Add resource reference validation function (#8454)

Author: pdabelf5

internal/configs/virtualserver.go

@@ -17,6 +17,7 @@ import (
 	"github.com/nginx/kubernetes-ingress/internal/k8s/secrets"
 	nl "github.com/nginx/kubernetes-ingress/internal/logger"
 	"github.com/nginx/kubernetes-ingress/internal/nginx"
+	"github.com/nginx/kubernetes-ingress/internal/nsutils"
 	conf_v1 "github.com/nginx/kubernetes-ingress/pkg/apis/configuration/v1"
 	api_v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -147,7 +148,7 @@ func GenerateEndpointsKey(
 
 // ParseServiceReference returns the namespace and name from a service reference.
 func ParseServiceReference(serviceRef, defaultNamespace string) (namespace, serviceName string) {
-	if strings.Contains(serviceRef, "/") {
+	if nsutils.HasNamespace(serviceRef) {
 		parts := strings.Split(serviceRef, "/")
 		if len(parts) == 2 {
 			return parts[0], parts[1]
@@ -552,7 +553,7 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
 		// ignore routes that reference VirtualServerRoute
 		if r.Route != "" {
 			name := r.Route
-			if !strings.Contains(name, "/") {
+			if !nsutils.HasNamespace(name) {
 				name = fmt.Sprintf("%v/%v", vsEx.VirtualServer.Namespace, r.Route)
 			}
 
@@ -1732,8 +1733,7 @@ func (p *policiesCfg) addWAFConfig(
 
 	if waf.ApPolicy != "" {
 		apPolKey := waf.ApPolicy
-		hasNamespace := strings.Contains(apPolKey, "/")
-		if !hasNamespace {
+		if !nsutils.HasNamespace(apPolKey) {
 			apPolKey = fmt.Sprintf("%v/%v", polNamespace, apPolKey)
 		}
 
@@ -1768,7 +1768,7 @@ func (p *policiesCfg) addWAFConfig(
 
 			if loco.ApLogConf != "" {
 				logConfKey := loco.ApLogConf
-				if !strings.Contains(logConfKey, "/") {
+				if !nsutils.HasNamespace(logConfKey) {
 					logConfKey = fmt.Sprintf("%v/%v", polNamespace, logConfKey)
 				}
 				if logConfPath, ok := apResources.LogConfs[logConfKey]; ok {

internal/k8s/appprotect_waf.go

@@ -8,6 +8,7 @@ import (
 	"github.com/nginx/kubernetes-ingress/internal/k8s/appprotect"
 	"github.com/nginx/kubernetes-ingress/internal/k8s/appprotectcommon"
 	nl "github.com/nginx/kubernetes-ingress/internal/logger"
+	"github.com/nginx/kubernetes-ingress/internal/nsutils"
 	conf_v1 "github.com/nginx/kubernetes-ingress/pkg/apis/configuration/v1"
 	api_v1 "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1"
@@ -249,8 +250,7 @@ func getWAFPoliciesForAppProtectLogConf(pols []*conf_v1.Policy, key string) []*c
 }
 
 func isMatchingResourceRef(ownerNs, resRef, key string) bool {
-	hasNamespace := strings.Contains(resRef, "/")
-	if !hasNamespace {
+	if !nsutils.HasNamespace(resRef) {
 		resRef = fmt.Sprintf("%v/%v", ownerNs, resRef)
 	}
 	return resRef == key
@@ -269,7 +269,7 @@ func (lbc *LoadBalancerController) addWAFPolicyRefs(
 
 		if pol.Spec.WAF.ApPolicy != "" {
 			apPolKey := pol.Spec.WAF.ApPolicy
-			if !strings.Contains(pol.Spec.WAF.ApPolicy, "/") {
+			if !nsutils.HasNamespace(apPolKey) {
 				apPolKey = fmt.Sprintf("%v/%v", pol.Namespace, apPolKey)
 			}
 
@@ -283,7 +283,7 @@ func (lbc *LoadBalancerController) addWAFPolicyRefs(
 		if pol.Spec.WAF.SecurityLog != nil && pol.Spec.WAF.SecurityLogs == nil {
 			if pol.Spec.WAF.SecurityLog.ApLogConf != "" {
 				logConfKey := pol.Spec.WAF.SecurityLog.ApLogConf
-				if !strings.Contains(pol.Spec.WAF.SecurityLog.ApLogConf, "/") {
+				if !nsutils.HasNamespace(logConfKey) {
 					logConfKey = fmt.Sprintf("%v/%v", pol.Namespace, logConfKey)
 				}
 
