Add validation for duplicate targetRefs

bjee19 · bjee19 · commit 3327afee4636 · 2025-01-06T16:54:28.000-08:00
diff --git a/apis/v1alpha1/observabilitypolicy_types.go b/apis/v1alpha1/observabilitypolicy_types.go
@@ -47,10 +47,14 @@ type ObservabilityPolicySpec struct {
 	// Objects must be in the same namespace as the policy.
 	// Support: HTTPRoute, GRPCRoute.
 	//
+	// TargetRefs must be _distinct_. This means that the multi-part key defined by `kind` and `name` must
+	// be unique across all targetRef entries in the ObservabilityPolicy.
+	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=16
 	// +kubebuilder:validation:XValidation:message="TargetRef Kind must be: HTTPRoute or GRPCRoute",rule="(self.exists(t, t.kind=='HTTPRoute') || self.exists(t, t.kind=='GRPCRoute'))"
-	// +kubebuilder:validation:XValidation:message="TargetRef Group must be gateway.networking.k8s.io.",rule="self.all(t, t.group=='gateway.networking.k8s.io')"
+	// +kubebuilder:validation:XValidation:message="TargetRef Group must be gateway.networking.k8s.io",rule="self.all(t, t.group=='gateway.networking.k8s.io')"
+	// +kubebuilder:validation:XValidation:message="TargetRef Kind and Name combination must be unique",rule="self.all(p1, self.exists_one(p2, (p1.name == p2.name) && (p1.kind == p2.kind)))"
 	//nolint:lll
 	TargetRefs []gatewayv1alpha2.LocalPolicyTargetReference `json:"targetRefs"`
 }
diff --git a/apis/v1alpha1/upstreamsettingspolicy_types.go b/apis/v1alpha1/upstreamsettingspolicy_types.go
@@ -55,10 +55,13 @@ type UpstreamSettingsPolicySpec struct {
 	// Objects must be in the same namespace as the policy.
 	// Support: Service
 	//
+	// TargetRefs must be _distinct_. The `name` field must be unique for all targetRef entries in the UpstreamSettingsPolicy.
+	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=16
 	// +kubebuilder:validation:XValidation:message="TargetRefs Kind must be: Service",rule="self.all(t, t.kind=='Service')"
 	// +kubebuilder:validation:XValidation:message="TargetRefs Group must be core",rule="self.exists(t, t.group=='') || self.exists(t, t.group=='core')"
+	// +kubebuilder:validation:XValidation:message="TargetRef Name must be unique",rule="self.all(p1, self.exists_one(p2, p1.name == p2.name))"
 	//nolint:lll
 	TargetRefs []gatewayv1alpha2.LocalPolicyTargetReference `json:"targetRefs"`
 }
diff --git a/config/crd/bases/gateway.nginx.org_observabilitypolicies.yaml b/config/crd/bases/gateway.nginx.org_observabilitypolicies.yaml
@@ -55,6 +55,9 @@ spec:
                   TargetRefs identifies the API object(s) to apply the policy to.
                   Objects must be in the same namespace as the policy.
                   Support: HTTPRoute, GRPCRoute.
+
+                  TargetRefs must be _distinct_. This means that the multi-part key defined by `kind` and `name` must
+                  be unique across all targetRef entries in the ObservabilityPolicy.
                 items:
                   description: |-
                     LocalPolicyTargetReference identifies an API object to apply a direct or
@@ -90,8 +93,11 @@ spec:
                 x-kubernetes-validations:
                 - message: 'TargetRef Kind must be: HTTPRoute or GRPCRoute'
                   rule: (self.exists(t, t.kind=='HTTPRoute') || self.exists(t, t.kind=='GRPCRoute'))
-                - message: TargetRef Group must be gateway.networking.k8s.io.
+                - message: TargetRef Group must be gateway.networking.k8s.io
                   rule: self.all(t, t.group=='gateway.networking.k8s.io')
+                - message: TargetRef Kind and Name combination must be unique
+                  rule: self.all(p1, self.exists_one(p2, (p1.name == p2.name) && (p1.kind
+                    == p2.kind)))
               tracing:
                 description: Tracing allows for enabling and configuring tracing.
                 properties:
diff --git a/config/crd/bases/gateway.nginx.org_upstreamsettingspolicies.yaml b/config/crd/bases/gateway.nginx.org_upstreamsettingspolicies.yaml
@@ -90,6 +90,8 @@ spec:
                   TargetRefs identifies API object(s) to apply the policy to.
                   Objects must be in the same namespace as the policy.
