Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: fix the CEL definitions to allow policies that use target selectors without explicit targetRefs #3904

Merged
merged 1 commit into from
Jul 20, 2024
Merged

fix: fix the CEL definitions to allow policies that use target selectors without explicit targetRefs #3904

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion api/v1alpha1/backendtrafficpolicy_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ type BackendTrafficPolicy struct {
Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs))", message="either targetRef or targetRefs must be used"
// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size() > 0) ", message="either targetRef or targetRefs must be used"
//
// +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.group == 'gateway.networking.k8s.io' : true ", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
// +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', 'TLSRoute'] : true", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute"
Expand Down
2 changes: 1 addition & 1 deletion api/v1alpha1/clienttrafficpolicy_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ type ClientTrafficPolicy struct {
Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs))", message="either targetRef or targetRefs must be used"
// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size() > 0) ", message="either targetRef or targetRefs must be used"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this mean a user can specify targetRefs and targetSelectors at the same time ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes.

//
// +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.group == 'gateway.networking.k8s.io' : true", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
// +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.kind == 'Gateway' : true", message="this policy can only have a targetRef.kind of Gateway"
Expand Down
2 changes: 1 addition & 1 deletion api/v1alpha1/envoyextensionypolicy_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ type EnvoyExtensionPolicy struct {
Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs))", message="either targetRef or targetRefs must be used"
// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size() > 0) ", message="either targetRef or targetRefs must be used"
//
// +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.group == 'gateway.networking.k8s.io' : true", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
// +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', 'TLSRoute'] : true", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute"
Expand Down
2 changes: 1 addition & 1 deletion api/v1alpha1/securitypolicy_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ type SecurityPolicy struct {
Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs))", message="either targetRef or targetRefs must be used"
// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size() > 0) ", message="either targetRef or targetRefs must be used"
//
// +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.group == 'gateway.networking.k8s.io' : true", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
// +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute'] : true", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute"
Expand Down
5 changes: 3 additions & 2 deletions charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1124,8 +1124,9 @@ spec:
type: object
x-kubernetes-validations:
- message: either targetRef or targetRefs must be used
rule: (has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
&& has(self.targetRefs))
rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
&& has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
> 0) '
- message: this policy can only have a targetRef.group of gateway.networking.k8s.io
rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
: true '
Expand Down
5 changes: 3 additions & 2 deletions charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -700,8 +700,9 @@ spec:
type: object
x-kubernetes-validations:
- message: either targetRef or targetRefs must be used
rule: (has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
&& has(self.targetRefs))
rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
&& has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
> 0) '
- message: this policy can only have a targetRef.group of gateway.networking.k8s.io
rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
: true'
Expand Down
5 changes: 3 additions & 2 deletions charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -521,8 +521,9 @@ spec:
type: object
x-kubernetes-validations:
- message: either targetRef or targetRefs must be used
rule: (has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
&& has(self.targetRefs))
rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
&& has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
> 0) '
- message: this policy can only have a targetRef.group of gateway.networking.k8s.io
rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
: true'
Expand Down
5 changes: 3 additions & 2 deletions charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1129,8 +1129,9 @@ spec:
type: object
x-kubernetes-validations:
- message: either targetRef or targetRefs must be used
rule: (has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
&& has(self.targetRefs))
rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
&& has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
> 0) '
- message: this policy can only have a targetRef.group of gateway.networking.k8s.io
rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
: true'
Expand Down
19 changes: 19 additions & 0 deletions test/cel-validation/backendtrafficpolicy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1134,6 +1134,25 @@ func TestBackendTrafficPolicyTarget(t *testing.T) {
" Invalid value: \"object\": either targetRef or targetRefs must be used",
},
},
{
desc: "target selectors without targetRefs or targetRef",
mutate: func(sp *egv1a1.BackendTrafficPolicy) {
sp.Spec = egv1a1.BackendTrafficPolicySpec{
PolicyTargetReferences: egv1a1.PolicyTargetReferences{
TargetSelectors: []egv1a1.TargetSelector{
{
Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")),
Kind: "HTTPRoute",
MatchLabels: map[string]string{
"eg/namespace": "reference-apps",
},
},
},
},
}
},
wantErrors: []string{},
},
}

for _, tc := range cases {
Expand Down
19 changes: 19 additions & 0 deletions test/cel-validation/clienttrafficpolicy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -445,6 +445,25 @@ func TestClientTrafficPolicyTarget(t *testing.T) {
},
wantErrors: []string{},
},
{
desc: "target selectors without targetRefs or targetRef",
mutate: func(sp *egv1a1.ClientTrafficPolicy) {
sp.Spec = egv1a1.ClientTrafficPolicySpec{
PolicyTargetReferences: egv1a1.PolicyTargetReferences{
TargetSelectors: []egv1a1.TargetSelector{
{
Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")),
Kind: "HTTPRoute",
MatchLabels: map[string]string{
"eg/namespace": "reference-apps",
},
},
},
},
}
},
wantErrors: []string{},
},
}

for _, tc := range cases {
Expand Down
19 changes: 19 additions & 0 deletions test/cel-validation/envoyextensionpolicy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -407,6 +407,25 @@ func TestEnvoyExtensionPolicyTarget(t *testing.T) {
"spec.extProc[0].processingMode.request.body: Unsupported value: \"not-a-body-mode\": supported values: \"Streamed\", \"Buffered\", \"BufferedPartial\"",
},
},
{
desc: "target selectors without targetRefs or targetRef",
mutate: func(sp *egv1a1.EnvoyExtensionPolicy) {
sp.Spec = egv1a1.EnvoyExtensionPolicySpec{
PolicyTargetReferences: egv1a1.PolicyTargetReferences{
TargetSelectors: []egv1a1.TargetSelector{
{
Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")),
Kind: "HTTPRoute",
MatchLabels: map[string]string{
"eg/namespace": "reference-apps",
},
},
},
},
}
},
wantErrors: []string{},
},
}

for _, tc := range cases {
Expand Down
19 changes: 19 additions & 0 deletions test/cel-validation/securitypolicy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -899,6 +899,25 @@ func TestSecurityPolicyTarget(t *testing.T) {
},
wantErrors: []string{},
},
{
desc: "target selectors without targetRefs or targetRef",
mutate: func(sp *egv1a1.SecurityPolicy) {
sp.Spec = egv1a1.SecurityPolicySpec{
PolicyTargetReferences: egv1a1.PolicyTargetReferences{
TargetSelectors: []egv1a1.TargetSelector{
{
Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")),
Kind: "HTTPRoute",
MatchLabels: map[string]string{
"eg/namespace": "reference-apps",
},
},
},
},
}
},
wantErrors: []string{},
},
}

for _, tc := range cases {
Expand Down
Loading