address comments

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · May 23, 2024 · 9a366b8 · 9a366b8
1 parent 471a4d3
commit 9a366b8
Show file tree

Hide file tree

Showing 8 changed files with 25 additions and 10 deletions.
diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
@@ -50,7 +50,7 @@ type Principal struct {
 	// or the proxy protocol.
 	// You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
 	// the `ClientTrafficPolicy` to configure how the client IP is detected.
-	ClientCIDRs []string `json:"clientCIDRs,omitempty"`
+	ClientCIDRs []CIDR `json:"clientCIDRs,omitempty"`
 }
 
 // AuthorizationAction defines the action to be taken if a rule matches.

diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go
@@ -446,3 +446,8 @@ type BackendRef struct {
 	// Only service Kind is supported for now.
 	gwapiv1.BackendObjectReference `json:",inline"`
 }
+
+// CIDR defines a CIDR Address range.
+// A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+// +kubebuilder:validation:Pattern=`((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))`
+type CIDR string
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -99,6 +99,10 @@ spec:
                                 You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
                                 the `ClientTrafficPolicy` to configure how the client IP is detected.
                               items:
+                                description: |-
+                                  CIDR defines a CIDR Address range.
+                                  A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+                                pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))
                                 type: string
                               type: array
                           type: object

diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -879,7 +879,7 @@ func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Auth
 		principal := ir.Principal{}
 
 		for _, cidr := range rule.Principal.ClientCIDRs {
-			cidrMatch, err := parseCIDR(cidr)
+			cidrMatch, err := parseCIDR(string(cidr))
 			if err != nil {
 				return nil, fmt.Errorf("unable to translate authorization rule: %w", err)
 			}

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml
@@ -77,7 +77,6 @@ securityPolicies:
   metadata:
     namespace: envoy-gateway
     name: policy-for-gateway  # This policy should attach httproute-2
-    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -96,7 +95,6 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-for-http-route-1   # This policy should attach httproute-1
-    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -122,7 +120,6 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-for-http-route-3   # This policy should attach httproute-3
-    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     targetRef:
       group: gateway.networking.k8s.io

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml
@@ -177,7 +177,6 @@ securityPolicies:
     creationTimestamp: null
     name: policy-for-http-route-1
     namespace: default
-    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     authorization:
       defaultAction: Allow
@@ -219,7 +218,6 @@ securityPolicies:
     creationTimestamp: null
     name: policy-for-http-route-3
     namespace: default
-    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     authorization:
       defaultAction: null
@@ -248,7 +246,6 @@ securityPolicies:
     creationTimestamp: null
     name: policy-for-gateway
     namespace: envoy-gateway
-    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     authorization:
       defaultAction: Deny

diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -455,6 +455,18 @@ _Appears in:_
 | `Replace` | Replace replaces the default bootstrap with the provided one.<br /> | 
 
 
+#### CIDR
+
+_Underlying type:_ _string_
+
+CIDR defines a CIDR Address range.
+A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+
+_Appears in:_
+- [Principal](#principal)
+
+
+
 #### CORS
 
 
@@ -2444,7 +2456,7 @@ _Appears in:_
 
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
-| `clientCIDRs` | _string array_ |  true  | ClientCIDRs are the IP CIDR ranges of the client.<br />Valid examples are "192.168.1.0/24" or "2001:db8::/64"<br /><br />The client IP is inferred from the x-forwarder-for header, a custom header,<br />or the proxy protocol.<br />You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in<br />the `ClientTrafficPolicy` to configure how the client IP is detected. |
+| `clientCIDRs` | _[CIDR](#cidr) array_ |  true  | ClientCIDRs are the IP CIDR ranges of the client.<br />Valid examples are "192.168.1.0/24" or "2001:db8::/64"<br /><br />The client IP is inferred from the x-forwarder-for header, a custom header,<br />or the proxy protocol.<br />You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in<br />the `ClientTrafficPolicy` to configure how the client IP is detected. |
 
 
 #### ProcessingModeOptions