breaking change: allow multiple deny rules

six-group · Apr 15, 2024 · 0548072 · 0548072
1 parent 0243937
commit 0548072
Show file tree

Hide file tree

Showing 11 changed files with 174 additions and 107 deletions.
diff --git a/.gitignore b/.gitignore
@@ -23,7 +23,7 @@ testbin/*
 go.work
 
 # Kubernetes Generated files - skip generated files, except for vendored files
-./config
+config
 !vendor/**/zz_generated.*
 
 # Editor and IDE paraphernalia

diff --git a/Makefile b/Makefile
@@ -0,0 +1,39 @@
+test: generate manifests golint helm-test unit-test
+
+manifests: controller-gen
+	$(CONTROLLER_GEN) crd rbac:roleName=manager-role webhook paths="./.../..." output:crd:artifacts:config=config/crd/bases
+	cp config/crd/bases/config.haproxy.com*.yaml helm/haproxy-operator/crds/
+
+generate: controller-gen
+	$(CONTROLLER_GEN) object:headerFile="hack\\boilerplate.go.txt" paths="./.../..."
+
+golint: colanci-lint-bin
+	$(GOLANGCI_LINT) run
+
+unit-test: ginkgo-bin
+	$(GINKGO) --no-color -r --randomize-all --randomize-suites --nodes=4 --compilers=4 --vet off
+
+helm-test:
+	helm lint helm/haproxy-operator
+	helm template chart helm/haproxy-operator > /dev/null
+
+CONTROLLER_GEN = bin/controller-gen
+controller-gen: ## Download controller-gen locally if necessary.
+	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.12.0)
+
+GOLANGCI_LINT = ./bin/golangci-lint
+colanci-lint-bin:
+	$(call go-get-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@v1.52.2)
+
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-get-tool
+@[ -f $(1) ] || { \
+set -e ;\
+echo "Downloading $(2)" ;\
+GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
+}
+endef
+
+GINKGO = ./bin/ginkgo
+ginkgo-bin:
+	$(call go-get-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@v2.15.0)
diff --git a/apis/config/v1alpha1/backend_types_test.go b/apis/config/v1alpha1/backend_types_test.go
@@ -123,14 +123,16 @@ var _ = Describe("Backend", Label("type"), func() {
 				Spec: configv1alpha1.BackendSpec{
 					BaseSpec: configv1alpha1.BaseSpec{
 						HTTPRequest: &configv1alpha1.HTTPRequestRules{
-							Deny: &configv1alpha1.Deny{
-								Rule: configv1alpha1.Rule{
-									ConditionType: "if",
-									Condition:     "{ var(my-ip) -m ip 127.0.0.0/8 10.0.0.0/8 }",
+							Deny: []configv1alpha1.Deny{
+								{
+									Rule: configv1alpha1.Rule{
+										ConditionType: "if",
+										Condition:     "{ var(my-ip) -m ip 127.0.0.0/8 10.0.0.0/8 }",
+									},
+									Enabled:    true,
+									DenyStatus: &notFound,
 								},
-								Enabled: true,
 							},
-							DenyStatus: &notFound,
 						},
 					},
 				},

diff --git a/apis/config/v1alpha1/common_types.go b/apis/config/v1alpha1/common_types.go
@@ -738,12 +738,7 @@ type HTTPRequestRules struct {
 	// Deny stops the evaluation of the rules and immediately rejects the request and emits an HTTP 403 error.
 	// Optionally the status code specified as an argument to deny_status.
 	// +optional
-	Deny *Deny `json:"deny,omitempty"`
-	// DenyStatus is the HTTP status code.
-	// +kubebuilder:validation:Minimum=200
-	// +kubebuilder:validation:Maximum=599
-	// +optional
-	DenyStatus *int64 `json:"denyStatus,omitempty"`
+	Deny []Deny `json:"deny,omitempty"`
 	// Return stops the evaluation of the rules and immediately returns a response.
 	Return *HTTPReturn `json:"return,omitempty"`
 }
@@ -794,14 +789,16 @@ func (h *HTTPRequestRules) Model() (models.HTTPRequestRules, error) {
 		})
 	}
 
-	if h.Deny != nil && h.Deny.Enabled {
-		model = append(model, &models.HTTPRequestRule{
-			DenyStatus: h.DenyStatus,
-			Index:      ptr.To(int64(0)),
-			Type:       "deny",
-			Cond:       h.Deny.ConditionType,
-			CondTest:   h.Deny.Condition,
-		})
+	for idx, deny := range h.Deny {
+		if deny.Enabled {
+			model = append(model, &models.HTTPRequestRule{
+				DenyStatus: deny.DenyStatus,
+				Index:      ptr.To(int64(idx)),
+				Type:       "deny",
+				Cond:       deny.ConditionType,
+				CondTest:   deny.Condition,
+			})
+		}
 	}
 
 	for idx, redirect := range h.Redirect {
@@ -973,6 +970,11 @@ type Deny struct {
 	Rule `json:",inline"`
 	// Enabled enables deny http request
 	Enabled bool `json:"enabled"`
+	// DenyStatus is the HTTP status code.
+	// +kubebuilder:validation:Minimum=200
+	// +kubebuilder:validation:Maximum=599
+	// +optional
+	DenyStatus *int64 `json:"denyStatus,omitempty"`
 }
 
 type Redirect struct {

diff --git a/apis/config/v1alpha1/zz_generated.deepcopy.go b/apis/config/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/proxy/v1alpha1/zz_generated.deepcopy.go b/apis/proxy/v1alpha1/zz_generated.deepcopy.go
diff --git a/controllers/instance/instance_controller_test.go b/controllers/instance/instance_controller_test.go
@@ -512,7 +512,6 @@ var _ = Describe("Reconcile", Label("controller"), func() {
 			Ω(result).ShouldNot(BeNil())
 
