add cel to forbid sectionName until it is supported
Signed-off-by: Alice Wasko <[email protected]>
Alice Wasko committed Oct 27, 2023
1 parent 2521dfc commit 2709a74
Showing 9 changed files with 70 additions and 13 deletions.
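--- a/api/v1alpha1/backendtrafficpolicy_types.go
+++ b/api/v1alpha1/backendtrafficpolicy_types.go
@@ -27,8 +27,6 @@ type BackendTrafficPolicy struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
 
-// +kubebuilder:validation:Required
-//
 // spec defines the desired state of BackendTrafficPolicy.
 Spec BackendTrafficPolicySpec `json:"spec"`
 
@@ -39,8 +37,8 @@ type BackendTrafficPolicy struct {
 // spec defines the desired state of BackendTrafficPolicy.
 type BackendTrafficPolicySpec struct {
 // +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
-// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway' || self.kind == 'HTTPRoute' || self.kind == 'GRPCRoute' || self.kind == 'UDPRoute' || self.kind == 'TCPRoute' || self.kind == 'TLSRoute'", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute"
-// +kubebuilder:validation:Required
+// +kubebuilder:validation:XValidation:rule="self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', 'TLSRoute']", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute"
+// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
 //
 // targetRef is the name of the resource this policy
 // is being attached to.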
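Review bot: The `!has(self.sectionName)` rule on targetRef is enforced only by the API server when an object is created or updated, so it does not replace handling the field in the controller; the same applies to the identical rules added in clienttrafficpolicy_types.go and securitypolicy_types.go. Objects stored before the CRD was updated are not re-validated, so a policy carrying sectionName could still reach the translator and be attached to the whole Gateway instead of the single listener its author intended, which matters most for SecurityPolicy. The reconcile path is not part of this commit, so confirm that it rejects such a policy or reports it in status. I would also record the constraint in the field comment, for example `// sectionName is rejected at admission until per-listener attachment is implemented.`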
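--- a/api/v1alpha1/clienttrafficpolicy_types.go
+++ b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -27,8 +27,6 @@ type ClientTrafficPolicy struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
 
-// +kubebuilder:validation:Required
-//
 // Spec defines the desired state of ClientTrafficPolicy.
 Spec ClientTrafficPolicySpec `json:"spec"`
 
@@ -40,7 +38,8 @@ type ClientTrafficPolicy struct {
 type ClientTrafficPolicySpec struct {
 // +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
 // +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'", message="this policy can only have a targetRef.kind of Gateway"
-// +kubebuilder:validation:Required
+// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
+//
 // TargetRef is the name of the Gateway resource this policy
 // is being attached to.
 // This Policy and the TargetRef MUST be in the same namespace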
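Review bot: Removing `// +kubebuilder:validation:Required` from TargetRef makes the field's required-ness depend solely on its json tag, which lies outside this hunk; the same marker is dropped in backendtrafficpolicy_types.go and securitypolicy_types.go. The XValidation rules are attached to targetRef and are presumably evaluated only when the field is present, so if the tag ever gains `omitempty` or the field an `+optional` marker, a policy with no targetRef would pass every rule. The regenerated CRD hunks that reach the end of the spec schema still list `targetRef` under `required`, but the one containing tcpKeepalive does not show that part. Consider keeping the explicit marker, or adding a cel-validation case that submits an empty spec and expects a rejection.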
4 changes: 1 addition & 3 deletions api/v1alpha1/securitypolicy_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,6 @@ type SecurityPolicy struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

// +kubebuilder:validation:Required
//
// Spec defines the desired state of SecurityPolicy.
Spec SecurityPolicySpec `json:"spec"`

Expand All @@ -39,7 +37,7 @@ type SecurityPolicy struct {
type SecurityPolicySpec struct {
// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'", message="this policy can only have a targetRef.kind of Gateway"
// +kubebuilder:validation:Required
// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
//
// TargetRef is the name of the Gateway resource this policy
// is being attached to.
Expand Down
Expand Up @@ -267,9 +267,10 @@ spec:
- message: this policy can only have a targetRef.group of gateway.networking.k8s.io
rule: self.group == 'gateway.networking.k8s.io'
- message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
rule: self.kind == 'Gateway' || self.kind == 'HTTPRoute' || self.kind
== 'GRPCRoute' || self.kind == 'UDPRoute' || self.kind == 'TCPRoute'
|| self.kind == 'TLSRoute'
rule: self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute',
'TCPRoute', 'TLSRoute']
- message: this policy does not yet support the sectionName field
rule: '!has(self.sectionName)'
required:
- targetRef
type: object
Expand Up @@ -96,6 +96,8 @@ spec:
rule: self.group == 'gateway.networking.k8s.io'
- message: this policy can only have a targetRef.kind of Gateway
rule: self.kind == 'Gateway'
- message: this policy does not yet support the sectionName field
rule: '!has(self.sectionName)'
tcpKeepalive:
description: TcpKeepalive settings associated with the downstream
client connection. If defined, sets SO_KEEPALIVE on the listener
Expand Up @@ -238,6 +238,8 @@ spec:
rule: self.group == 'gateway.networking.k8s.io'
- message: this policy can only have a targetRef.kind of Gateway
rule: self.kind == 'Gateway'
- message: this policy does not yet support the sectionName field
rule: '!has(self.sectionName)'
required:
- targetRef
type: object
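--- a/test/cel-validation/backendtrafficpolicy_test.go
+++ b/test/cel-validation/backendtrafficpolicy_test.go
@@ -133,6 +133,24 @@ func TestBackendTrafficPolicyTarget(t *testing.T) {
 "spec.targetRef: Invalid value: \"object\": this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute",
 },
 },
+{
+desc: "sectionName disabled until supported",
+mutate: func(btp *egv1a1.BackendTrafficPolicy) {
+btp.Spec = egv1a1.BackendTrafficPolicySpec{
+TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{
+PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+Group: gwapiv1a2.Group("gateway.networking.k8s.io"),
+Kind: gwapiv1a2.Kind("Gateway"),
+Name: gwapiv1a2.ObjectName("eg"),
+},
+SectionName: &sectionName,
+},
+}
+},
+wantErrors: []string{
+"spec.targetRef: Invalid value: \"object\": this policy does not yet support the sectionName field",
+},
+},
 }
 
 for _, tc := range cases {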
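--- a/test/cel-validation/clienttrafficpolicy_test.go
+++ b/test/cel-validation/clienttrafficpolicy_test.go
@@ -31,6 +31,8 @@ func TestClientTrafficPolicyTarget(t *testing.T) {
 Spec: egv1a1.ClientTrafficPolicySpec{},
 }
 
+sectionName := gwapiv1a2.SectionName("foo")
+
 cases := []struct {
 desc string
 mutate func(ctp *egv1a1.ClientTrafficPolicy)
@@ -116,6 +118,23 @@ func TestClientTrafficPolicyTarget(t *testing.T) {
 "spec.targetRef: Invalid value: \"object\": this policy can only have a targetRef.kind of Gateway",
 },
 },
+{
+desc: "sectionName disabled until supported",
+mutate: func(ctp *egv1a1.ClientTrafficPolicy) {
+ctp.Spec = egv1a1.ClientTrafficPolicySpec{
+TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{
+PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+Group: gwapiv1a2.Group("gateway.networking.k8s.io"),
+Kind: gwapiv1a2.Kind("Gateway"),
+},
+SectionName: &sectionName,
+},
+}
+},
+wantErrors: []string{
+"spec.targetRef: Invalid value: \"object\": this policy does not yet support the sectionName field",
+},
+},
 }
 
 for _, tc := range cases {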
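Review bot: The new "sectionName disabled until supported" case builds its PolicyTargetReference without `Name`, unlike the matching cases added in backendtrafficpolicy_test.go and securitypolicy_test.go. If the API server also rejects the empty name, the object fails for two reasons and the case no longer isolates the sectionName rule; how wantErrors is compared is decided in the loop body, which lies outside this hunk. Add `Name: gwapiv1a2.ObjectName("eg"),` after the `Kind` line so the three tests submit the same object.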
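--- a/test/cel-validation/securitypolicy_test.go
+++ b/test/cel-validation/securitypolicy_test.go
@@ -31,6 +31,8 @@ func TestSecurityPolicyTarget(t *testing.T) {
 Spec: egv1a1.SecurityPolicySpec{},
 }
 
+sectionName := gwapiv1a2.SectionName("foo")
+
 cases := []struct {
 desc string
 mutate func(sp *egv1a1.SecurityPolicy)
@@ -116,6 +118,24 @@ func TestSecurityPolicyTarget(t *testing.T) {
 "spec.targetRef: Invalid value: \"object\": this policy can only have a targetRef.kind of Gateway",
 },
 },
+{
+desc: "sectionName disabled until supported",
+mutate: func(sp *egv1a1.SecurityPolicy) {
+sp.Spec = egv1a1.SecurityPolicySpec{
+TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{
+PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+Group: gwapiv1a2.Group("gateway.networking.k8s.io"),
+Kind: gwapiv1a2.Kind("Gateway"),
+Name: gwapiv1a2.ObjectName("eg"),
+},
+SectionName: &sectionName,
+},
+}
+},
+wantErrors: []string{
+"spec.targetRef: Invalid value: \"object\": this policy does not yet support the sectionName field",
+},
+},
 }
 
 for _, tc := range cases {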
