Add initial set of CEL validations for HTTPRoute #2253

Merged 1 commit into kubernetes-sigs:main on Aug 4, 2023

Conversation

gauravkghildiyal
Member

@gauravkghildiyal gauravkghildiyal commented Jul 31, 2023

What type of PR is this?

/kind feature

What this PR does / why we need it:

Add initial set of CEL validations for HTTPRoute.

This includes most (but not all) of the HTTPRoute validations offered by the webhook.

What remains?

Only 2 kinds of validations remain.

The validations which have not been ported along with the reason and details are available in https://github.com/gauravkghildiyal/gateway-api/blob/pending-httproute-validations/apis/v1beta1/validation/httproute.go. All validations which were successfully ported have been removed from this file.

1. "Namespace" is a reserved word in CEL.

Since namespace is a reserved word, a validation that involves a field named namespace seems to be getting rejected. We need to figure out if there is a way around this.

2. Estimated cost limit exceeds threshold

CEL attempts to estimate the runtime cost of a validation. Validations that require O(n^2) algorithms on larger cardinality fields end up crossing the allowed threshold. One such place is within []gatewayv1b1.HTTPHeaderMatch where we want to ensure unique (case-insensitive) header names.
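To make the two rules discussed here concrete, the following is an added example (not Gateway API project code): cut-down stand-ins for `BackendObjectReference` and `HTTPHeaderMatch` carrying the CEL rule from this PR's diff and a case-insensitive header-uniqueness rule of the O(n^2) shape described above, each paired with the equivalent Go check a webhook would run. The `MaxItems=16` bound, the `BackendRef`/`HeaderMatches` type names and the `lowerAscii()`-based rule are assumptions for this example; the cost estimator sizes the `all`/`exists_one` nesting by the list's `maxItems`, so an unbounded list is what pushes the estimate over the threshold.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Gateway API project code. The types below are cut-down
// stand-ins for gatewayv1b1.BackendObjectReference and HTTPHeaderMatch; the
// kubebuilder markers show how the CEL rules would be attached, and the Go
// functions mirror each rule so the two can be compared side by side.

// BackendRef mirrors the shape the "Must have port for Service reference"
// rule operates on. Pointers stand in for optional fields: a nil pointer is
// what CEL sees as !has(self.field).
//
// +kubebuilder:validation:XValidation:message="Must have port for Service reference",rule="((!has(self.group) || size(self.group) == 0) && (!has(self.kind) || self.kind == 'Service')) ? has(self.port) : true"
type BackendRef struct {
	Group *string `json:"group,omitempty"`
	Kind  *string `json:"kind,omitempty"`
	Name  string  `json:"name"`
	Port  *int32  `json:"port,omitempty"`
}

// ValidateBackendRefPort is the Go equivalent of the CEL rule above: a port
// is required only for a core-group Service reference.
func ValidateBackendRefPort(ref BackendRef) error {
	coreGroup := ref.Group == nil || *ref.Group == ""
	serviceKind := ref.Kind == nil || *ref.Kind == "Service"
	if coreGroup && serviceKind && ref.Port == nil {
		return fmt.Errorf("must have port for Service reference")
	}
	return nil
}

// HeaderMatch mirrors gatewayv1b1.HTTPHeaderMatch for the uniqueness check.
type HeaderMatch struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// HeaderMatches is the list whose uniqueness rule exceeds the CEL cost
// budget: exists_one inside all() is O(n^2) in the list length, and the
// estimator takes n from MaxItems. The bound of 16 is assumed for this
// example; without a bound the estimate is unbounded and the rule is rejected.
//
// +kubebuilder:validation:MaxItems=16
// +kubebuilder:validation:XValidation:message="header names must be unique (case-insensitive)",rule="self.all(h, self.exists_one(o, o.name.lowerAscii() == h.name.lowerAscii()))"
type HeaderMatches []HeaderMatch

// ValidateUniqueHeaderNames is the Go equivalent. Unlike the CEL rule it is
// O(n), because Go can keep a set of seen names while a CEL expression cannot.
func ValidateUniqueHeaderNames(headers HeaderMatches) error {
	seen := make(map[string]int, len(headers))
	for i, h := range headers {
		key := strings.ToLower(h.Name)
		if prev, dup := seen[key]; dup {
			return fmt.Errorf("headers[%d].name %q duplicates headers[%d].name (case-insensitive)", i, h.Name, prev)
		}
		seen[key] = i
	}
	return nil
}

func main() {
	port := int32(80)
	kind := "Service"
	// Constructed inputs: a Service reference without a port, then with one.
	fmt.Println(ValidateBackendRefPort(BackendRef{Name: "app", Kind: &kind}))
	fmt.Println(ValidateBackendRefPort(BackendRef{Name: "app", Kind: &kind, Port: &port}))
	// Constructed input: two header matches that differ only by case.
	fmt.Println(ValidateUniqueHeaderNames(HeaderMatches{{Name: "X-Id", Value: "a"}, {Name: "x-id", Value: "b"}}))
}
```

The Go checks are what the pre-CEL webhook would do; the CEL forms are what the API server evaluates at admission with no webhook in the path. The gap the PR description points at is visible in the second rule: CEL has no set type, so uniqueness can only be expressed quadratically, and the only lever on the estimate is the list bound.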

Which issue(s) this PR fixes:

Fixes #

Does this PR introduce a user-facing change?:

Introduce validations through CEL for HTTPRoute.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Jul 31, 2023
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 31, 2023
@gauravkghildiyal gauravkghildiyal force-pushed the cel-validation branch 2 times, most recently from 27f092f to a8ea615 Compare July 31, 2023 15:38
@linux-foundation-easycla

linux-foundation-easycla bot commented Jul 31, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: gauravkghildiyal / name: Gaurav Kumar Ghildiyal (a20f261)

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 31, 2023
@gauravkghildiyal
Member Author

/check-cla

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jul 31, 2023
@robscott robscott added this to the v0.8.0 milestone Aug 1, 2023
@gauravkghildiyal
Member Author

Added another validation which was blocked on figuring out some regexp parsing behaviour. Now only two categories of validations remain:

  1. Seems like CEL might consider the namespace field to be a reserved word. This seems to be blocking validations that involve any field named namespace.
  2. The second category of validations remaining are still the "cost exceeded" kind.

(Will update the description with latest details)

@gauravkghildiyal
Member Author

@jpbetz offered some really GREAT insights into the problems we're facing.

Member

@robscott robscott left a comment


Thanks @gauravkghildiyal, this is really great! A few small nits, but overall both the validation and corresponding tests look remarkably thorough.

@@ -91,6 +91,8 @@ type SecretObjectReference struct {
// References to objects with invalid Group and Kind are not valid, and must
// be rejected by the implementation, with appropriate Conditions set
// on the containing object.
//
// +kubebuilder:validation:XValidation:message="Must have port for Service reference",rule="((!has(self.group) || size(self.group) == 0) && (!has(self.kind) || self.kind == 'Service')) ? has(self.port) : true"
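Review bot: the two `!has(...)` branches in this rule are only needed if CEL can observe `group` and `kind` before defaulting; if both fields carry defaults that are applied first, the rule reduces to `(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true`, which reads more directly and is cheaper for the cost estimator. Whichever form is kept, please pair it with test cases for both boundaries: an empty group with explicit `kind: Service` and no port (must be rejected), and a non-core group with no port (must be accepted), so the intended scope of the "Must have port for Service reference" message is pinned down.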
Member


Nit: In my experimenting I thought that defaults applied before CEL validation so it may be possible to simplify this. With that said, I could also be remembering wrong here. In any case this is not a blocker.

Member Author


Yes you are absolutely right! Sorry didn't notice the defaults. Appreciate the closer look :)

},
},
{
name: "invalid because multipler filters are repeated",
Member


Suggested change
name: "invalid because multipler filters are repeated",
name: "invalid because multiple filters are repeated",

Member Author


Thanks! Changed.

},
},
{
name: "valie ReplacePrefixMatch",
Member


Suggested change
name: "valie ReplacePrefixMatch",
name: "valid ReplacePrefixMatch",

Member Author


Thanks! Changed

Comment on lines 3335 to 3336
- message: filter.RequestHeaderModifier must be nil
if the HTTPRouteFilter.Type is not RequestHeaderModifier
Member


I don't think we've been very consistent with this, but we should try to match the upstream pattern here where field names/paths match what a user would see when using YAML. For example, look at the core validation here: https://github.com/kubernetes/kubernetes/blob/2c6c4566eff972d6c1320b5f8ad795f88c822d09/pkg/apis/core/validation/validation.go#L1041-L1045.

This comment applies throughout the PR, but will not repeat it everywhere to reduce noise.

Suggested change
- message: filter.RequestHeaderModifier must be nil
if the HTTPRouteFilter.Type is not RequestHeaderModifier
- message: filter.requestHeaderModifier must be nil
if the HTTPRouteFilter.Type is not RequestHeaderModifier

Member Author


Sure can do! I've changed all such occurrences. The places which are still kept capitalized have the intent of referring to the enum (like RequestRedirect) instead of the field (requestRedirect). If in some place, the intent is not clear enough, I can try and reframe the statement.

Member Author

@gauravkghildiyal gauravkghildiyal left a comment


Appreciate the thorough reviews!

Member

@robscott robscott left a comment


Thanks @gauravkghildiyal!

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 4, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gauravkghildiyal, robscott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 4, 2023
@k8s-ci-robot k8s-ci-robot merged commit f638d3f into kubernetes-sigs:main Aug 4, 2023
8 of 9 checks passed