 			Ω(cli.Get(ctx, client.ObjectKeyFromObject(proxy), proxy)).ShouldNot(HaveOccurred())
-			fmt.Println(proxy.Status)
 			Ω(proxy.Status.Phase).Should(Equal(proxyv1alpha1.InstancePhaseRunning))
 			Ω(proxy.Status.Error).Should(BeEmpty())
 

diff --git a/helm/haproxy-operator/crds/config.haproxy.com_backends.yaml b/helm/haproxy-operator/crds/config.haproxy.com_backends.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.12.0
   name: backends.config.haproxy.com
 spec:
   group: config.haproxy.com
@@ -519,29 +518,31 @@ spec:
                     description: Deny stops the evaluation of the rules and immediately
                       rejects the request and emits an HTTP 403 error. Optionally
                       the status code specified as an argument to deny_status.
-                    properties:
-                      condition:
-                        description: Condition is a condition composed of ACLs.
-                        type: string
-                      conditionType:
-                        description: ConditionType specifies the type of the condition
-                          matching ('if' or 'unless')
-                        enum:
-                        - if
-                        - unless
-                        type: string
-                      enabled:
-                        description: Enabled enables deny http request
-                        type: boolean
-                    required:
-                    - enabled
-                    type: object
-                  denyStatus:
-                    description: DenyStatus is the HTTP status code.
-                    format: int64
-                    maximum: 599
-                    minimum: 200
-                    type: integer
+                    items:
+                      properties:
+                        condition:
+                          description: Condition is a condition composed of ACLs.
+                          type: string
+                        conditionType:
+                          description: ConditionType specifies the type of the condition
+                            matching ('if' or 'unless')
+                          enum:
+                          - if
+                          - unless
+                          type: string
+                        denyStatus:
+                          description: DenyStatus is the HTTP status code.
+                          format: int64
+                          maximum: 599
+                          minimum: 200
+                          type: integer
+                        enabled:
+                          description: Enabled enables deny http request
+                          type: boolean
+                      required:
+                      - enabled
+                      type: object
+                    type: array
                   redirect:
                     description: Redirect performs an HTTP redirection based on a
                       redirect rule.

diff --git a/helm/haproxy-operator/crds/config.haproxy.com_frontends.yaml b/helm/haproxy-operator/crds/config.haproxy.com_frontends.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.12.0
   name: frontends.config.haproxy.com
 spec:
   group: config.haproxy.com
@@ -770,29 +769,31 @@ spec:
                     description: Deny stops the evaluation of the rules and immediately
                       rejects the request and emits an HTTP 403 error. Optionally
                       the status code specified as an argument to deny_status.
-                    properties:
-                      condition:
-                        description: Condition is a condition composed of ACLs.
-                        type: string
-                      conditionType:
-                        description: ConditionType specifies the type of the condition
-                          matching ('if' or 'unless')
-                        enum:
-                        - if
-                        - unless
-                        type: string
-                      enabled:
-                        description: Enabled enables deny http request
-                        type: boolean
-                    required:
-                    - enabled
-                    type: object
-                  denyStatus:
-                    description: DenyStatus is the HTTP status code.
-                    format: int64
-                    maximum: 599
-                    minimum: 200
-                    type: integer
+                    items:
+                      properties:
+                        condition:
+                          description: Condition is a condition composed of ACLs.
+                          type: string
+                        conditionType:
+                          description: ConditionType specifies the type of the condition
+                            matching ('if' or 'unless')
+                          enum:
+                          - if
+                          - unless
+                          type: string
+                        denyStatus:
+                          description: DenyStatus is the HTTP status code.
+                          format: int64
+                          maximum: 599
+                          minimum: 200
+                          type: integer
+                        enabled:
+                          description: Enabled enables deny http request
+                          type: boolean
+                      required:
+                      - enabled
+                      type: object
+                    type: array
                   redirect:
                     description: Redirect performs an HTTP redirection based on a
                       redirect rule.

diff --git a/helm/haproxy-operator/crds/config.haproxy.com_listens.yaml b/helm/haproxy-operator/crds/config.haproxy.com_listens.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.12.0
   name: listens.config.haproxy.com
 spec:
   group: config.haproxy.com
@@ -877,29 +876,31 @@ spec:
                     description: Deny stops the evaluation of the rules and immediately
                       rejects the request and emits an HTTP 403 error. Optionally
                       the status code specified as an argument to deny_status.
-                    properties:
-                      condition:
-                        description: Condition is a condition composed of ACLs.
-                        type: string
-                      conditionType:
-                        description: ConditionType specifies the type of the condition
-                          matching ('if' or 'unless')
-                        enum:
-                        - if
-                        - unless
-                        type: string
-                      enabled:
-                        description: Enabled enables deny http request
-                        type: boolean
-                    required:
-                    - enabled
-                    type: object
-                  denyStatus:
-                    description: DenyStatus is the HTTP status code.
-                    format: int64
-                    maximum: 599
-                    minimum: 200
-                    type: integer
+                    items:
+                      properties:
+                        condition:
+                          description: Condition is a condition composed of ACLs.
+                          type: string
+                        conditionType:
+                          description: ConditionType specifies the type of the condition
+                            matching ('if' or 'unless')
+                          enum:
+                          - if
+                          - unless
+                          type: string
+                        denyStatus:
+                          description: DenyStatus is the HTTP status code.
+                          format: int64
+                          maximum: 599
+                          minimum: 200
+                          type: integer
+                        enabled:
+                          description: Enabled enables deny http request
+                          type: boolean
+                      required:
+                      - enabled
+                      type: object
+                    type: array
                   redirect:
                     description: Redirect performs an HTTP redirection based on a
                       redirect rule.