@@ -299,7 +299,7 @@ func (lbc *LoadBalancerController) addWAFPolicyRefs(
 			for _, SecLog := range pol.Spec.WAF.SecurityLogs {
 				if SecLog.ApLogConf != "" {
 					logConfKey := SecLog.ApLogConf
-					if !strings.Contains(SecLog.ApLogConf, "/") {
+					if !nsutils.HasNamespace(logConfKey) {
 						logConfKey = fmt.Sprintf("%v/%v", pol.Namespace, logConfKey)
 					}
 

internal/k8s/appprotectcommon/app_protect_common_resources.go

@@ -3,6 +3,7 @@ package appprotectcommon
 import (
 	"strings"
 
+	"github.com/nginx/kubernetes-ingress/internal/nsutils"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -13,7 +14,7 @@ func GetNsName(obj *unstructured.Unstructured) string {
 
 // ParseResourceReferenceAnnotation returns a namespace/name string
 func ParseResourceReferenceAnnotation(ns, antn string) string {
-	if !strings.Contains(antn, "/") {
+	if !nsutils.HasNamespace(antn) {
 		return ns + "/" + antn
 	}
 	return antn

internal/k8s/appprotectdos/app_protect_dos_configuration.go

@@ -3,11 +3,11 @@ package appprotectdos
 import (
 	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/nginx/kubernetes-ingress/internal/configs"
 	"github.com/nginx/kubernetes-ingress/internal/k8s/appprotectcommon"
 	nl "github.com/nginx/kubernetes-ingress/internal/logger"
+	"github.com/nginx/kubernetes-ingress/internal/nsutils"
 	"github.com/nginx/kubernetes-ingress/pkg/apis/dos/v1beta1"
 	"github.com/nginx/kubernetes-ingress/pkg/apis/dos/validation"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -169,7 +169,7 @@ func (ci *Configuration) AddOrUpdateDosProtectedResource(protectedConf *v1beta1.
 	if protectedEx.Obj.Spec.ApDosPolicy != "" {
 		policyReference := protectedEx.Obj.Spec.ApDosPolicy
 		// if the policy reference does not have a namespace, use the dos protected' namespace
-		if !strings.Contains(policyReference, "/") {
+		if !nsutils.HasNamespace(policyReference) {
 			policyReference = protectedEx.Obj.Namespace + "/" + policyReference
 		}
 		_, err := ci.getPolicy(policyReference)
@@ -181,7 +181,7 @@ func (ci *Configuration) AddOrUpdateDosProtectedResource(protectedConf *v1beta1.
 	if protectedEx.Obj.Spec.DosSecurityLog != nil && protectedEx.Obj.Spec.DosSecurityLog.ApDosLogConf != "" {
 		logConfReference := protectedEx.Obj.Spec.DosSecurityLog.ApDosLogConf
 		// if the log conf reference does not have a namespace, use the dos protected' namespace
-		if !strings.Contains(logConfReference, "/") {
+		if !nsutils.HasNamespace(logConfReference) {
 			logConfReference = protectedEx.Obj.Namespace + "/" + logConfReference
 		}
 		_, err := ci.getLogConf(logConfReference)
@@ -243,7 +243,7 @@ func (ci *Configuration) GetValidDosEx(parentNamespace string, nsName string) (*
 	if protectedEx.Obj.Spec.ApDosPolicy != "" {
 		policyReference := protectedEx.Obj.Spec.ApDosPolicy
 		// if the policy reference does not have a namespace, use the dos protected' namespace
-		if !strings.Contains(policyReference, "/") {
+		if !nsutils.HasNamespace(policyReference) {
 			policyReference = protectedEx.Obj.Namespace + "/" + policyReference
 		}
 		pol, err := ci.getPolicy(policyReference)
@@ -255,7 +255,7 @@ func (ci *Configuration) GetValidDosEx(parentNamespace string, nsName string) (*
 	if protectedEx.Obj.Spec.DosSecurityLog != nil && protectedEx.Obj.Spec.DosSecurityLog.ApDosLogConf != "" {
 		logConfReference := protectedEx.Obj.Spec.DosSecurityLog.ApDosLogConf
 		// if the log conf reference does not have a namespace, use the dos protected' namespace
-		if !strings.Contains(logConfReference, "/") {
+		if !nsutils.HasNamespace(logConfReference) {
 			logConfReference = protectedEx.Obj.Namespace + "/" + logConfReference
 		}
 		log, err := ci.getLogConf(logConfReference)
@@ -268,7 +268,7 @@ func (ci *Configuration) GetValidDosEx(parentNamespace string, nsName string) (*
 }
 
