feat: add EnvVarKeyDefaultsToName feature gate (KEP-5883)

When the EnvVarKeyDefaultsToName feature gate is enabled, the `key` field
in `configMapKeyRef` and `secretKeyRef` may be omitted. The kubelet then
defaults the lookup key to the enclosing `env[*].name` at runtime.

Changes:
- Register EnvVarKeyDefaultsToName feature gate (alpha, v1.35, default off)
- Update validateConfigMapKeySelector/validateSecretKeySelector to allow
  an empty key when the gate is on, validating that env var name is also
  a valid ConfigMap/Secret key
- Update makeEnvironmentVariables() in kubelet to default an empty key to
  env var name when the gate is on
- Add unit tests for both the validation and kubelet resolution paths

Ref: kubernetes#132195
KEP: kubernetes/enhancements#5955

Author: dap0am

pkg/apis/core/validation/validation.go

@@ -2790,11 +2790,11 @@ func validateEnvVarValueFrom(ev core.EnvVar, fldPath *field.Path, opts PodValida
 	}
 	if ev.ValueFrom.ConfigMapKeyRef != nil {
 		numSources++
-		allErrs = append(allErrs, validateConfigMapKeySelector(ev.ValueFrom.ConfigMapKeyRef, fldPath.Child("configMapKeyRef"))...)
+		allErrs = append(allErrs, validateConfigMapKeySelector(ev.ValueFrom.ConfigMapKeyRef, ev.Name, fldPath.Child("configMapKeyRef"))...)
 	}
 	if ev.ValueFrom.SecretKeyRef != nil {
 		numSources++
-		allErrs = append(allErrs, validateSecretKeySelector(ev.ValueFrom.SecretKeyRef, fldPath.Child("secretKeyRef"))...)
+		allErrs = append(allErrs, validateSecretKeySelector(ev.ValueFrom.SecretKeyRef, ev.Name, fldPath.Child("secretKeyRef"))...)
 	}
 
 	if ev.ValueFrom.FileKeyRef != nil {
@@ -2980,15 +2980,24 @@ func validateContainerResourceDivisor(rName string, divisor resource.Quantity, f
 	return allErrs
 }
 
-func validateConfigMapKeySelector(s *core.ConfigMapKeySelector, fldPath *field.Path) field.ErrorList {
+func validateConfigMapKeySelector(s *core.ConfigMapKeySelector, envVarName string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	nameFn := ValidateNameFunc(ValidateSecretName)
 	for _, msg := range nameFn(s.Name, false) {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), s.Name, msg))
 	}
 	if len(s.Key) == 0 {
-		allErrs = append(allErrs, field.Required(fldPath.Child("key"), ""))
+		if utilfeature.DefaultFeatureGate.Enabled(features.EnvVarKeyDefaultsToName) {
+			// key is omitted; it will default to envVarName at runtime.
+			// Validate that the env var name is also a valid ConfigMap key.
+			for _, msg := range validation.IsConfigMapKey(envVarName) {
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("key"), envVarName,
+					"may not be omitted: env var name is not a valid ConfigMap key: "+msg))
+			}
+		} else {
+			allErrs = append(allErrs, field.Required(fldPath.Child("key"), ""))
+		}
 	} else {
 		for _, msg := range validation.IsConfigMapKey(s.Key) {
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("key"), s.Key, msg))
@@ -2998,15 +3007,24 @@ func validateConfigMapKeySelector(s *core.ConfigMapKeySelector, fldPath *field.P
 	return allErrs
 }
 
