KEP-3721: Support for env files (kubernetes#132626)

* Add FileKeyRef field and struct to the Pod API

* Add the implementation code in the kubelet.

* Add validation code

* Add basic functionality e2e tests

* add codes for drop disabled pod fields

* update go.mod

Author: HirazawaUi

api/openapi-spec/swagger.json

@@ -23,6 +23,7 @@ require (
 	github.com/coreos/go-oidc v2.3.0+incompatible
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/cpuguy83/go-md2man/v2 v2.0.6
+	github.com/cyphar/filepath-securejoin v0.4.1
 	github.com/distribution/reference v0.6.0
 	github.com/docker/go-units v0.5.0
 	github.com/emicklei/go-restful/v3 v3.12.2
@@ -142,7 +143,6 @@ require (
 	github.com/containerd/typeurl/v2 v2.2.2 // indirect
 	github.com/coredns/caddy v1.1.1 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
-	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/euank/go-kmsg-parser v2.0.0+incompatible // indirect

api/openapi-spec/v3/api__v1_openapi.json

@@ -432,6 +432,7 @@ func GetValidationOptionsFromPodSpecAndMeta(podSpec, oldPodSpec *api.PodSpec, po
 	// we must allow it
 	opts.AllowRelaxedEnvironmentVariableValidation = useRelaxedEnvironmentVariableValidation(podSpec, oldPodSpec)
 	opts.AllowRelaxedDNSSearchValidation = useRelaxedDNSSearchValidation(oldPodSpec)
+	opts.AllowEnvFilesValidation = useAllowEnvFilesValidation(oldPodSpec)
 
 	opts.AllowOnlyRecursiveSELinuxChangePolicy = useOnlyRecursiveSELinuxChangePolicy(oldPodSpec)
 
@@ -526,6 +527,44 @@ func hasDotOrUnderscore(searches []string) bool {
 	return false
 }
 
+func useAllowEnvFilesValidation(oldPodSpec *api.PodSpec) bool {
+	// Return true early if feature gate is enabled
+	if utilfeature.DefaultFeatureGate.Enabled(features.EnvFiles) {
+		return true
+	}
+
+	if oldPodSpec == nil {
+		return false
+	}
+
+	for _, container := range oldPodSpec.Containers {
+		if hasEnvFileKeyRef(container.Env) {
+			return true
+		}
+	}
+	for _, container := range oldPodSpec.InitContainers {
+		if hasEnvFileKeyRef(container.Env) {
+			return true
+		}
+	}
+	for _, container := range oldPodSpec.EphemeralContainers {
+		if hasEnvFileKeyRef(container.Env) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func hasEnvFileKeyRef(envs []api.EnvVar) bool {
+	for _, env := range envs {
+		if env.ValueFrom != nil && env.ValueFrom.FileKeyRef != nil {
+			return true
+		}
+	}
+	return false
+}
+
 func gatherPodEnvVarNames(podSpec *api.PodSpec) sets.Set[string] {
 	podEnvVarNames := sets.Set[string]{}
 
@@ -725,12 +764,46 @@ func dropDisabledFields(
 		}
 	}
 
+	dropFileKeyRefInUse(podSpec, oldPodSpec)
 	dropPodLifecycleSleepAction(podSpec, oldPodSpec)
 	dropImageVolumes(podSpec, oldPodSpec)
 	dropSELinuxChangePolicy(podSpec, oldPodSpec)
 	dropContainerStopSignals(podSpec, oldPodSpec)
 }
 
+func dropFileKeyRefInUse(podSpec, oldPodSpec *api.PodSpec) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.EnvFiles) || podFileKeyRefInUse(oldPodSpec) {
+		return
+	}
+
+	VisitContainers(podSpec, AllContainers, func(c *api.Container, _ ContainerType) bool {
+		for i := range c.Env {
+			if c.Env[i].ValueFrom != nil && c.Env[i].ValueFrom.FileKeyRef != nil {
+				c.Env[i].ValueFrom.FileKeyRef = nil
+			}
+		}
+		return true
+	})
+}
+
+func podFileKeyRefInUse(podSpec *api.PodSpec) bool {
+	if podSpec == nil {
+		return false
+	}
+
+	var inUse bool
+	VisitContainers(podSpec, AllContainers, func(c *api.Container, _ ContainerType) bool {
+		for _, env := range c.Env {
+			if env.ValueFrom != nil && env.ValueFrom.FileKeyRef != nil {
+				inUse = true
+				return false
+			}
+		}
+		return true
+	})
+	return inUse
+}
+
 func dropContainerStopSignals(podSpec, oldPodSpec *api.PodSpec) {
 	if utilfeature.DefaultFeatureGate.Enabled(features.ContainerStopSignals) || containerStopSignalsInUse(oldPodSpec) {
 		return