Improve server-side validation for ExternalWorkload (#11900)

We introduced an ExternalWorkload CRD along with bindings for mesh
expansion. Currently, the CRD allows users to create ExternalWorkload
resources without adding a meshTls strategy.

This change adds more validation restrictions to the CRD definition
(i.e. server-side validation). When a meshTls strategy is used, we
require both identity and serverName to be present. We also mark meshTls
as the only required field in the spec. Every ExternalWorkload regardless
of the direction of its traffic must have it set.

WorkloadIPs and ports now become optional to allow resources to be
created only to configure outbound discovery (VM to workload)
and inbound policy discovery (VM).

---------

Signed-off-by: Matei David <matei@buoyant.io>
Matei David 2024-01-11 10:04:39 +00:00 committed by GitHub
parent 743c1da8bd
commit 3f4925bfdb
6 changed files with 46 additions and 28 deletions


@ -65,12 +65,14 @@ spec:
minLength: 1
maxLength: 253
type: object
required:
- identity
- serverName
ports:
type: array
description: ports describes a list of ports exposed by the
workload
items:
type: object
properties:
name:
type: string
@ -87,6 +89,9 @@ spec:
TCP. Defaults to TCP.
type: string
default: "TCP"
type: object
required:
- port
workloadIPs:
type: array
description: workloadIPs contains a list of IP addresses that
@ -98,8 +103,7 @@ spec:
type: string
type: object
required:
- ports
- workloadIPs
- meshTls
status:
type: object
properties:
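Review bot: The new `required:` list at L34-36 only rejects a meshTls object that omits the identity or serverName key; an explicitly empty string `""` still passes admission unless each property also carries `minLength: 1`. The `minLength: 1` / `maxLength: 253` pair at L31-32 belongs to whichever property immediately precedes `type: object`, so only that one is visibly guarded, and the other property is not shown in this hunk. If identity does not carry its own `minLength: 1`, an empty identity is accepted by the API server and only surfaces later in the proxy's mTLS peer verification, which is the wrong place to discover it. The enclosing meshTls schema starts above this hunk, and the same hunk is repeated verbatim in the three golden files. The proposal is a single line under the identity property, `minLength: 1`, mirroring what L31 already does for its neighbour.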

cli/cmd/testdata/install_crds.golden generated vendored

@ -10293,12 +10293,14 @@ spec:
minLength: 1
maxLength: 253
type: object
required:
- identity
- serverName
ports:
type: array
description: ports describes a list of ports exposed by the
workload
items:
type: object
properties:
name:
type: string
@ -10315,6 +10317,9 @@ spec:
TCP. Defaults to TCP.
type: string
default: "TCP"
type: object
required:
- port
workloadIPs:
type: array
description: workloadIPs contains a list of IP addresses that
@ -10326,8 +10331,7 @@ spec:
type: string
type: object
required:
- ports
- workloadIPs
- meshTls
status:
type: object
properties:


@ -10311,12 +10311,14 @@ spec:
minLength: 1
maxLength: 253
type: object
required:
- identity
- serverName
ports:
type: array
description: ports describes a list of ports exposed by the
workload
items:
type: object
properties:
name:
type: string
@ -10333,6 +10335,9 @@ spec:
TCP. Defaults to TCP.
type: string
default: "TCP"
type: object
required:
- port
workloadIPs:
type: array
description: workloadIPs contains a list of IP addresses that
@ -10344,8 +10349,7 @@ spec:
type: string
type: object
required:
- ports
- workloadIPs
- meshTls
status:
type: object
properties:


@ -10311,12 +10311,14 @@ spec:
minLength: 1
maxLength: 253
type: object
required:
- identity
- serverName
ports:
type: array
description: ports describes a list of ports exposed by the
workload
items:
type: object
properties:
name:
type: string
@ -10333,6 +10335,9 @@ spec:
TCP. Defaults to TCP.
type: string
default: "TCP"
type: object
required:
- port
workloadIPs:
type: array
description: workloadIPs contains a list of IP addresses that
@ -10344,8 +10349,7 @@ spec:
type: string
type: object
required:
- ports
- workloadIPs
- meshTls
status:
type: object
properties:


@ -46,24 +46,26 @@ type ExternalWorkloadList struct {
// ExternalWorkloadSpec represents the desired state of an external workload
type ExternalWorkloadSpec struct {
// MeshTls describes TLS settings associated with an external workload
MeshTls MeshTls `json:"meshTls"`
// Ports describes a set of ports exposed by the workload
//
// +optional
MeshTls MeshTls `json:"meshTls,omitempty"`
// Ports describes a set of ports exposed by the workload
Ports []PortSpec `json:"ports"`
Ports []PortSpec `json:"ports,omitempty"`
// List of IP addresses that can be used to send traffic to an external
// workload
WorkloadIPs []WorkloadIP `json:"workloadIPs"`
//
// +optional
WorkloadIPs []WorkloadIP `json:"workloadIPs,omitempty"`
}
// MeshTls describes TLS settings associated with an external workload
type MeshTls struct {
// Identity associated with the workload. Used by peers to perform
// verification in the mTLS handshake
Identity string `json:"identity,omitempty"`
Identity string `json:"identity"`
// ServerName is the DNS formatted name associated with the workload. Used
// to terminate TLS using the SNI extension.
ServerName string `json:"serverName,omitempty"`
ServerName string `json:"serverName"`
}
// PortSpec represents a network port in a single workload.
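Review bot: The `,omitempty` added to the MeshTls tag on L196 is a no-op for a struct-valued field (encoding/json never treats a struct as empty) and it reads as "optional" while the CRD in this same commit makes meshTls the only required spec field; drop the suffix so the tag states the contract the schema enforces: `MeshTls MeshTls \`json:"meshTls"\``. The `//` and `// +optional` marker lines at L193-195 are printed ahead of the MeshTls field in this rendering, whereas the matching pair at L203-204 sits directly above WorkloadIPs; presumably they belong to Ports and the page has interleaved them, but that is worth confirming against the file, since a `+optional` marker on a required field would mislead any tooling or reader relying on it. The ExternalWorkloadSpec struct is fully inside the hunk; ExternalWorkloadList, named in the hunk header, starts above it.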


@ -17,13 +17,13 @@ use serde::{Deserialize, Serialize};
pub struct ExternalWorkloadSpec {
/// MeshTls describes TLS settings associated with an external workload
#[serde(rename = "meshTls")]
pub mesh_tls: Option<MeshTls>,
pub mesh_tls: MeshTls,
/// Ports describes a set of ports exposed by the workload
pub ports: Vec<PortSpec>,
pub ports: Option<Vec<PortSpec>>,
/// List of IP addresses that can be used to send traffic to an external
/// workload
#[serde(rename = "workloadIPs")]
pub workload_ips: Vec<WorkloadIP>,
pub workload_ips: Option<Vec<WorkloadIP>>,
}
/// MeshTls describes TLS settings associated with an external workload
@ -31,11 +31,11 @@ pub struct ExternalWorkloadSpec {
pub struct MeshTls {
/// Identity associated with the workload. Used by peers to perform
/// verification in the mTLS handshake
pub identity: Option<String>,
pub identity: String,
/// ServerName is the DNS formatted name associated with the workload. Used
/// to terminate TLS using the SNI extension.
#[serde(rename = "serverName")]
pub server_name: Option<String>,
pub server_name: String,
}
/// PortSpec represents a network port in a single workload.
@ -54,17 +54,17 @@ pub struct PortSpec {
pub protocol: Option<String>,
}
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)]
pub struct ExternalWorkloadStatus {
pub conditions: Vec<Condition>,
}
/// WorkloadIPs contains a list of IP addresses exposed by an ExternalWorkload
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)]
pub struct WorkloadIP {
pub ip: String,
}
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)]
pub struct ExternalWorkloadStatus {
pub conditions: Vec<Condition>,
}
/// WorkloadCondition represents the service state of an ExternalWorkload
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)]
#[serde(rename_all = "camelCase")]
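Review bot: In the MeshTls hunk (L239-249), `identity: String` and `server_name: String` now fail deserialization when the key is absent, which matches the CRD's `required` list, but neither serde nor a `required` entry rejects an empty string, so a resource carrying `identity: ""` deserializes cleanly and the controller would derive peer-identity policy from an empty identity; the consumer should check `mesh_tls.identity.is_empty()` and `mesh_tls.server_name.is_empty()` and treat the resource as invalid rather than trusting admission to have done it. In the ExternalWorkloadSpec hunk (L223-236), `ports: Option<Vec<PortSpec>>` and `workload_ips: Option<Vec<WorkloadIP>>` give "no ports" two spellings, `None` and `Some(vec![])`, that every caller must now collapse; `#[serde(default)] pub ports: Vec<PortSpec>` (and the same for `workload_ips`) keeps one representation and still accepts the key being absent. Making `mesh_tls` non-optional also means any ExternalWorkload object that predates the schema change and lacks meshTls will no longer deserialize; how the watch surfaces that presumably depends on the kube client's error handling and is not visible here. The third hunk (L252-269) only reorders ExternalWorkloadStatus and WorkloadIP and needs no change.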