf("timed out waiting for object: %w", validationErr)
+		default:
+			if validationErr = cl.ValidateObjectNotFound(timeoutCtx, obj); validationErr == nil {
+				return nil
+			}
+			// Simple sleep for fixed duration (basic MVP)
+			time.Sleep(time.Second)
+		}
+	}
+}
+
 // validateAgentSandboxInstallation verifies agent-sandbox system components are
 // installed.
 func (cl *ClusterClient) validateAgentSandboxInstallation(ctx context.Context) error {

test/e2e/framework/context.go

@@ -70,6 +70,7 @@ func NewTestContext(t *testing.T) *TestContext {
 		client: cl,
 	}
 	t.Cleanup(func() {
+		t.Helper()
 		if err := th.afterEach(); err != nil {
 			t.Error(err)
 		}
@@ -82,10 +83,14 @@ func NewTestContext(t *testing.T) *TestContext {
 
 // beforeEach runs before each test case is executed.
 func (th *TestContext) beforeEach() error {
+	th.Helper()
 	return th.validateAgentSandboxInstallation(context.Background())
 }
 
 // afterEach runs after each test case is executed.
+//
+//nolint:unparam // remove nolint once this is implemented
 func (th *TestContext) afterEach() error {
+	th.Helper()
 	return nil // currently no-op, add functionality as needed
 }

test/e2e/framework/predicates/metadata.go

@@ -68,3 +68,17 @@ func HasOwnerReferences(want []metav1.OwnerReference) ObjectPredicate {
 		return nil
 	}
 }
+
+// NotDeleted verifies the object has no deletion timestamp
+func NotDeleted() ObjectPredicate {
+	return func(obj client.Object) error {
+		if obj == nil {
+			return fmt.Errorf("object is nil")
+		}
+		deletionTimestamp := obj.GetDeletionTimestamp()
+		if deletionTimestamp != nil {
+			return fmt.Errorf("unexpected deletionTimestamp: %s", deletionTimestamp)
+		}
+		return nil
+	}
+}