Skip to content

Commit 23400ed

Browse files
authored
Merge pull request #51 from datum-cloud/envoy-gateway-apis
Validation for Backends, BackendTrafficPolicies, HTTPRouteFilters, and SecurityPolicies.
2 parents 2d11c56 + a20d0b9 commit 23400ed

15 files changed

Lines changed: 1681 additions & 66 deletions

cmd/main.go

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -265,17 +265,17 @@ func main() {
265265
os.Exit(1)
266266
}
267267

268-
if err = webhookgatewayv1alpha1.SetupBackendTrafficPolicyWebhookWithManager(mgr); err != nil {
268+
if err = webhookgatewayv1alpha1.SetupBackendTrafficPolicyWebhookWithManager(mgr, serverConfig); err != nil {
269269
setupLog.Error(err, "unable to create webhook", "webhook", "BackendTrafficPolicy")
270270
os.Exit(1)
271271
}
272272

273-
if err = webhookgatewayv1alpha1.SetupSecurityPolicyWebhookWithManager(mgr); err != nil {
273+
if err = webhookgatewayv1alpha1.SetupSecurityPolicyWebhookWithManager(mgr, serverConfig); err != nil {
274274
setupLog.Error(err, "unable to create webhook", "webhook", "SecurityPolicy")
275275
os.Exit(1)
276276
}
277277

278-
if err = webhookgatewayv1alpha1.SetupHTTPRouteFilterWebhookWithManager(mgr); err != nil {
278+
if err = webhookgatewayv1alpha1.SetupHTTPRouteFilterWebhookWithManager(mgr, serverConfig); err != nil {
279279
setupLog.Error(err, "unable to create webhook", "webhook", "HTTPRouteFilter")
280280
os.Exit(1)
281281
}

internal/config/config.go

Lines changed: 198 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ import (
1010
"time"
1111

1212
corev1 "k8s.io/api/core/v1"
13+
"k8s.io/apimachinery/pkg/api/resource"
1314
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
1415
"k8s.io/apimachinery/pkg/types"
1516
"k8s.io/client-go/rest"
@@ -357,6 +358,10 @@ type GatewayConfig struct {
357358
//
358359
// +default={"80": ["HTTP"], "443": ["HTTPS"]}
359360
ValidProtocolTypes map[int][]gatewayv1.ProtocolType `json:"validProtocolTypes,omitempty"`
361+
362+
// ExtensionAPIValidationOptions provides configuration for validation of
363+
// extension APIs used by the Gateway.
364+
ExtensionAPIValidationOptions ExtensionAPIValidationOptions `json:"extensionAPIValidationOptions,omitempty"`
360365
}
361366

362367
func (c *GatewayConfig) GatewayDNSAddress(gateway *gatewayv1.Gateway) string {
@@ -365,6 +370,199 @@ func (c *GatewayConfig) GatewayDNSAddress(gateway *gatewayv1.Gateway) string {
365370

