Skip to content

fix: default TPP paranoiaLevels so CRD applies#258

Merged
ecv merged 2 commits into
mainfrom
fix/257-paranoia-default
Jul 13, 2026
Merged

fix: default TPP paranoiaLevels so CRD applies#258
ecv merged 2 commits into
mainfrom
fix/257-paranoia-default

Conversation

@ecv

@ecv ecv commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Fixes #257.

Problem

The trafficprotectionpolicies CRD is rejected at apply time, so kubectl apply of the CRD fails and every branch's e2e "Prepare e2e" step goes red regardless of its own changes (e.g. #255):

The CustomResourceDefinition "trafficprotectionpolicies.networking.datumapis.com" is invalid:
spec...properties[ruleSets].items.properties[owaspCoreRuleSet].properties[paranoiaLevels].default:
Invalid value: "object": no such key: detection
evaluating rule: detection paranoia level must be greater than or equal to blocking paranoia level

Root cause

Regression from #251 (fix for #250). It added a struct CEL rule on ParanoiaLevels (self.detection >= self.blocking) but the field kept +kubebuilder:default={}. The apiserver validates a schema node's structural default against that node's x-kubernetes-validations; the default {} has no detection/blocking keys (per-field defaults are not injected before the parent default is CEL-checked), so self.detection is no such key and CRD registration fails.

Fix

Set the field default to {blocking:1,detection:1} so it satisfies 1 >= 1. Per-field defaults are unchanged and #251's rule still rejects inverted user-supplied values. CRD manifest regenerated via make manifests.

Regression guard

Adds an envtest suite (test/crd/) that installs the generated CRDs against a real apiserver and creates a defaulted TPP. The whole suite uses the fake client, which never sees schema/defaults/CEL — that is exactly why #251 slipped through. envtest reproduces the apiserver's default-vs-CEL validation, so an invalid default fails at CRD install. Verified: reverting the default to {} fails the suite with the exact error above.

The ParanoiaLevels struct gained an XValidation rule
(self.detection >= self.blocking) in #251, but the field kept an empty
default. The apiserver validates a schema node's structural default against
its own CEL rules, and the default {} has no detection/blocking keys — so
CRD registration fails with "no such key: detection" and kubectl apply of
the CRD is rejected, breaking every branch's e2e "Prepare e2e" step.

Set the field default to {blocking:1,detection:1} so it satisfies the rule
(1 >= 1). Per-field defaults are unchanged and #251's rule still rejects
inverted user-supplied values. CRD manifest regenerated.

Closes #257
@ecv ecv marked this pull request as draft July 12, 2026 22:23
Add an envtest suite that installs the generated CRDs against a real
apiserver and creates a defaulted TrafficProtectionPolicy. The apiserver
validates a schema node's structural default against that node's own CEL
rules at CRD registration, so an invalid default is rejected during envtest
start — the fake client the rest of the suite uses never sees schema,
defaults, or CEL, which is why the #257 regression went undetected.

The suite skips when KUBEBUILDER_ASSETS is unset (plain go test) and runs
under `make test`, which provisions the assets.

Key checks:
- TPP CRD installs and a policy created with only its required targetRef
  defaults paranoiaLevels to a pair satisfying detection>=blocking.
- An inverted user-supplied pair is still rejected, so the default fix did
  not loosen the #251 rule it depends on.

Part of #257.
@ecv ecv marked this pull request as ready for review July 12, 2026 23:04
@ecv ecv enabled auto-merge July 13, 2026 01:59
@ecv ecv merged commit 017f788 into main Jul 13, 2026
10 of 11 checks passed
@ecv ecv deleted the fix/257-paranoia-default branch July 13, 2026 01:59

@aflor024 aflor024 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

TrafficProtectionPolicy CRD rejected: paranoiaLevels default {} violates detection>=blocking CEL rule

3 participants