add CEL validation for BackendRef Group (#3557)
* helm: add envoy gateway addon helm chart support (#3470)

* initial dashboard addon helm chart

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* rename addon name and remove gateway-helm support

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* remove /charts from .helmignore

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* rename to gateway-addons-helm and keep one source of truth

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* restore examples values and fix comments

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* rewrite helm makefile

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

---------

Signed-off-by: shawnh2 <shawnhxh@outlook.com>
Signed-off-by: phantooom <xiaorui.zou@gmail.com>

* chore: Remove namespace restriction for EnvoyProxy parametersRef resource

Signed-off-by: phantooom <xiaorui.zou@gmail.com>

* chore: add CEL validation for BackendRef Group

Signed-off-by: phantooom <xiaorui.zou@gmail.com>

* chore: add CEL validation for BackendRef Group

Signed-off-by: phantooom <xiaorui.zou@gmail.com>

---------

Signed-off-by: shawnh2 <shawnhxh@outlook.com>
Signed-off-by: phantooom <xiaorui.zou@gmail.com>
Co-authored-by: sh2 <shawnhxh@outlook.com>
Co-authored-by: zirain <zirain2009@gmail.com>
3 people authored Jun 18, 2024
1 parent 2c602d5 commit 94f818c
Showing 7 changed files with 125 additions and 0 deletions.
5 changes: 5 additions & 0 deletions api/v1alpha1/accesslogging_types.go
Expand Up @@ -11,6 +11,8 @@ type ProxyAccessLog struct {
// Settings defines accesslog settings for managed proxies.
// If unspecified, will send default format to stdout.
// +optional
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=50
Settings []ProxyAccessLogSetting `json:"settings,omitempty"`
}

Expand All @@ -19,6 +21,7 @@ type ProxyAccessLogSetting struct {
Format ProxyAccessLogFormat `json:"format"`
// Sinks defines the sinks of accesslog.
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=50
Sinks []ProxyAccessLogSink `json:"sinks"`
}

Expand Down Expand Up @@ -120,6 +123,7 @@ type ALSEnvoyProxyAccessLog struct {
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=1
// +kubebuilder:validation:XValidation:message="BackendRefs only supports Service kind.",rule="self.all(f, f.kind == 'Service')"
// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')"
BackendRefs []BackendRef `json:"backendRefs"`
// LogName defines the friendly name of the access log to be returned in
// StreamAccessLogsMessage.Identifier. This allows the access log server
Expand Down Expand Up @@ -176,6 +180,7 @@ type OpenTelemetryEnvoyProxyAccessLog struct {
// +optional
// +kubebuilder:validation:MaxItems=1
// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')"
BackendRefs []BackendRef `json:"backendRefs,omitempty"`
// Resources is a set of labels that describe the source of a log entry, including envoy node info.
// It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
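Review bot: The new rule `self.all(f, f.group == '')` on the ALSEnvoyProxyAccessLog and OpenTelemetryEnvoyProxyAccessLog BackendRefs fields reads `f.group` unconditionally; Group on BackendObjectReference is an optional pointer, so if a backendRef ever reaches validation with the field absent (for instance if the schema default of `""` is not carried into the generated CRD), CEL reports a missing-key error rather than admitting the object. `!has(f.group) || f.group == ''` expresses the same intent without depending on defaulting. The identical rule is repeated in envoyproxy_metric_types.go, ext_auth_types.go and tracing_types.go in this commit, so the same change applies there. Separately, the `MaxItems=50` bounds added to ProxyAccessLog.Settings and ProxyAccessLogSetting.Sinks are not mentioned in the commit title and deserve a doc line on each field, e.g. `// At most 50 settings may be specified.`; both enclosing struct definitions start outside the hunk.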
1 change: 1 addition & 0 deletions api/v1alpha1/envoyproxy_metric_types.go
Expand Up @@ -75,6 +75,7 @@ type ProxyOpenTelemetrySink struct {
// +optional
// +kubebuilder:validation:MaxItems=1
// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')"
BackendRefs []BackendRef `json:"backendRefs,omitempty"`

// TODO: add support for customizing OpenTelemetry sink in https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto#envoy-v3-api-msg-extensions-stat-sinks-open-telemetry-v3-sinkconfig
2 changes: 2 additions & 0 deletions api/v1alpha1/ext_auth_types.go
Expand Up @@ -71,6 +71,7 @@ type GRPCExtAuthService struct {
// +optional
// +kubebuilder:validation:MaxItems=1
// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')"
BackendRefs []BackendRef `json:"backendRefs,omitempty"`
}

Expand All @@ -92,6 +93,7 @@ type HTTPExtAuthService struct {
// +optional
// +kubebuilder:validation:MaxItems=1
// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')"
BackendRefs []BackendRef `json:"backendRefs,omitempty"`

// Path is the path of the HTTP External Authorization service.
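Review bot: The group rules added to GRPCExtAuthService.BackendRefs and HTTPExtAuthService.BackendRefs (and to TracingProvider.BackendRefs in tracing_types.go) have no accompanying test case in this commit; the diffstat lists only test/cel-validation/envoyproxy_test.go, whose new cases cover the accesslog and metrics sinks. A SecurityPolicy case with a non-core group, mirroring the existing `only support Service kind.` cases, would pin the message text `BackendRefs only supports Core group.` for the ext-auth paths, and a tracing case would do the same for the proxy tracing provider. Both struct definitions start outside the hunk, so whether an existing test already exercises these fields cannot be confirmed from here.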
1 change: 1 addition & 0 deletions api/v1alpha1/tracing_types.go
Expand Up @@ -56,6 +56,7 @@ type TracingProvider struct {
// +optional
// +kubebuilder:validation:MaxItems=1
// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')"
BackendRefs []BackendRef `json:"backendRefs,omitempty"`
}

Expand Up @@ -10373,6 +10373,9 @@ spec:
- message: BackendRefs only supports Service
kind.
rule: self.all(f, f.kind == 'Service')
- message: BackendRefs only supports Core
group.
rule: self.all(f, f.group == '')
http:
description: HTTP defines additional configuration
specific to HTTP access logs.
Expand Down Expand Up @@ -10522,6 +10525,9 @@ spec:
x-kubernetes-validations:
- message: only support Service kind.
rule: self.all(f, f.kind == 'Service')
- message: BackendRefs only supports Core
group.
rule: self.all(f, f.group == '')
host:
description: |-
Host define the extension service hostname.
Expand Down Expand Up @@ -10568,12 +10574,15 @@ spec:
openTelemetry field needs to be set.
rule: 'self.type == ''OpenTelemetry'' ? has(self.openTelemetry)
: !has(self.openTelemetry)'
maxItems: 50
minItems: 1
type: array
required:
- format
- sinks
type: object
maxItems: 50
minItems: 1
type: array
type: object
metrics:
Expand Down Expand Up @@ -10748,6 +10757,8 @@ spec:
x-kubernetes-validations:
- message: only support Service kind.
rule: self.all(f, f.kind == 'Service')
- message: BackendRefs only supports Core group.
rule: self.all(f, f.group == '')
host:
description: |-
Host define the service hostname.
Expand Down Expand Up @@ -10944,6 +10955,8 @@ spec:
x-kubernetes-validations:
- message: only support Service kind.
rule: self.all(f, f.kind == 'Service')
- message: BackendRefs only supports Core group.
rule: self.all(f, f.group == '')
host:
description: |-
Host define the provider service hostname.
Expand Up @@ -424,6 +424,8 @@ spec:
x-kubernetes-validations:
- message: only support Service kind.
rule: self.all(f, f.kind == 'Service')
- message: BackendRefs only supports Core group.
rule: self.all(f, f.group == '')
type: object
x-kubernetes-validations:
- message: backendRef or backendRefs needs to be set
Expand Down Expand Up @@ -618,6 +620,8 @@ spec:
x-kubernetes-validations:
- message: only support Service kind.
rule: self.all(f, f.kind == 'Service')
- message: BackendRefs only supports Core group.
rule: self.all(f, f.group == '')
headersToBackend:
description: |-
HeadersToBackend are the authorization response headers that will be added
99 changes: 99 additions & 0 deletions test/cel-validation/envoyproxy_test.go
Expand Up @@ -587,6 +587,42 @@ func TestEnvoyProxyProvider(t *testing.T) {
},
wantErrors: []string{"BackendRefs only supports Service Kind."},
},
{
desc: "invalid-accesslog-ALS-backendrefs-group",
mutate: func(envoy *egv1a1.EnvoyProxy) {
envoy.Spec = egv1a1.EnvoyProxySpec{
Telemetry: &egv1a1.ProxyTelemetry{
AccessLog: &egv1a1.ProxyAccessLog{
Settings: []egv1a1.ProxyAccessLogSetting{
{
Format: egv1a1.ProxyAccessLogFormat{
Type: "Text",
Text: ptr.To("[%START_TIME%]"),
},
Sinks: []egv1a1.ProxyAccessLogSink{
{
Type: egv1a1.ProxyAccessLogSinkTypeALS,
ALS: &egv1a1.ALSEnvoyProxyAccessLog{
BackendRefs: []egv1a1.BackendRef{
{
BackendObjectReference: gwapiv1.BackendObjectReference{
Name: "fake-service",
Group: ptr.To(gwapiv1.Group("foo")),
},
},
},
Type: egv1a1.ALSEnvoyProxyAccessLogTypeHTTP,
},
},
},
},
},
},
},
}
},
wantErrors: []string{"BackendRefs only supports Core group."},
},
{
desc: "invalid-accesslog-ALS-no-backendrefs",
mutate: func(envoy *egv1a1.EnvoyProxy) {
Expand Down Expand Up @@ -749,6 +785,41 @@ func TestEnvoyProxyProvider(t *testing.T) {
},
wantErrors: []string{"only support Service Kind."},
},
{
desc: "invalid-accesslog-backendref-group",
mutate: func(envoy *egv1a1.EnvoyProxy) {
envoy.Spec = egv1a1.EnvoyProxySpec{
Telemetry: &egv1a1.ProxyTelemetry{
AccessLog: &egv1a1.ProxyAccessLog{
Settings: []egv1a1.ProxyAccessLogSetting{
{
Format: egv1a1.ProxyAccessLogFormat{
Type: "Text",
Text: ptr.To("[%START_TIME%]"),
},
Sinks: []egv1a1.ProxyAccessLogSink{
{
Type: egv1a1.ProxyAccessLogSinkTypeOpenTelemetry,
OpenTelemetry: &egv1a1.OpenTelemetryEnvoyProxyAccessLog{
BackendRefs: []egv1a1.BackendRef{
{
BackendObjectReference: gwapiv1.BackendObjectReference{
Name: "fake-service",
Group: ptr.To(gwapiv1.Group("foo")),
},
},
},
},
},
},
},
},
},
},
}
},
wantErrors: []string{"BackendRefs only supports Core group."},
},
{
desc: "accesslog-backendref",
mutate: func(envoy *egv1a1.EnvoyProxy) {
Expand Down Expand Up @@ -1058,6 +1129,34 @@ func TestEnvoyProxyProvider(t *testing.T) {
},
wantErrors: []string{"only support Service Kind."},
},
{
desc: "ProxyMetrics-sinks-invalid-backendref-group",
mutate: func(envoy *egv1a1.EnvoyProxy) {
envoy.Spec = egv1a1.EnvoyProxySpec{
Telemetry: &egv1a1.ProxyTelemetry{
Metrics: &egv1a1.ProxyMetrics{
Sinks: []egv1a1.ProxyMetricSink{
{
Type: egv1a1.MetricSinkTypeOpenTelemetry,
OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{
BackendRefs: []egv1a1.BackendRef{
{
BackendObjectReference: gwapiv1.BackendObjectReference{
Name: "fake-service",
Group: ptr.To(gwapiv1.Group("foo")),
Port: ptr.To(gwapiv1.PortNumber(8080)),
},
},
},
},
},
},
},
},
}
},
wantErrors: []string{"BackendRefs only supports Core group."},
},
{
desc: "invalid-tracing-backendref-invalid-kind",
mutate: func(envoy *egv1a1.EnvoyProxy) {
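Review bot: All three new cases set `Group: ptr.To(gwapiv1.Group("foo"))` and assert the rejection, but none exercises a backendRef with Group left nil, which is the input most likely to misbehave under a rule that evaluates `f.group` unconditionally; a sibling case that omits Group and expects no error would pin that the field may still be omitted. The three table entries also repeat roughly twenty-five lines of nested struct literals that differ only in the sink type, so a small helper returning `[]egv1a1.BackendRef` for a given group would make what each case is testing readable at a glance. TestEnvoyProxyProvider starts and ends outside these hunks, so the table's form for a passing case is not visible here.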