366371
// +k8s:deepcopy-gen=true
367372

373+
type ExtensionAPIValidationOptions struct {
374+
// BackendTrafficPolicies specifies validation options for BackendTrafficPolicy resources.
375+
BackendTrafficPolicies BackendTrafficPolicyValidationOptions `json:"backendTrafficPolicies"`
376+
377+
// HTTPRouteFilters specifies validation options for HTTPRouteFilter resources.
378+
HTTPRouteFilters HTTPRouteFilterValidationOptions `json:"httpRouteFilters"`
379+
380+
// SecurityPolicies specifies validation options for SecurityPolicy resources.
381+
SecurityPolicies SecurityPolicyValidationOptions `json:"securityPolicies"`
382+
}
383+
384+
// +k8s:deepcopy-gen=true
385+
386+
type BackendTrafficPolicyValidationOptions struct {
387+
ClusterSettings ClusterSettingsValidationOptions
388+
}
389+
390+
// +k8s:deepcopy-gen=true
391+
392+
type ClusterSettingsValidationOptions struct {
393+
// Minimum amount for the total number of unacknowledged probes to send before
394+
// deciding the connection is dead.
395+
//
396+
// +default=9
397+
TCPKeepaliveMinProbes uint32
398+
399+
// Minimum amount for the duration a connection needs to be idle before
400+
// keep-alive probes start being sent.
401+
//
402+
// +default="5m"
403+
TCPKeepaliveMinIdleTime *metav1.Duration
404+
405+
// Minimum amount for the duration between keep-alive probes.
406+
//
407+
// +default="30s"
408+
TCPKeepaliveMinInterval *metav1.Duration
409+
410+
// Maximum time allowed for a connection timeout
411+
//
412+
// +default="10s"
413+
TCPMaxConnectionTimeout *metav1.Duration
414+
415+
// Maximum amount for the duration a connection can be idle.
416+
//
417+
// +default="1h"
418+
HTTPMaxConnectionIdleTimeout *metav1.Duration
419+
420+
// Maximum amount for the duration of a connection.
421+
//
422+
// +default="1h"
423+
HTTPMaxConnectionDuration *metav1.Duration
424+
425+
// Maximum amount for the duration until an entire request is received by the
426+
// upstream.
427+
//
428+
// +default="1h"
429+
HTTPMaxRequestTimeout *metav1.Duration
430+
431+
// Maximum size for upstream connection buffers
432+
//
433+
// +default="512Ki"
434+
ConnectionMaxBufferLimit *resource.Quantity
435+
436+
// Minimum amount for the duration between DNS refreshes.
437+
//
438+
// +default="30s"
439+
DNSMinRefreshRate *metav1.Duration
440+
441+
// Maximum size for the initial stream window size for HTTP/2 connections.
442+
//
443+
// +default="64Ki"
444+
HTTP2MaxInitialStreamWindowSize *resource.Quantity
445+
446+
// Maximum size for the initial connection window size for HTTP/2 connections.
447+
//
448+
// +default="1Mi"
449+
HTTP2MaxInitialConnectionWindowSize *resource.Quantity
450+
451+
// Maximum number of concurrent streams for HTTP/2 connections.
452+
//
453+
// +default=1024
454+
HTTP2MaxConcurrentStreams uint32
455+
}
456+
457+
type HTTPRouteFilterValidationOptions struct {
458+
// MaxInlineBodySize is the maximum allowed size for an inline body in a
459+
// direct response filter.
460+
//
461+
// +default=1024
462+
MaxInlineBodySize int
463+
}
464+
465+
// +k8s:deepcopy-gen=true
466+
467+
type SecurityPolicyValidationOptions struct {
468+
// APIKeyAuth specifies validation options for API key authentication
469+
APIKeyAuth APIKeyAuthValidationOptions
470+
471+
// CORS specifies validation options for CORS
472+
CORS CORSValidationOptions
473+
474+
// JWTProvider specifies validation options for JWT providers
475+
JWTProvider JWTProviderValidationOptions
476+
477+
// OIDC specifies validation options for OIDC
478+
OIDC OIDCValidationOptions
479+
480+
// Authorization specifies validation options for authorization
481+
Authorization AuthorizationValidationOptions
482+
483+
// ClusterSettings specifies validation options for cluster settings used
484+
// within security policies.
485+
ClusterSettings ClusterSettingsValidationOptions
486+
}
487+
488+
type APIKeyAuthValidationOptions struct {
489+
// MaxCredentialRefs is the maximum number of credential references per
490+
// SecurityPolicy.
491+
//
492+
// +default=5
493+
MaxCredentialRefs int
494+
495+
// MaxExtractFrom is the maximum number of extractFrom entries per SecurityPolicy
496+
//
497+
// +default=5
498+
MaxExtractFrom int
499+
500+
// MaxExtractFromFieldLength is the maximum length of each field in an
501+
// extractFrom entry.
502+
//
503+
// +default=10
504+
MaxExtractFromFieldLength int
505+
506+
// MaxForwardClientIDHeaderLength is the maximum length for the name of the
507+
// header to use when forwarding the client identity to the upstream service.
508+
//
509+
// +default=256
510+
MaxForwardClientIDHeaderLength int
511+
}
512+
513+
type CORSValidationOptions struct {
514+
// MaxFieldLength is the maximum length for each field in a CORS policy.
515+
//
516+
// +default=10
517+
MaxFieldLength int
518+
}
519+
520+
type JWTProviderValidationOptions struct {
521+
// MaxClaimToHeaders is the maximum number of claim to header mappings per
522+
// JWT provider.
523+
//
524+
// +default=5
525+
MaxClaimToHeaders int
526+
527+
// MaxExtractorLength is the maximum length of each extractor field.
528+
//
529+
// +default=5
530+
MaxExtractorLength int
531+
}
532+
533+
// +k8s:deepcopy-gen=true
534+
535+
type OIDCValidationOptions struct {
536+
// MaxScopes is the maximum number of scopes per OIDC configuration.
537+
//
538+
// +default=5
539+
MaxScopes int
540+
541+
// MaxResources is the maximum number of resources per OIDC configuration.
542+
//
543+
// +default=5
544+
MaxResources int
545+
546+
// MinRefreshTokenTTL is the minimum allowed TTL for refresh tokens.
547+
//
548+
// +default="5m"
549+
MinRefreshTokenTTL *metav1.Duration
550+
}
551+
552+
type AuthorizationValidationOptions struct {
553+
// MaxRules is the maximum number of authorization rules per SecurityPolicy.
554+
//
555+
// +default=20
556+
MaxRules int
557+
558+
// MaxClientCIDRs is the maximum number of client CIDRs per authorization rule.
559+
//
560+
// +default=5
561+
MaxClientCIDRs int
562+
}
563+
564+
// +k8s:deepcopy-gen=true
565+
368566
type GatewayResourceReplicatorConfig struct {
369567
// Resources lists the upstream resource types that should be mirrored into
370568
// the downstream control plane.

0 commit comments

Comments
 (0)