-func validateSecretKeySelector(s *core.SecretKeySelector, fldPath *field.Path) field.ErrorList {
+func validateSecretKeySelector(s *core.SecretKeySelector, envVarName string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	nameFn := ValidateNameFunc(ValidateSecretName)
 	for _, msg := range nameFn(s.Name, false) {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), s.Name, msg))
 	}
 	if len(s.Key) == 0 {
-		allErrs = append(allErrs, field.Required(fldPath.Child("key"), ""))
+		if utilfeature.DefaultFeatureGate.Enabled(features.EnvVarKeyDefaultsToName) {
+			// key is omitted; it will default to envVarName at runtime.
+			// Validate that the env var name is also a valid ConfigMap key.
+			for _, msg := range validation.IsConfigMapKey(envVarName) {
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("key"), envVarName,
+					"may not be omitted: env var name is not a valid Secret key: "+msg))
+			}
+		} else {
+			allErrs = append(allErrs, field.Required(fldPath.Child("key"), ""))
+		}
 	} else {
 		for _, msg := range validation.IsConfigMapKey(s.Key) {
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("key"), s.Key, msg))

pkg/apis/core/validation/validation_test.go

@@ -29433,3 +29433,143 @@ func TestValidateContainerStateTransition(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateEnvVarKeyDefaultsToName(t *testing.T) {
+	testCases := []struct {
+		name           string
+		featureEnabled bool
+		envVar         core.EnvVar
+		expectError    bool
+		errorField     string
+	}{
+		{
+			name:           "configMapKeyRef: empty key accepted when gate is on",
+			featureEnabled: true,
+			envVar: core.EnvVar{
+				Name: "LOG_LEVEL",
+				ValueFrom: &core.EnvVarSource{
+					ConfigMapKeyRef: &core.ConfigMapKeySelector{
+						LocalObjectReference: core.LocalObjectReference{Name: "app-config"},
+						Key:                  "",
+					},
+				},
+			},
+			expectError: false,
+		},
+		{
+			name:           "secretKeyRef: empty key accepted when gate is on",
+			featureEnabled: true,
+			envVar: core.EnvVar{
+				Name: "DB_PASSWORD",
+				ValueFrom: &core.EnvVarSource{
+					SecretKeyRef: &core.SecretKeySelector{
+						LocalObjectReference: core.LocalObjectReference{Name: "db-secret"},
+						Key:                  "",
+					},
+				},
+			},
+			expectError: false,
+		},
+		{
+			name:           "configMapKeyRef: empty key rejected when gate is off",
+			featureEnabled: false,
+			envVar: core.EnvVar{
+				Name: "LOG_LEVEL",
+				ValueFrom: &core.EnvVarSource{
+					ConfigMapKeyRef: &core.ConfigMapKeySelector{
+						LocalObjectReference: core.LocalObjectReference{Name: "app-config"},
+						Key:                  "",
+					},
+				},
+			},
+			expectError: true,
+			errorField:  "valueFrom.configMapKeyRef.key",
+		},
+		{
+			name:           "secretKeyRef: empty key rejected when gate is off",
+			featureEnabled: false,
+			envVar: core.EnvVar{
+				Name: "DB_PASSWORD",
+				ValueFrom: &core.EnvVarSource{
+					SecretKeyRef: &core.SecretKeySelector{
+						LocalObjectReference: core.LocalObjectReference{Name: "db-secret"},
+						Key:                  "",
+					},
+				},
+			},
+			expectError: true,
+			errorField:  "valueFrom.secretKeyRef.key",
+		},
+		{
+			name:           "configMapKeyRef: env var name that is invalid as a ConfigMap key is rejected when gate is on",
+			featureEnabled: true,
+			envVar: core.EnvVar{
+				Name: "INVALID=NAME",
+				ValueFrom: &core.EnvVarSource{
+					ConfigMapKeyRef: &core.ConfigMapKeySelector{
+						LocalObjectReference: core.LocalObjectReference{Name: "app-config"},
+						Key:                  "",
+					},
+				},
+			},
+			expectError: true,
+			errorField:  "valueFrom.configMapKeyRef.key",
+		},
+		{
+			name:           "explicit key is always accepted when gate is on",
+			featureEnabled: true,
+			envVar: core.EnvVar{
+				Name: "MY_VAR",
+				ValueFrom: &core.EnvVarSource{
+					ConfigMapKeyRef: &core.ConfigMapKeySelector{
+						LocalObjectReference: core.LocalObjectReference{Name: "app-config"},
+						Key:                  "some-key",
+					},
+				},
+			},
+			expectError: false,
+		},
+		{
+			name:           "explicit key is always accepted when gate is off",
+			featureEnabled: false,
+			envVar: core.EnvVar{
+				Name: "MY_VAR",
+				ValueFrom: &core.EnvVarSource{
+					SecretKeyRef: &core.SecretKeySelector{
+						LocalObjectReference: core.LocalObjectReference{Name: "db-secret"},
+						Key:                  "explicit-key",
+					},
+				},
+			},
+			expectError: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EnvVarKeyDefaultsToName, tc.featureEnabled)
+
+			opts := PodValidationOptions{}
+			errs := validateEnvVarValueFrom(tc.envVar, field.NewPath("valueFrom"), opts)
+
+			if tc.expectError && len(errs) == 0 {
+				t.Errorf("expected validation error for field %q, got none", tc.errorField)
+			}
+			if !tc.expectError && len(errs) > 0 {
+				t.Errorf("expected no validation errors, got: %v", errs)
+			}
+			if tc.expectError && tc.errorField != "" && len(errs) > 0 {
+				found := false
+				for _, e := range errs {
+					if e.Field == tc.errorField {
+						found = true
+						break
+					}
+				}
+				if !found {
+					t.Errorf("expected error on field %q, got errors on: %v", tc.errorField, errs)
+				}
+			}
+		})
+	}
+}