                   Support: Service
+
+                  TargetRefs must be _distinct_. The `name` field must be unique for all targetRef entries in the UpstreamSettingsPolicy.
                 items:
                   description: |-
                     LocalPolicyTargetReference identifies an API object to apply a direct or
@@ -127,6 +129,8 @@ spec:
                   rule: self.all(t, t.kind=='Service')
                 - message: TargetRefs Group must be core
                   rule: self.exists(t, t.group=='') || self.exists(t, t.group=='core')
+                - message: TargetRef Name must be unique
+                  rule: self.all(p1, self.exists_one(p2, p1.name == p2.name))
               zoneSize:
                 description: |-
                   ZoneSize is the size of the shared memory zone used by the upstream. This memory zone is used to share
diff --git a/deploy/crds.yaml b/deploy/crds.yaml
@@ -874,6 +874,9 @@ spec:
                   TargetRefs identifies the API object(s) to apply the policy to.
                   Objects must be in the same namespace as the policy.
                   Support: HTTPRoute, GRPCRoute.
+
+                  TargetRefs must be _distinct_. This means that the multi-part key defined by `kind` and `name` must
+                  be unique across all targetRef entries in the ObservabilityPolicy.
                 items:
                   description: |-
                     LocalPolicyTargetReference identifies an API object to apply a direct or
@@ -909,8 +912,11 @@ spec:
                 x-kubernetes-validations:
                 - message: 'TargetRef Kind must be: HTTPRoute or GRPCRoute'
                   rule: (self.exists(t, t.kind=='HTTPRoute') || self.exists(t, t.kind=='GRPCRoute'))
-                - message: TargetRef Group must be gateway.networking.k8s.io.
+                - message: TargetRef Group must be gateway.networking.k8s.io
                   rule: self.all(t, t.group=='gateway.networking.k8s.io')
+                - message: TargetRef Kind and Name combination must be unique
+                  rule: self.all(p1, self.exists_one(p2, (p1.name == p2.name) && (p1.kind
+                    == p2.kind)))
               tracing:
                 description: Tracing allows for enabling and configuring tracing.
                 properties:
@@ -1574,6 +1580,8 @@ spec:
                   TargetRefs identifies API object(s) to apply the policy to.
                   Objects must be in the same namespace as the policy.
                   Support: Service
+
+                  TargetRefs must be _distinct_. The `name` field must be unique for all targetRef entries in the UpstreamSettingsPolicy.
                 items:
                   description: |-
                     LocalPolicyTargetReference identifies an API object to apply a direct or
@@ -1611,6 +1619,8 @@ spec:
                   rule: self.all(t, t.kind=='Service')
                 - message: TargetRefs Group must be core
                   rule: self.exists(t, t.group=='') || self.exists(t, t.group=='core')
+                - message: TargetRef Name must be unique
+                  rule: self.all(p1, self.exists_one(p2, p1.name == p2.name))
               zoneSize:
                 description: |-
                   ZoneSize is the size of the shared memory zone used by the upstream. This memory zone is used to share
diff --git a/site/content/reference/api.md b/site/content/reference/api.md
@@ -465,6 +465,8 @@ Tracing
 <p>TargetRefs identifies the API object(s) to apply the policy to.
 Objects must be in the same namespace as the policy.
 Support: HTTPRoute, GRPCRoute.</p>
+<p>TargetRefs must be <em>distinct</em>. This means that the multi-part key defined by <code>kind</code> and <code>name</code> must
+be unique across all targetRef entries in the ObservabilityPolicy.</p>
 </td>
 </tr>
 </table>
@@ -683,6 +685,7 @@ UpstreamKeepAlive
 <p>TargetRefs identifies API object(s) to apply the policy to.
 Objects must be in the same namespace as the policy.
 Support: Service</p>
+<p>TargetRefs must be <em>distinct</em>. The <code>name</code> field must be unique for all targetRef entries in the UpstreamSettingsPolicy.</p>
 </td>
 </tr>
 </table>
@@ -1530,6 +1533,8 @@ Tracing
 <p>TargetRefs identifies the API object(s) to apply the policy to.
 Objects must be in the same namespace as the policy.
 Support: HTTPRoute, GRPCRoute.</p>
+<p>TargetRefs must be <em>distinct</em>. This means that the multi-part key defined by <code>kind</code> and <code>name</code> must
+be unique across all targetRef entries in the ObservabilityPolicy.</p>
 </td>
 </tr>
 </tbody>
@@ -2290,6 +2295,7 @@ UpstreamKeepAlive
 <p>TargetRefs identifies API object(s) to apply the policy to.
 Objects must be in the same namespace as the policy.
 Support: Service</p>
+<p>TargetRefs must be <em>distinct</em>. The <code>name</code> field must be unique for all targetRef entries in the UpstreamSettingsPolicy.</p>
 </td>
 </tr>
 </tbody>
