test: kubectl-validate manifests in presubmit

Signed-off-by: Ernest Wong <[email protected]>

Author: chewong

Makefile

@@ -354,13 +354,15 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 HELM = $(PROJECT_DIR)/bin/helm
 YQ = $(PROJECT_DIR)/bin/yq
+KUBECTL_VALIDATE = $(PROJECT_DIR)/bin/kubectl-validate
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.4.3
 CONTROLLER_TOOLS_VERSION ?= v0.16.1
 ENVTEST_VERSION ?= release-0.19
 GOLANGCI_LINT_VERSION ?= v1.62.2
 HELM_VERSION ?= v3.17.1
+KUBECTL_VALIDATE_VERSION ?= v0.0.4
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -390,6 +392,11 @@ yq: ## Download yq locally if necessary.
 helm: ## Download helm locally if necessary.
 	GOBIN=$(PROJECT_DIR)/bin GO111MODULE=on go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION)
 
+.PHONY: kubectl-validate
+kubectl-validate: $(KUBECTL_VALIDATE) ## Download kubectl-validate locally if necessary.
+$(KUBECTL_VALIDATE): $(LOCALBIN)
+	$(call go-install-tool,$(KUBECTL_VALIDATE),sigs.k8s.io/kubectl-validate,$(KUBECTL_VALIDATE_VERSION))
+
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
 # $2 - package url which can be installed

hack/verify-manifests.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_ROOT=$(dirname "${BASH_SOURCE}")/..
+GATEWAY_API_VERSION="${GATEWAY_API_VERSION:-v1.3.0}"
+GKE_GATEWAY_API_VERSION="${GKE_GATEWAY_API_VERSION:-v1.4.0}"
+ISTIO_VERSION="${ISTIO_VERSION:-1.26.2}"
+TEMP_DIR=$(mktemp -d)
+
+cleanup() {
+  rm -rf "${TEMP_DIR}" || true
+}
+trap cleanup EXIT
+
+fetch_crds() {
+  local url="$1"
+  curl -sL "${url}" -o "${TEMP_DIR}/$(basename "${url}")"
+}
+
+main() {
+  cp ${SCRIPT_ROOT}/config/crd/bases/* "${TEMP_DIR}/"
+
+  # Download external CRDs for validation
+  fetch_crds "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/refs/tags/${GATEWAY_API_VERSION}/config/crd/standard/gateway.networking.k8s.io_gateways.yaml"
+  fetch_crds "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/refs/tags/${GATEWAY_API_VERSION}/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml"
+  fetch_crds "https://raw.githubusercontent.com/GoogleCloudPlatform/gke-gateway-api/refs/tags/${GKE_GATEWAY_API_VERSION}/config/crd/networking.gke.io_gcpbackendpolicies.yaml"
+  fetch_crds "https://raw.githubusercontent.com/GoogleCloudPlatform/gke-gateway-api/refs/tags/${GKE_GATEWAY_API_VERSION}/config/crd/networking.gke.io_healthcheckpolicies.yaml"
+  fetch_crds "https://raw.githubusercontent.com/istio/istio/refs/tags/${ISTIO_VERSION}/manifests/charts/base/files/crd-all.gen.yaml"
+
+  make kubectl-validate
+
+  ${SCRIPT_ROOT}/bin/kubectl-validate "${TEMP_DIR}"
+  ${SCRIPT_ROOT}/bin/kubectl-validate "${SCRIPT_ROOT}/config/manifests" --local-crds "${TEMP_DIR}"
+}
+
+main