fix: add CEL validation to require template field in RoleSpec

Add Kubernetes CEL (Common Expression Language) validation to ensure
that when Template is optional (pointer type), users cannot create
RoleBasedGroups without specifying a valid template.

The validation rule ensures:
1. The template field must be present (has(self.template))
2. The template must not be null (self.template != null)
3. The template must have at least one container
   (size(self.template.spec.containers) > 0)

This prevents runtime errors where Pods would be created without any
containers, which would fail to schedule.

The CEL validation runs at the Kubernetes API server level when CRDs
are applied, providing early feedback to users before the resource
reaches the controller.

Fixes the issue where Template pointer migration made the field optional
without corresponding validation, potentially allowing invalid resources.

Author: Likios

api/workloads/v1alpha1/rolebasedgroup_types.go

@@ -145,6 +145,7 @@ type RollingUpdate struct {
 }
 
 // RoleSpec defines the specification for a role in the group
+// +kubebuilder:validation:XValidation:rule="has(self.template) && self.template != null && size(self.template.spec.containers) > 0",message="template must be specified and must have at least one container"
 type RoleSpec struct {
 	// Unique identifier for the role
 	// +kubebuilder:validation:Required

config/crd/bases/workloads.x-k8s.io_rolebasedgroups.yaml

@@ -8925,6 +8925,11 @@ spec:
                   - name
                   - replicas
                   type: object
+                  x-kubernetes-validations:
+                  - message: template must be specified and must have at least one
+                      container
+                    rule: has(self.template) && self.template != null && size(self.template.spec.containers)
+                      > 0
                 minItems: 1
                 type: array
                 x-kubernetes-list-map-keys:

config/crd/bases/workloads.x-k8s.io_rolebasedgroupsets.yaml

@@ -9077,6 +9077,11 @@ spec:
                       - name
                       - replicas
                       type: object
+                      x-kubernetes-validations:
+                      - message: template must be specified and must have at least
+                          one container
+                        rule: has(self.template) && self.template != null && size(self.template.spec.containers)
+                          > 0
                     minItems: 1
                     type: array
                     x-kubernetes-list-map-keys:

deploy/helm/rbgs/crds/workloads.x-k8s.io_rolebasedgroups.yaml

@@ -8925,6 +8925,11 @@ spec:
                   - name
                   - replicas
                   type: object
+                  x-kubernetes-validations:
+                  - message: template must be specified and must have at least one
+                      container
+                    rule: has(self.template) && self.template != null && size(self.template.spec.containers)
+                      > 0
                 minItems: 1
                 type: array
                 x-kubernetes-list-map-keys:

deploy/helm/rbgs/crds/workloads.x-k8s.io_rolebasedgroupsets.yaml

@@ -9077,6 +9077,11 @@ spec:
                       - name
                       - replicas
                       type: object
+                      x-kubernetes-validations:
+                      - message: template must be specified and must have at least
+                          one container
+                        rule: has(self.template) && self.template != null && size(self.template.spec.containers)
+                          > 0
                     minItems: 1
                     type: array
                     x-kubernetes-list-map-keys: