From 2709a74de2e386cfc1397416b96d27cb4fa2d8a6 Mon Sep 17 00:00:00 2001
From: Alice Wasko
Date: Fri, 27 Oct 2023 16:05:54 -0700
Subject: [PATCH] add cel to forbid sectionName until it is supported

Signed-off-by: Alice Wasko
---
 api/v1alpha1/backendtrafficpolicy_types.go | 6 ++----
 api/v1alpha1/clienttrafficpolicy_types.go | 5 ++---
 api/v1alpha1/securitypolicy_types.go | 4 +---
 ....envoyproxy.io_backendtrafficpolicies.yaml | 7 ++++---
 ...y.envoyproxy.io_clienttrafficpolicies.yaml | 2 ++
 ...ateway.envoyproxy.io_securitypolicies.yaml | 2 ++
 .../backendtrafficpolicy_test.go | 18 +++++++++++++++++
 .../clienttrafficpolicy_test.go | 19 ++++++++++++++++++
 test/cel-validation/securitypolicy_test.go | 20 +++++++++++++++++++
 9 files changed, 70 insertions(+), 13 deletions(-)

diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go
index 86f7121d1261..c51624b269f3 100644
--- a/api/v1alpha1/backendtrafficpolicy_types.go
+++ b/api/v1alpha1/backendtrafficpolicy_types.go
@@ -27,8 +27,6 @@ type BackendTrafficPolicy struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// +kubebuilder:validation:Required
-	//
 	// spec defines the desired state of BackendTrafficPolicy.
 	Spec BackendTrafficPolicySpec `json:"spec"`
 
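Review bot: Dropping `// +kubebuilder:validation:Required` from `Spec` is not explained by the commit message, which only talks about the sectionName rule; since the field is tagged `json:"spec"` with no `omitempty`, controller-gen presumably still emits it as required and the removal is a no-op, which is consistent with the generated CRD hunks in this patch touching no `required:` list. The same removal appears in the clienttrafficpolicy_types.go and securitypolicy_types.go hunks. A one-line mention in the description ("Required markers dropped; fields are required via their json tags") would spare the next reader from re-deriving this from the generated YAML. The BackendTrafficPolicy struct continues outside the hunk.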
@@ -39,8 +37,8 @@ type BackendTrafficPolicy struct {
 // spec defines the desired state of BackendTrafficPolicy.
 type BackendTrafficPolicySpec struct {
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
-	// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway' || self.kind == 'HTTPRoute' || self.kind == 'GRPCRoute' || self.kind == 'UDPRoute' || self.kind == 'TCPRoute' || self.kind == 'TLSRoute'", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute"
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:rule="self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', 'TLSRoute']", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute"
+	// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
 	//
 	// targetRef is the name of the resource this policy
 	// is being attached to.
diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
index 1fe1bd716cec..5c9490d3be0d 100644
--- a/api/v1alpha1/clienttrafficpolicy_types.go
+++ b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -27,8 +27,6 @@ type ClientTrafficPolicy struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// +kubebuilder:validation:Required
-	//
 	// Spec defines the desired state of ClientTrafficPolicy.
 	Spec ClientTrafficPolicySpec `json:"spec"`
 
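Review bot: The new marker `rule="!has(self.sectionName)",message=...` has no space after the comma, while the two markers directly above it in the same struct are written `rule="...", message="..."`; write it as `// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)", message="this policy does not yet support the sectionName field"` so the three lines read alike. The identical line appears in the clienttrafficpolicy_types.go and securitypolicy_types.go hunks. The targetRef doc comment that follows (it runs past the end of the hunk) says nothing about the restriction, so readers of the generated API reference see a target type that exposes sectionName with no hint that setting it is rejected; add `// sectionName is not yet supported and is rejected by validation.` to that comment so the limitation is visible without reading the markers.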
@@ -40,7 +38,8 @@ type ClientTrafficPolicy struct {
 type ClientTrafficPolicySpec struct {
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
 	// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'", message="this policy can only have a targetRef.kind of Gateway"
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
+	//
 	// TargetRef is the name of the Gateway resource this policy
 	// is being attached to.
 	// This Policy and the TargetRef MUST be in the same namespace
diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go
index 4c84d742adee..a6a742060d78 100644
--- a/api/v1alpha1/securitypolicy_types.go
+++ b/api/v1alpha1/securitypolicy_types.go
@@ -26,8 +26,6 @@ type SecurityPolicy struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// +kubebuilder:validation:Required
-	//
 	// Spec defines the desired state of SecurityPolicy.
 	Spec SecurityPolicySpec `json:"spec"`
 
@@ -39,7 +37,7 @@ type SecurityPolicy struct {
 type SecurityPolicySpec struct {
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
 	// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'", message="this policy can only have a targetRef.kind of Gateway"
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
 	//
 	// TargetRef is the name of the Gateway resource this policy
 	// is being attached to.
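Review bot: `!has(self.sectionName)` is evaluated by the API server only on create and update, so a SecurityPolicy already stored with `sectionName` set before the new CRD is applied is not rejected until its next write, and nothing in this patch stops the controller from reconciling such an object. If the controller attaches it to the whole Gateway (the reconcile path is not visible here), the policy is applied to every listener instead of the one the author named, silently rather than with an error. Unless a reconcile-time check already exists, the controller should treat a stored `sectionName` as invalid and report it in a status condition rather than ignore it. The same consideration applies to the backendtrafficpolicy_types.go and clienttrafficpolicy_types.go rules; SecurityPolicySpec continues outside the hunk.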
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
index 1278178631f9..63193a09de61 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
@@ -267,9 +267,10 @@ spec:
                 - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
                   rule: self.group == 'gateway.networking.k8s.io'
                 - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
-                  rule: self.kind == 'Gateway' || self.kind == 'HTTPRoute' || self.kind
-                    == 'GRPCRoute' || self.kind == 'UDPRoute' || self.kind == 'TCPRoute'
-                    || self.kind == 'TLSRoute'
+                  rule: self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute',
+                    'TCPRoute', 'TLSRoute']
+                - message: this policy does not yet support the sectionName field
+                  rule: '!has(self.sectionName)'
               required:
               - targetRef
               type: object
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
index f63b69f16ba0..4870f6c4e445 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -96,6 +96,8 @@ spec:
                   rule: self.group == 'gateway.networking.k8s.io'
                 - message: this policy can only have a targetRef.kind of Gateway
                   rule: self.kind == 'Gateway'
+                - message: this policy does not yet support the sectionName field
+                  rule: '!has(self.sectionName)'
               tcpKeepalive:
                 description: TcpKeepalive settings associated with the downstream
                   client connection. If defined, sets SO_KEEPALIVE on the listener
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index b92b34d63c91..489c96ffee0f 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -238,6 +238,8 @@ spec:
                   rule: self.group == 'gateway.networking.k8s.io'
                 - message: this policy can only have a targetRef.kind of Gateway
                   rule: self.kind == 'Gateway'
+                - message: this policy does not yet support the sectionName field
+                  rule: '!has(self.sectionName)'
               required:
               - targetRef
               type: object
diff --git a/test/cel-validation/backendtrafficpolicy_test.go b/test/cel-validation/backendtrafficpolicy_test.go
index 522d89a69953..b49870c0dc7f 100644
--- a/test/cel-validation/backendtrafficpolicy_test.go
+++ b/test/cel-validation/backendtrafficpolicy_test.go
@@ -133,6 +133,24 @@ func TestBackendTrafficPolicyTarget(t *testing.T) {
 				"spec.targetRef: Invalid value: \"object\": this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute",
 			},
 		},
+		{
+			desc: "sectionName disabled until supported",
+			mutate: func(btp *egv1a1.BackendTrafficPolicy) {
+				btp.Spec = egv1a1.BackendTrafficPolicySpec{
+					TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{
+						PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+							Group: gwapiv1a2.Group("gateway.networking.k8s.io"),
+							Kind: gwapiv1a2.Kind("Gateway"),
+							Name: gwapiv1a2.ObjectName("eg"),
+						},
+						SectionName: §ionName,
+					},
+				}
+			},
+			wantErrors: []string{
+				"spec.targetRef: Invalid value: \"object\": this policy does not yet support the sectionName field",
+			},
+		},
 	}
 
 	for _, tc := range cases {
diff --git a/test/cel-validation/clienttrafficpolicy_test.go b/test/cel-validation/clienttrafficpolicy_test.go
index 14c32cfb8659..b0449b78f51a 100644
--- a/test/cel-validation/clienttrafficpolicy_test.go
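Review bot: The line `SectionName: §ionName,` as rendered here is not valid Go — `§` cannot begin an identifier — and is presumably `&sectionName` after `&sect;` was decoded as an HTML entity somewhere between the commit and this page; the committed line should read `SectionName: &sectionName,`. The same rendering appears in the clienttrafficpolicy_test.go and securitypolicy_test.go hunks. Note also that `sectionName` is referenced but not declared in this hunk, whereas the other two test files add `sectionName := gwapiv1a2.SectionName("foo")` in a separate hunk, so this file presumably already declares it earlier in TestBackendTrafficPolicyTarget (the diffstat's 18 insertions leave no room for a declaration). The test function continues outside the hunk.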
+++ b/test/cel-validation/clienttrafficpolicy_test.go
@@ -31,6 +31,8 @@ func TestClientTrafficPolicyTarget(t *testing.T) {
 		Spec: egv1a1.ClientTrafficPolicySpec{},
 	}
 
+	sectionName := gwapiv1a2.SectionName("foo")
+
 	cases := []struct {
 		desc string
 		mutate func(ctp *egv1a1.ClientTrafficPolicy)
@@ -116,6 +118,23 @@ func TestClientTrafficPolicyTarget(t *testing.T) {
 				"spec.targetRef: Invalid value: \"object\": this policy can only have a targetRef.kind of Gateway",
 			},
 		},
+		{
+			desc: "sectionName disabled until supported",
+			mutate: func(ctp *egv1a1.ClientTrafficPolicy) {
+				ctp.Spec = egv1a1.ClientTrafficPolicySpec{
+					TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{
+						PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+							Group: gwapiv1a2.Group("gateway.networking.k8s.io"),
+							Kind: gwapiv1a2.Kind("Gateway"),
+						},
+						SectionName: §ionName,
+					},
+				}
+			},
+			wantErrors: []string{
+				"spec.targetRef: Invalid value: \"object\": this policy does not yet support the sectionName field",
+			},
+		},
 	}
 
 	for _, tc := range cases {
diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go
index 89959a292dac..7b634f2f1e51 100644
--- a/test/cel-validation/securitypolicy_test.go
+++ b/test/cel-validation/securitypolicy_test.go
@@ -31,6 +31,8 @@ func TestSecurityPolicyTarget(t *testing.T) {
 		Spec: egv1a1.SecurityPolicySpec{},
 	}
 
+	sectionName := gwapiv1a2.SectionName("foo")
+
 	cases := []struct {
 		desc string
 		mutate func(sp *egv1a1.SecurityPolicy)
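Review bot: The ClientTrafficPolicy case sets only `Group` and `Kind` in the `PolicyTargetReference`, while the matching BackendTrafficPolicy and SecurityPolicy cases also set `Name: gwapiv1a2.ObjectName("eg")`; if `name` is required by the schema, this object is rejected for two reasons and the case no longer isolates the sectionName rule, and depending on how `wantErrors` is compared (the comparison loop is outside the hunk) it may fail outright on the extra error. Add `Name: gwapiv1a2.ObjectName("eg"),` after the `Kind` line so the three cases stay parallel. TestClientTrafficPolicyTarget continues outside the hunk.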
@@ -116,6 +118,24 @@ func TestSecurityPolicyTarget(t *testing.T) {
 				"spec.targetRef: Invalid value: \"object\": this policy can only have a targetRef.kind of Gateway",
 			},
 		},
+		{
+			desc: "sectionName disabled until supported",
+			mutate: func(sp *egv1a1.SecurityPolicy) {
+				sp.Spec = egv1a1.SecurityPolicySpec{
+					TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{
+						PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+							Group: gwapiv1a2.Group("gateway.networking.k8s.io"),
+							Kind: gwapiv1a2.Kind("Gateway"),
+							Name: gwapiv1a2.ObjectName("eg"),
+						},
+						SectionName: §ionName,
+					},
+				}
+			},
+			wantErrors: []string{
+				"spec.targetRef: Invalid value: \"object\": this policy does not yet support the sectionName field",
+			},
+		},
 	}
 
 	for _, tc := range cases {