From 49eb8798acd612645d75e926cc1a0532c6feaec7 Mon Sep 17 00:00:00 2001
From: Takumi Sue
Date: Sun, 23 Jul 2023 22:18:41 +0900
Subject: [PATCH 1/6] Send admission requests for Gateway API HTTPRoute to the policy-controller
Fixes #11116
Signed-off-by: Takumi Sue
---
charts/linkerd-control-plane/templates/destination-rbac.yaml | 5 +++++
cli/cmd/testdata/install_controlplane_tracing_output.golden | 5 +++++
cli/cmd/testdata/install_custom_domain.golden | 5 +++++
cli/cmd/testdata/install_custom_registry.golden | 5 +++++
cli/cmd/testdata/install_default.golden | 5 +++++
.../testdata/install_default_override_dst_get_nets.golden | 5 +++++
cli/cmd/testdata/install_default_token.golden | 5 +++++
cli/cmd/testdata/install_ha_output.golden | 5 +++++
cli/cmd/testdata/install_ha_with_overrides_output.golden | 5 +++++
cli/cmd/testdata/install_heartbeat_disabled_output.golden | 5 +++++
cli/cmd/testdata/install_helm_control_plane_output.golden | 5 +++++
cli/cmd/testdata/install_helm_control_plane_output_ha.golden | 5 +++++
cli/cmd/testdata/install_helm_output_ha_labels.golden | 5 +++++
.../install_helm_output_ha_namespace_selector.golden | 5 +++++
cli/cmd/testdata/install_no_init_container.golden | 5 +++++
cli/cmd/testdata/install_output.golden | 5 +++++
cli/cmd/testdata/install_proxy_ignores.golden | 5 +++++
cli/cmd/testdata/install_values_file.golden | 5 +++++
18 files changed, 90 insertions(+)
diff --git a/charts/linkerd-control-plane/templates/destination-rbac.yaml b/charts/linkerd-control-plane/templates/destination-rbac.yaml
index 7da11806e10b6..1182b109ccbd6 100644
--- a/charts/linkerd-control-plane/templates/destination-rbac.yaml
+++ b/charts/linkerd-control-plane/templates/destination-rbac.yaml
@@ -179,6 +179,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index c39773a66ff71..fc0535c8c6dfe 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index a544335ca603b..c770a81fb9c50 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index 4699524b09bad..37508f8f47066 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden 
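Review bot: The rule added to `destination-rbac.yaml` matches every `httproutes` object in `gateway.networking.k8s.io` cluster-wide, not only routes whose parent references point at Linkerd resources, so the policy-controller becomes a dependency for HTTPRoute writes owned by any other Gateway controller. The webhook's `failurePolicy`, `namespaceSelector` and `timeoutSeconds` lie outside this hunk; they decide whether an unavailable policy-controller blocks those writes or lets unvalidated routes through. That choice deserves a comment above the rule, for example `# All Gateway API HTTPRoutes are sent for validation, including routes not bound to Linkerd parents`. The golden-file hunks in this patch repeat the same rendered rule.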
@@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index a544335ca603b..c770a81fb9c50 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index b9a95a5f12c11..9700591f6fd42 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index 4611edecac7c0..eb2ecdc3041bf 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 
diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 2563a6e62073f..272a842555528 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 9d6ba2e7d6b7b..37b220024c208 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index ee62f5600b2ab..2b793a427defa 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index f09332165001f..0558920a80b0c 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden 
+++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -166,6 +166,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index c7654d175b46a..6b9b16f1cc3c6 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden @@ -166,6 +166,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 39810b9ce1e44..262d09c81f80f 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden @@ -166,6 +166,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index a79cc5aa4be36..04135fc33c902 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden 
@@ -166,6 +166,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 2c717f16878ed..61e3908ad6414 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index b16dfc354616b..df7aedc03a6ec 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -172,6 +172,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index cd7c73c17999f..d28b1f1c89865 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 
diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden index 4dcb9b7e3817f..86baefe436d05 100644 --- a/cli/cmd/testdata/install_values_file.golden +++ b/cli/cmd/testdata/install_values_file.golden @@ -175,6 +175,11 @@ webhooks: - meshtlsauthentications - serverauthorizations - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["v1alpha2", "v1beta1"] + resources: + - httproutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 From 8c45c773c78ab9fe3b195d1943d8a25ed46c2303 Mon Sep 17 00:00:00 2001 From: Takumi Sue Date: Wed, 26 Jul 2023 22:58:21 +0900 Subject: [PATCH 2/6] Validate k8s_gateway_api::HttpRouteSpec Signed-off-by: Takumi Sue --- policy-controller/src/admission.rs | 103 +++++++++++++++++++++-------- 1 file changed, 76 insertions(+), 27 deletions(-) diff --git a/policy-controller/src/admission.rs b/policy-controller/src/admission.rs index 838c2b7045124..09515126bdb4f 100644 --- a/policy-controller/src/admission.rs +++ b/policy-controller/src/admission.rs @@ -123,6 +123,10 @@ impl Admission { return self.admit_spec::(req).await; } + if is_kind::(&req) { + return self.admit_spec::(req).await; + } + AdmissionResponse::invalid(format_args!( "unsupported resource type: {}.{}.{}", req.kind.group, req.kind.version, req.kind.kind 
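Review bot: Linkerd's own HTTPRoute resource and the Gateway API one share the kind `HTTPRoute` and differ only by API group, so the precision and order of these `is_kind` checks in `admission.rs` matters for the new branch. The type arguments and the body of `is_kind` are not visible on this page; if it compared the kind without the group, an earlier branch would claim Gateway API requests and parse them with the wrong spec type. A one-line comment above the added branch, such as `// gateway.networking.k8s.io HTTPRoute, distinct from the policy.linkerd.io HTTPRoute`, would make the distinction explicit. The enclosing function starts and ends outside the hunk.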
@@ -422,36 +426,35 @@ impl Validate for Admission { } } -#[async_trait::async_trait] -impl Validate for Admission { - async fn validate(self, _ns: &str, _name: &str, spec: HttpRouteSpec) -> Result<()> { - use index::http_route; - - fn validate_match( - httproute::HttpRouteMatch { - path, - headers, - query_params, - method, - }: httproute::HttpRouteMatch, - ) -> Result<()> { - let _ = path.map(http_route::path_match).transpose()?; - let _ = method - .as_deref() - .map(core::http_route::Method::try_from) - .transpose()?; - - for q in query_params.into_iter().flatten() { - http_route::query_param_match(q)?; - } +use index::http_route; +fn validate_match( + httproute::HttpRouteMatch { + path, + headers, + query_params, + method, + }: httproute::HttpRouteMatch, +) -> Result<()> { + let _ = path.map(http_route::path_match).transpose()?; + let _ = method + .as_deref() + .map(core::http_route::Method::try_from) + .transpose()?; + + for q in query_params.into_iter().flatten() { + http_route::query_param_match(q)?; + } - for h in headers.into_iter().flatten() { - http_route::header_match(h)?; - } + for h in headers.into_iter().flatten() { + http_route::header_match(h)?; + } - Ok(()) - } + Ok(()) +} +#[async_trait::async_trait] +impl Validate for Admission { + async fn validate(self, _ns: &str, _name: &str, spec: HttpRouteSpec) -> Result<()> { fn validate_filter(filter: httproute::HttpRouteFilter) -> Result<()> { match filter { httproute::HttpRouteFilter::RequestHeaderModifier { 
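Review bot: `use index::http_route;` now sits at module scope in the middle of the file, between impl blocks, where it was previously scoped inside `validate`. Move it into the import block at the top of the file (outside this hunk), or drop it and write `index::http_route::path_match` and friends inside `validate_match`. `validate_match` is now a free function shared by both HTTPRoute validators and has no doc comment; add one such as `/// Checks the path, method, query-parameter and header matchers of a single route match; shared by the Linkerd and Gateway API validators.` The second impl's `validate` body continues past the end of the hunk.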
@@ -516,3 +519,49 @@ impl Validate for Admission { Ok(()) } } + +#[async_trait::async_trait] +impl Validate for Admission { + async fn validate( + self, + _ns: &str, + _name: &str, + spec: k8s_gateway_api::HttpRouteSpec, + ) -> Result<()> { + fn validate_filter(filter: k8s_gateway_api::HttpRouteFilter) -> Result<()> { + match filter { + k8s_gateway_api::HttpRouteFilter::RequestHeaderModifier { + request_header_modifier, + } => http_route::header_modifier(request_header_modifier).map(|_| ()), + k8s_gateway_api::HttpRouteFilter::ResponseHeaderModifier { + response_header_modifier, + } => http_route::header_modifier(response_header_modifier).map(|_| ()), + k8s_gateway_api::HttpRouteFilter::RequestRedirect { request_redirect } => { + http_route::req_redirect(request_redirect).map(|_| ()) + } + k8s_gateway_api::HttpRouteFilter::RequestMirror { .. } => Ok(()), + k8s_gateway_api::HttpRouteFilter::URLRewrite { .. } => Ok(()), + k8s_gateway_api::HttpRouteFilter::ExtensionRef { .. } => Ok(()), + } + } + + // Validate the rules in this spec. + // This is essentially equivalent to the indexer's conversion function + // from `HttpRouteSpec` to `InboundRouteBinding`, except that we don't + // actually allocate stuff in order to return an `InboundRouteBinding`. + for k8s_gateway_api::HttpRouteRule { + filters, matches, .. + } in spec.rules.into_iter().flatten() + { + for m in matches.into_iter().flatten() { + validate_match(m)?; + } + + for f in filters.into_iter().flatten() { + validate_filter(f)?; + } + } + + Ok(()) + } +} From ac4a7db1eb67fd7e9433307c069523fc432a5546 Mon Sep 17 00:00:00 2001 From: Takumi Sue Date: Sat, 29 Jul 2023 17:27:59 +0900 Subject: [PATCH 3/6] Add tests Signed-off-by: Takumi Sue --- policy-test/tests/admit_http_route_gateway.rs | 169 ++++++++++++++++++ 1 file changed, 169 insertions(+) create mode 100644 policy-test/tests/admit_http_route_gateway.rs 
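Review bot: The `RequestMirror`, `URLRewrite` and `ExtensionRef` arms of the new `validate_filter` return `Ok(())` without inspecting the filter, and the `..` in the `HttpRouteRule` pattern skips `backend_refs`, so a successful admission says nothing about whether those parts of a route are valid or honoured. The tests added later call these filters "not implemented"; if the indexer ignores or drops such routes (not visible here), a user gets an accepted object whose filter is silently not in effect. State the intent at those arms, for example `// Not implemented by Linkerd; admitted unchecked so routes for other Gateway controllers are not blocked`. The first three arms also appear to repeat the `validate_filter` of the Linkerd `HttpRouteSpec` impl and could become a shared function, as was done for `validate_match`.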
diff --git a/policy-test/tests/admit_http_route_gateway.rs b/policy-test/tests/admit_http_route_gateway.rs new file mode 100644 index 0000000000000..49fd503617e5c --- /dev/null +++ b/policy-test/tests/admit_http_route_gateway.rs 
@@ -0,0 +1,169 @@ +use k8s_gateway_api::BackendObjectReference; +use k8s_gateway_api::CommonRouteSpec; +use k8s_gateway_api::HttpPathMatch; +use k8s_gateway_api::HttpPathModifier; +use k8s_gateway_api::HttpRequestMirrorFilter; +use k8s_gateway_api::HttpRoute; +use k8s_gateway_api::HttpRouteFilter; +use k8s_gateway_api::HttpRouteMatch; +use k8s_gateway_api::HttpRouteRule; +use k8s_gateway_api::HttpRouteSpec; +use k8s_gateway_api::HttpUrlRewriteFilter; +use k8s_gateway_api::LocalObjectReference; +use k8s_gateway_api::ParentReference; +use linkerd_policy_controller_k8s_api::{self as api}; +use linkerd_policy_test::admission; + +#[tokio::test(flavor = "current_thread")] +async fn accepts_valid() { + admission::accepts(|ns| HttpRoute { + metadata: meta(&ns), + spec: HttpRouteSpec { + inner: CommonRouteSpec { + parent_refs: Some(vec![server_parent_ref(ns)]), + }, + hostnames: None, + rules: Some(rules()), + }, + status: None, + }) + .await; +} + +#[tokio::test(flavor = "current_thread")] +async fn accepts_not_implemented_requestmirror() { + admission::accepts(|ns| HttpRoute { + metadata: meta(&ns), + spec: HttpRouteSpec { + inner: CommonRouteSpec { + parent_refs: Some(vec![server_parent_ref(ns)]), + }, + hostnames: None, + rules: Some(vec![HttpRouteRule { + matches: Some(vec![HttpRouteMatch { + path: Some(HttpPathMatch::Exact { + value: "/foo".to_string(), + }), + ..HttpRouteMatch::default() + }]), + filters: Some(vec![HttpRouteFilter::RequestMirror { + request_mirror: HttpRequestMirrorFilter { + backend_ref: BackendObjectReference { + group: None, + kind: None, + namespace: Some("foo".to_string()), + name: "foo".to_string(), + port: Some(80), + }, + }, + }]), + backend_refs: None, + }]), + }, + status: None, + }) + .await; +} + +#[tokio::test(flavor = "current_thread")] +async fn accepts_not_implemented_urlrewrite() { + admission::accepts(|ns| HttpRoute { + metadata: api::ObjectMeta { + namespace: Some(ns.clone()), + name: Some("test".to_string()), + 
..Default::default() + }, + spec: HttpRouteSpec { + inner: CommonRouteSpec { + parent_refs: Some(vec![server_parent_ref(ns)]), + }, + hostnames: None, + rules: Some(vec![HttpRouteRule { + matches: Some(vec![HttpRouteMatch { + path: Some(HttpPathMatch::Exact { + value: "/foo".to_string(), + }), + ..HttpRouteMatch::default() + }]), + filters: Some(vec![HttpRouteFilter::URLRewrite { + url_rewrite: HttpUrlRewriteFilter { + hostname: Some("foo".to_string()), + path: Some(HttpPathModifier::ReplaceFullPath { + replace_full_path: "baz".to_string(), + }), + }, + }]), + backend_refs: None, + }]), + }, + status: None, + }) + .await; +} + +#[tokio::test(flavor = "current_thread")] +async fn accepts_not_implemented_extensionref() { + admission::accepts(|ns| HttpRoute { + metadata: api::ObjectMeta { + namespace: Some(ns.clone()), + name: Some("test".to_string()), + ..Default::default() + }, + spec: HttpRouteSpec { + inner: CommonRouteSpec { + parent_refs: Some(vec![server_parent_ref(ns)]), + }, + hostnames: None, + rules: Some(vec![HttpRouteRule { + matches: Some(vec![HttpRouteMatch { + path: Some(HttpPathMatch::Exact { + value: "/foo".to_string(), + }), + ..HttpRouteMatch::default() + }]), + filters: Some(vec![HttpRouteFilter::ExtensionRef { + extension_ref: LocalObjectReference { + group: "".to_string(), + kind: "Service".to_string(), + name: "foo".to_string(), + }, + }]), + backend_refs: None, + }]), + }, + status: None, + }) + .await; +} + +fn server_parent_ref(ns: impl ToString) -> ParentReference { + ParentReference { + group: Some("policy.linkerd.io".to_string()), + kind: Some("Server".to_string()), + namespace: Some(ns.to_string()), + name: "my-server".to_string(), + section_name: None, + port: None, + } +} + +fn meta(ns: impl ToString) -> api::ObjectMeta { + api::ObjectMeta { + namespace: Some(ns.to_string()), + name: Some("test".to_string()), + ..Default::default() + } +} + +fn rules() -> Vec { + vec![HttpRouteRule { + matches: Some(vec![HttpRouteMatch { + path: 
Some(HttpPathMatch::Exact { + value: "/foo".to_string(), + }), + ..HttpRouteMatch::default() + }]), + filters: None, + backend_refs: None, + }] +} From 7636ae1f3a2eb012af503a76b8b9706deaa9327b Mon Sep 17 00:00:00 2001 From: Takumi Sue Date: Sat, 29 Jul 2023 18:39:58 +0900 Subject: [PATCH 4/6] Add tests Signed-off-by: Takumi Sue --- policy-test/tests/admit_http_route_gateway.rs | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/policy-test/tests/admit_http_route_gateway.rs b/policy-test/tests/admit_http_route_gateway.rs index 49fd503617e5c..dd49854dbc324 100644 --- a/policy-test/tests/admit_http_route_gateway.rs +++ b/policy-test/tests/admit_http_route_gateway.rs @@ -3,6 +3,7 @@ use k8s_gateway_api::CommonRouteSpec; use k8s_gateway_api::HttpPathMatch; use k8s_gateway_api::HttpPathModifier; use k8s_gateway_api::HttpRequestMirrorFilter; +use k8s_gateway_api::HttpRequestRedirectFilter; use k8s_gateway_api::HttpRoute; use k8s_gateway_api::HttpRouteFilter; use k8s_gateway_api::HttpRouteMatch; 
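Review bot: `accepts_not_implemented_urlrewrite` and `accepts_not_implemented_extensionref` build `api::ObjectMeta` inline while the other tests call the `meta` helper defined at the bottom of the file; use `metadata: meta(&ns),` in both. The single-item `use k8s_gateway_api::…;` lines can be one grouped import, and `use linkerd_policy_controller_k8s_api::{self as api};` reads more simply as `use linkerd_policy_controller_k8s_api as api;`. The three `accepts_not_implemented_*` tests pin that unimplemented filters pass admission, so a short comment saying why that is the desired behaviour would help the next reader.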
@@ -136,6 +137,66 @@ async fn accepts_not_implemented_extensionref() { .await; } +#[tokio::test(flavor = "current_thread")] +async fn rejects_relative_path_match() { + admission::rejects(|ns| HttpRoute { + metadata: meta(&ns), + spec: HttpRouteSpec { + inner: CommonRouteSpec { + parent_refs: Some(vec![server_parent_ref(ns)]), + }, + hostnames: None, + rules: Some(vec![HttpRouteRule { + matches: Some(vec![HttpRouteMatch { + path: Some(HttpPathMatch::Exact { + value: "foo/bar".to_string(), + }), + ..HttpRouteMatch::default() + }]), + filters: None, + backend_refs: None, + }]), + }, + status: None, + }) + .await; +} + +#[tokio::test(flavor = "current_thread")] +async fn rejects_relative_redirect_path() { + admission::rejects(|ns| HttpRoute { + metadata: meta(&ns), + spec: HttpRouteSpec { + inner: CommonRouteSpec { + parent_refs: Some(vec![server_parent_ref(ns)]), + }, + hostnames: None, + rules: Some(vec![HttpRouteRule { + matches: Some(vec![HttpRouteMatch { + path: Some(HttpPathMatch::Exact { + value: "/foo".to_string(), + }), + ..HttpRouteMatch::default() + }]), + filters: Some(vec![HttpRouteFilter::RequestRedirect { + request_redirect: HttpRequestRedirectFilter { + scheme: None, + hostname: None, + path: Some(HttpPathModifier::ReplaceFullPath { + replace_full_path: "foo/bar".to_string(), + }), + port: None, + status_code: None, + }, + }]), + backend_refs: None, + }]), + }, + status: None, + }) + .await; +} + fn server_parent_ref(ns: impl ToString) -> ParentReference { ParentReference { group: Some("policy.linkerd.io".to_string()), From a4cd64a54a1bc38cd357f4a524cf68ddd4b34437 Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Mon, 25 Sep 2023 17:07:52 -0500 Subject: [PATCH 5/6] Use wildcard in apiVersions --- charts/linkerd-control-plane/templates/destination-rbac.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
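Review bot: Both rejection tests added here exercise only path validation, while `validate_match` and `validate_filter` also check methods, query parameters, header matches and header modifiers. `admission::rejects` is not visible on this page; if it only asserts that the create call fails, a rejection for an unrelated reason (for example a CRD schema error from the API server) would also pass these tests. Consider adding a case with an invalid header name or HTTP method, and asserting on the denial message if the helper allows it.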
diff --git a/charts/linkerd-control-plane/templates/destination-rbac.yaml b/charts/linkerd-control-plane/templates/destination-rbac.yaml index 1182b109ccbd6..88135a1c3b52d 100644 --- a/charts/linkerd-control-plane/templates/destination-rbac.yaml +++ b/charts/linkerd-control-plane/templates/destination-rbac.yaml @@ -181,7 +181,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None From 8d47992e2ff7f58e932b8e741d966f9caeb10606 Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Mon, 25 Sep 2023 17:17:14 -0500 Subject: [PATCH 6/6] Update golden files --- cli/cmd/testdata/install_controlplane_tracing_output.golden | 2 +- cli/cmd/testdata/install_custom_domain.golden | 2 +- cli/cmd/testdata/install_custom_registry.golden | 2 +- cli/cmd/testdata/install_default.golden | 2 +- cli/cmd/testdata/install_default_override_dst_get_nets.golden | 2 +- cli/cmd/testdata/install_default_token.golden | 2 +- cli/cmd/testdata/install_ha_output.golden | 2 +- cli/cmd/testdata/install_ha_with_overrides_output.golden | 2 +- cli/cmd/testdata/install_heartbeat_disabled_output.golden | 2 +- cli/cmd/testdata/install_helm_control_plane_output.golden | 2 +- cli/cmd/testdata/install_helm_control_plane_output_ha.golden | 2 +- cli/cmd/testdata/install_helm_output_ha_labels.golden | 2 +- .../testdata/install_helm_output_ha_namespace_selector.golden | 2 +- cli/cmd/testdata/install_no_init_container.golden | 2 +- cli/cmd/testdata/install_output.golden | 2 +- cli/cmd/testdata/install_proxy_ignores.golden | 2 +- cli/cmd/testdata/install_values_file.golden | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index fc0535c8c6dfe..1d5a59757b776 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden 
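Review bot: `apiVersions: ["*"]` sends every served version of HTTPRoute to the webhook, including versions added after this chart was written, while the validator deserializes into a single `k8s_gateway_api::HttpRouteSpec` type. How an unexpected version is treated depends on `is_kind` and `admit_spec`, which are not visible here; the fallback shown in patch 2 answers with `unsupported resource type` as an invalid response, which would deny the write. Listing the versions the controller is tested against, as patch 1 did with `apiVersions: ["v1alpha2", "v1beta1"]`, keeps that outcome explicit. If the wildcard stays, the commit message and a comment above the line should say why, since the patch gives no rationale.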
+++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index c770a81fb9c50..923cd57320fe9 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index 37508f8f47066..d528c7b97031c 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index c770a81fb9c50..923cd57320fe9 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 9700591f6fd42..2cbdf97459ac6 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden 
@@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index eb2ecdc3041bf..5cc88e4e779d7 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 272a842555528..7533616cf35f5 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 37b220024c208..c5d1a6e2670a5 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index 2b793a427defa..7b4294a9f59e7 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden 
@@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index 0558920a80b0c..96a23a0c0b948 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -168,7 +168,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index 6b9b16f1cc3c6..7aa9d3934aadc 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden @@ -168,7 +168,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 262d09c81f80f..24cc048aed763 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden @@ -168,7 +168,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index 04135fc33c902..b31c23b6debb3 100644 
--- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden @@ -168,7 +168,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 61e3908ad6414..c9028670b899f 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index df7aedc03a6ec..23b36fd9667f7 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -174,7 +174,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index d28b1f1c89865..99a49fa7715dc 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden index 86baefe436d05..29457737c61c4 100644 --- a/cli/cmd/testdata/install_values_file.golden 
+++ b/cli/cmd/testdata/install_values_file.golden @@ -177,7 +177,7 @@ webhooks: - servers - operations: ["CREATE", "UPDATE"] apiGroups: ["gateway.networking.k8s.io"] - apiVersions: ["v1alpha2", "v1beta1"] + apiVersions: ["*"] resources: - httproutes sideEffects: None