fix: replace trim() CEL rule with Pattern annotation to avoid cost budget error

AlinsRan · AlinsRan · commit 3cbb4ca91e59 · 2026-05-12T14:17:24.000+08:00
trim() in CEL has O(n) cost; without maxLength the estimator assumed unbounded
string length and rejected the rule with '100x budget exceeded'.

Split the concern into two zero-cost constraints:
- CEL XValidation: 'self.scope == Path || size(self.name) &gt; 0'  (O(1), unchanged)
- Pattern: '^$|.*\S.*'  (OpenAPI schema level, no CEL cost)
  rejects whitespace-only names while allowing empty string (Path scope)
diff --git a/api/v2/apisixroute_types.go b/api/v2/apisixroute_types.go
@@ -411,7 +411,7 @@ type ApisixRouteAuthenticationLDAPAuth struct {
 }
 
 // ApisixRouteHTTPMatchExprSubject describes the subject of a route matching expression.
-// +kubebuilder:validation:XValidation:rule="self.scope == 'Path' || size(self.name.trim()) > 0",message="name is required and must not be blank when scope is not Path"
+// +kubebuilder:validation:XValidation:rule="self.scope == 'Path' || size(self.name) > 0",message="name is required when scope is not Path"
 type ApisixRouteHTTPMatchExprSubject struct {
 	// Scope specifies the subject scope.
 	// Supported values: `Header`, `Query`, `Path`, `Cookie`, `Variable`, `Body`.
@@ -425,6 +425,7 @@ type ApisixRouteHTTPMatchExprSubject struct {
 	// parameter name, cookie name, Nginx variable name, or body field name (dot-notation
 	// JSON path supported for Body scope). Optional when Scope is Path.
 	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern=`^$|.*\S.*`
 	Name string `json:"name,omitempty" yaml:"name,omitempty"`
 }
 
diff --git a/api/v2/apisixroute_types_test.go b/api/v2/apisixroute_types_test.go
@@ -90,16 +90,16 @@ func TestApisixRoute_BodyScope_EmptyName(t *testing.T) {
 	v := loadApisixRouteSchema(t)
 	err := v.Validate(t, newRouteWithBodyExpr("apisix", "", "login"))
 	require.Error(t, err)
-	assert.Contains(t, err.Error(), "name is required and must not be blank when scope is not Path")
+	assert.Contains(t, err.Error(), "name is required when scope is not Path")
 }
 
 // TestApisixRoute_BodyScope_WhitespaceName verifies that a Body scope expr with
-// a whitespace-only name is rejected (trim() prevents blank names from passing).
+// a whitespace-only name is rejected by the Pattern constraint on the name field.
 func TestApisixRoute_BodyScope_WhitespaceName(t *testing.T) {
 	v := loadApisixRouteSchema(t)
 	err := v.Validate(t, newRouteWithBodyExpr("apisix", "   ", "login"))
 	require.Error(t, err)
-	assert.Contains(t, err.Error(), "name is required and must not be blank when scope is not Path")
+	assert.Contains(t, err.Error(), "name")
 }
 
 // TestApisixRoute_PathScope_EmptyName verifies that Path scope without a name
diff --git a/config/crd/bases/apisix.apache.org_apisixroutes.yaml b/config/crd/bases/apisix.apache.org_apisixroutes.yaml
@@ -210,6 +210,7 @@ spec:
                                       Name is the name of the subject within the given scope: the header name, query
                                       parameter name, cookie name, Nginx variable name, or body field name (dot-notation
                                       JSON path supported for Body scope). Optional when Scope is Path.
+                                    pattern: ^$|.*\S.*
                                     type: string
                                   scope:
                                     description: |-
@@ -231,10 +232,9 @@ spec:
                                 - scope
                                 type: object
                                 x-kubernetes-validations:
-                                - message: name is required and must not be blank
-                                    when scope is not Path
-                                  rule: self.scope == 'Path' || size(self.name.trim())
-                                    > 0
+                                - message: name is required when scope is not Path
+                                  rule: self.scope == 'Path' || size(self.name) >
+                                    0
                               value:
                                 description: |-
                                   Value defines a single value to compare against the subject.

Original file line number	Diff line number	Diff line change
`@@ -411,7 +411,7 @@ type ApisixRouteAuthenticationLDAPAuth struct {`
`411`	`411`	`}`
`412`	`412`
`413`	`413`	`// ApisixRouteHTTPMatchExprSubject describes the subject of a route matching expression.`
`414`		`-// +kubebuilder:validation:XValidation:rule="self.scope == 'Path' \|\| size(self.name.trim()) > 0",message="name is required and must not be blank when scope is not Path"`
	`414`	`+// +kubebuilder:validation:XValidation:rule="self.scope == 'Path' \|\| size(self.name) > 0",message="name is required when scope is not Path"`
`415`	`415`	`type ApisixRouteHTTPMatchExprSubject struct {`
`416`	`416`	`// Scope specifies the subject scope.`
`417`	`417`	// Supported values: `Header`, `Query`, `Path`, `Cookie`, `Variable`, `Body`.
`@@ -425,6 +425,7 @@ type ApisixRouteHTTPMatchExprSubject struct {`
`425`	`425`	`// parameter name, cookie name, Nginx variable name, or body field name (dot-notation`
`426`	`426`	`// JSON path supported for Body scope). Optional when Scope is Path.`
`427`	`427`	`// +kubebuilder:validation:Optional`
	`428`	+ // +kubebuilder:validation:Pattern=`^$\|.\S.`
`428`	`429`	Name string `json:"name,omitempty" yaml:"name,omitempty"`
`429`	`430`	`}`
`430`	`431`