 func getNsName(defaultNamespace string, name string) string {
-	if !strings.Contains(name, "/") {
+	if !nsutils.HasNamespace(name) {
 		return defaultNamespace + "/" + name
 	}
 	return name

internal/k8s/configuration.go

@@ -4,11 +4,11 @@ import (
 	"fmt"
 	"reflect"
 	"sort"
-	"strings"
 	"sync"
 
 	"github.com/nginx/kubernetes-ingress/internal/configs"
 	nl "github.com/nginx/kubernetes-ingress/internal/logger"
+	"github.com/nginx/kubernetes-ingress/internal/nsutils"
 	internalValidation "github.com/nginx/kubernetes-ingress/internal/validation"
 	conf_v1 "github.com/nginx/kubernetes-ingress/pkg/apis/configuration/v1"
 	"github.com/nginx/kubernetes-ingress/pkg/apis/configuration/validation"
@@ -1660,7 +1660,7 @@ func (c *Configuration) buildVirtualServerRoutes(vs *conf_v1.VirtualServer) ([]*
 		vsrKey := r.Route
 
 		// if route is defined without a namespace, use the namespace of VirtualServer.
-		if !strings.Contains(r.Route, "/") {
+		if !nsutils.HasNamespace(vsrKey) {
 			vsrKey = fmt.Sprintf("%s/%s", vs.Namespace, r.Route)
 		}
 

internal/nsutils/utils.go

@@ -0,0 +1,10 @@
+package nsutils
+
+import (
+	"strings"
+)
+
+// HasNamespace checks if the given string is a resource reference with a namespace (i.e., has a '/' character).
+func HasNamespace(s string) bool {
+	return strings.Contains(s, "/")
+}

internal/nsutils/utils_test.go

@@ -0,0 +1,39 @@
+package nsutils
+
+import "testing"
+
+func TestHasNamespace(t *testing.T) {
+	tests := []struct {
+		resource      string
+		withNamespace bool
+		description   string
+	}{
+		{
+			resource:      "my-resource",
+			withNamespace: false,
+			description:   "resource name without namespace",
+		},
+		{
+			resource:      "custom/my-resource",
+			withNamespace: true,
+			description:   "resource name with namespace",
+		},
+		{
+			resource:      "default/my-resource",
+			withNamespace: true,
+			description:   "resource name with default namespace",
+		},
+		{
+			resource:      "",
+			withNamespace: false,
+			description:   "empty resource name",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.description, func(t *testing.T) {
+			if r := HasNamespace(tt.resource); r != tt.withNamespace {
+				t.Errorf("HasNamespace() = %v, want %v", r, tt.withNamespace)
+			}
+		})
+	}
+}

pkg/apis/configuration/validation/virtualserver.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/dlclark/regexp2"
 	"github.com/nginx/kubernetes-ingress/internal/configs"
+	"github.com/nginx/kubernetes-ingress/internal/nsutils"
 	internalValidation "github.com/nginx/kubernetes-ingress/internal/validation"
 	v1 "github.com/nginx/kubernetes-ingress/pkg/apis/configuration/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -737,7 +738,7 @@ func validateServiceName(name string, fieldPath *field.Path) field.ErrorList {
 
 // validateVirtualServerServiceName checks if a namespaced service name is valid for VirtualServer upstreams.
 func validateVirtualServerServiceName(name string, fieldPath *field.Path) field.ErrorList {
-	if strings.Contains(name, "/") {
+	if nsutils.HasNamespace(name) {
 		parts := strings.Split(name, "/")
 		if len(parts) != 2 {
 			return field.ErrorList{field.Invalid(fieldPath, name, " service reference must be in the format namespace/service-name")}