Fix over-correcting new SE CEL validation (#3320)

Adds regression test and fixes the issue
John Howard 2024-10-10 12:17:46 -07:00 committed by GitHub
parent 14aff11e9f
commit 2ee8e3cf06
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 20 additions and 7 deletions


@ -7639,7 +7639,8 @@ spec:
- message: CIDR addresses are allowed only for NONE/STATIC resolution
types
rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/''))
&& (self.resolution != ''STATIC'' && self.resolution != ''NONE''))'
&& (has(self.resolution) && self.resolution != ''STATIC'' && self.resolution
!= ''NONE''))'
- message: NONE mode cannot set endpoints
rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints)
: true'
@ -7931,7 +7932,8 @@ spec:
- message: CIDR addresses are allowed only for NONE/STATIC resolution
types
rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/''))
&& (self.resolution != ''STATIC'' && self.resolution != ''NONE''))'
&& (has(self.resolution) && self.resolution != ''STATIC'' && self.resolution
!= ''NONE''))'
- message: NONE mode cannot set endpoints
rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints)
: true'
@ -8223,7 +8225,8 @@ spec:
- message: CIDR addresses are allowed only for NONE/STATIC resolution
types
rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/''))
&& (self.resolution != ''STATIC'' && self.resolution != ''NONE''))'
&& (has(self.resolution) && self.resolution != ''STATIC'' && self.resolution
!= ''NONE''))'
- message: NONE mode cannot set endpoints
rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints)
: true'


@ -35,7 +35,7 @@ import "istio.io/api/networking/v1alpha3"
// istiostatus-override: ServiceEntryStatus: istio.io/api/networking/v1alpha3
// -->
// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="(has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (self.resolution != 'STATIC' && self.resolution != 'NONE'))"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution != 'NONE'))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
type ServiceEntry = v1alpha3.ServiceEntry


@ -595,7 +595,7 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
// istiostatus-override: ServiceEntryStatus: istio.io/api/networking/v1alpha3
// -->
// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="(has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (self.resolution != 'STATIC' && self.resolution != 'NONE'))"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution != 'NONE'))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
type ServiceEntry struct {


@ -438,7 +438,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
// istiostatus-override: ServiceEntryStatus: istio.io/api/networking/v1alpha3
// -->
// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="(has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (self.resolution != 'STATIC' && self.resolution != 'NONE'))"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution != 'NONE'))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
message ServiceEntry {
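Review bot: The relaxed CIDR rule on the new marker line passes whenever `resolution` is omitted, but nothing next to it records why that is intended. The neighbouring rule `(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) : true` shows that an unset field is treated like NONE. A short comment beside the marker would stop a later edit from re-tightening or over-loosening this admission check, for example `// resolution unset is treated as NONE, so CIDR addresses are accepted when it is omitted`. The same rule string recurs in the other file sections of this commit, which appear to be generated from this definition, so the comment is only needed here. The body of `message ServiceEntry` lies outside the hunk.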


@ -35,7 +35,7 @@ import "istio.io/api/networking/v1alpha3"
// istiostatus-override: ServiceEntryStatus: istio.io/api/networking/v1alpha3
// -->
// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="(has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (self.resolution != 'STATIC' && self.resolution != 'NONE'))"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution != 'NONE'))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
type ServiceEntry = v1alpha3.ServiceEntry


@ -50,3 +50,13 @@ metadata:
name: partial-wildcard
spec:
hosts: ["*x"]
---
# Weird case but we allow it
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: none-cidr
spec:
hosts: ["example.com"]
addresses:
- 1.1.1.1/32
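Review bot: The added `none-cidr` document pins only the newly accepted input, a CIDR address with no `resolution`. Nothing in this hunk pins that the loosened rule still rejects a CIDR address when `resolution` is set to something other than NONE/STATIC, for example `DNS_ROUND_ROBIN`. Because the commit relaxes an admission-time validation, a paired negative fixture would guard against the rule being loosened too far; one may already exist, but no invalid-fixtures file is visible on this page. The comment `# Weird case but we allow it` could also give the reason, e.g. `# resolution unset is treated as NONE, so a CIDR address is valid`.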