Merge pull request #2276 from robscott/cel-httproute

Adding channel-based CEL validation

Author: k8s-ci-robot

Makefile

@@ -82,7 +82,7 @@ vet:
 
 # Run go test against code
 test:
-	go test -race -cover ./pkg/... ./apis/... ./conformance/utils/...
+	go test -race -cover ./pkg/admission/... ./apis/... ./conformance/utils/...
 
 # Run conformance tests against controller implementation
 .PHONY: conformance

apis/v1beta1/shared_types.go

@@ -201,6 +201,8 @@ type CommonRouteSpec struct {
 	//
 	// +optional
 	// +kubebuilder:validation:MaxItems=32
+	// <gateway:standard:validation:XValidation:message="sectionName must be unique when parentRefs includes 2 or more references to the same parent",rule="self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && ((!has(p1.__namespace__) && !has(p2.__namespace__)) || (!has(p1.__namespace__) && p2.__namespace__ == '') || (p1.__namespace__ == '' && !has(p2.__namespace__)) || (p1.__namespace__ == p2.__namespace__)) && p1.name == p2.name && ((!has(p1.sectionName) && !has(p2.sectionName)) || (!has(p1.sectionName) && p2.sectionName == '') || (p1.sectionName == '' && !has(p2.sectionName)) || (p1.sectionName == p2.sectionName))))">
+	// <gateway:experimental:validation:XValidation:message="sectionName or port must be unique when parentRefs includes 2 or more references to the same parent",rule="self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && ((!has(p1.__namespace__) && !has(p2.__namespace__)) || (!has(p1.__namespace__) && p2.__namespace__ == '') || (p1.__namespace__ == '' && !has(p2.__namespace__)) || (p1.__namespace__ == p2.__namespace__)) && p1.name == p2.name && ((!has(p1.sectionName) && !has(p2.sectionName)) || (!has(p1.sectionName) && p2.sectionName == '') || (p1.sectionName == '' && !has(p2.sectionName)) || (p1.sectionName == p2.sectionName)) && ((!has(p1.port) && !has(p2.port)) || (!has(p1.port) && p2.port == 0) || (p1.port == 0 && !has(p2.port)) || (p1.port == p2.port))))">
 	ParentRefs []ParentReference `json:"parentRefs,omitempty"`
 }
 

config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml

@@ -61,7 +61,7 @@ for CHANNEL in experimental standard; do
   kubectl apply -f "config/crd/${CHANNEL}/gateway*.yaml"
 
   # Run tests.
-  go test -timeout=120s -count=1 sigs.k8s.io/gateway-api/hack/cel-validation
+  go test -timeout=120s -count=1 --tags ${CHANNEL} sigs.k8s.io/gateway-api/pkg/test/cel
 
   # Delete CRDs to reset environment.
   kubectl delete -f "config/crd/${CHANNEL}/gateway*.yaml"

config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml

@@ -175,18 +175,44 @@ func gatewayTweaks(channel string, props map[string]apiext.JSONSchemaProps) map[
 			jsonProps.Type = "string"
 		}
 
-		if channel == "experimental" && strings.Contains(jsonProps.Description, "<gateway:experimental:validation:") {
-			validationRe := regexp.MustCompile(`<gateway:experimental:validation:Enum=([A-Za-z;]*)>`)
-			match := validationRe.FindStringSubmatch(jsonProps.Description)
-			if len(match) != 2 {
-				log.Fatalf("Invalid gateway:experimental:validation tag for %s", name)
+		validationPrefix := fmt.Sprintf("<gateway:%s:validation:", channel)
+		numExpressions := strings.Count(jsonProps.Description, validationPrefix)
+		numValid := 0
+		if numExpressions > 0 {
+			enumRe := regexp.MustCompile(validationPrefix + "Enum=([A-Za-z;]*)>")
+			enumMatches := enumRe.FindAllStringSubmatch(jsonProps.Description, 64)
+			for _, enumMatch := range enumMatches {
+				if len(enumMatch) != 2 {
+					log.Fatalf("Invalid %s Enum tag for %s", validationPrefix, name)
+				}
+
+				numValid++
+				jsonProps.Enum = []apiext.JSON{}
+				for _, val := range strings.Split(enumMatch[1], ";") {
+					jsonProps.Enum = append(jsonProps.Enum, apiext.JSON{Raw: []byte("\"" + val + "\"")})
+				}
 			}
-			jsonProps.Enum = []apiext.JSON{}
-			for _, val := range strings.Split(match[1], ";") {
-				jsonProps.Enum = append(jsonProps.Enum, apiext.JSON{Raw: []byte("\"" + val + "\"")})
+
+			celRe := regexp.MustCompile(validationPrefix + "XValidation:message=\"([^\"]*)\",rule=\"([^\"]*)\">")
+			celMatches := celRe.FindAllStringSubmatch(jsonProps.Description, 64)
+			for _, celMatch := range celMatches {
+				if len(celMatch) != 3 {
+					log.Fatalf("Invalid %s CEL tag for %s", validationPrefix, name)
+				}
+
+				numValid++
+				jsonProps.XValidations = append(jsonProps.XValidations, apiext.ValidationRule{
+					Message: celMatch[1],
+					Rule:    celMatch[2],
+				})
 			}
 		}
 
+		if numValid < numExpressions {
+			fmt.Printf("Description: %s\n", jsonProps.Description)
+			log.Fatalf("Found %d Gateway validation expressions, but only %d were valid", numExpressions, numValid)
+		}
+
 		gatewayRe := regexp.MustCompile(`<gateway:.*>`)
 		jsonProps.Description = gatewayRe.ReplaceAllLiteralString(jsonProps.Description, "")