pkg/features/kube_features.go

@@ -295,6 +295,13 @@ const (
 	// from the specified file in the emptyDir volume, without mounting the file.
 	EnvFiles featuregate.Feature = "EnvFiles"
 
+	// owner: @dap0am
+	// kep: http://kep.k8s.io/5883
+	//
+	// Allow the `key` field in `configMapKeyRef` and `secretKeyRef` to be
+	// omitted, defaulting to the enclosing env var's `name` at runtime.
+	EnvVarKeyDefaultsToName featuregate.Feature = "EnvVarKeyDefaultsToName"
+
 	// owner: @harche
 	// kep: http://kep.k8s.io/3386
 	//
@@ -1218,6 +1225,9 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	EnvFiles: {
 		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Alpha},
 	},
+	EnvVarKeyDefaultsToName: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
 	EventedPLEG: {
 		{Version: version.MustParse("1.26"), Default: false, PreRelease: featuregate.Alpha},
 	},
@@ -2089,6 +2099,8 @@ var defaultKubernetesFeatureGateDependencies = map[featuregate.Feature][]feature
 
 	EnvFiles: {},
 
+	EnvVarKeyDefaultsToName: {},
+
 	EventedPLEG: {},
 
 	ExecProbeTimeout: {},

pkg/kubelet/kubelet_pods.go

@@ -866,6 +866,9 @@ func (kl *Kubelet) makeEnvironmentVariables(pod *v1.Pod, container *v1.Container
 				cm := envVar.ValueFrom.ConfigMapKeyRef
 				name := cm.Name
 				key := cm.Key
+				if key == "" && utilfeature.DefaultFeatureGate.Enabled(features.EnvVarKeyDefaultsToName) {
+					key = envVar.Name
+				}
 				optional := cm.Optional != nil && *cm.Optional
 				configMap, ok := configMaps[name]
 				if !ok {
@@ -893,6 +896,9 @@ func (kl *Kubelet) makeEnvironmentVariables(pod *v1.Pod, container *v1.Container
 				s := envVar.ValueFrom.SecretKeyRef
 				name := s.Name
 				key := s.Key
+				if key == "" && utilfeature.DefaultFeatureGate.Enabled(features.EnvVarKeyDefaultsToName) {
+					key = envVar.Name
+				}
 				optional := s.Optional != nil && *s.Optional
 				secret, ok := secrets[name]
 				if !ok {