add: crd validation

kkk777-7 · kkk777-7 · commit edfe2d264d00 · 2026-04-27T22:12:51.000+09:00
Signed-off-by: kkk777-7 &lt;kota.kimura0725@gmail.com&gt;
diff --git a/api/v1alpha1/bandwidthlimit_types.go b/api/v1alpha1/bandwidthlimit_types.go
@@ -69,6 +69,7 @@ type BandwidthLimitResponseTrailers struct {
 	// "bandwidth-request-filter-delay-ms" is delay time in milliseconds in request stream transfer added by the filter.
 	// "bandwidth-response-filter-delay-ms" is delay time in milliseconds that added by the filter.
 	//
+	// +kubebuilder:validation:Pattern=`^[^\r\n\x00]*$`
 	// +optional
 	Prefix *string `json:"prefix,omitempty"`
 }
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
@@ -135,6 +135,7 @@ spec:
                               including response body transfer time and the time added by the filter.
                               "bandwidth-request-filter-delay-ms" is delay time in milliseconds in request stream transfer added by the filter.
                               "bandwidth-response-filter-delay-ms" is delay time in milliseconds that added by the filter.
+                            pattern: ^[^\r\n\x00]*$
                             type: string
                         type: object
                     required:
diff --git a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
@@ -134,6 +134,7 @@ spec:
                               including response body transfer time and the time added by the filter.
                               "bandwidth-request-filter-delay-ms" is delay time in milliseconds in request stream transfer added by the filter.
                               "bandwidth-response-filter-delay-ms" is delay time in milliseconds that added by the filter.
+                            pattern: ^[^\r\n\x00]*$
                             type: string
                         type: object
                     required:
diff --git a/test/cel-validation/backendtrafficpolicy_test.go b/test/cel-validation/backendtrafficpolicy_test.go
@@ -3264,6 +3264,99 @@ func TestBackendTrafficPolicyTarget(t *testing.T) {
 			},
 			wantErrors: []string{},
 		},
+		{
+			desc: "invalid bandwidthLimit prefix with carriage return",
+			mutate: func(btp *egv1a1.BackendTrafficPolicy) {
+				btp.Spec = egv1a1.BackendTrafficPolicySpec{
+					PolicyTargetReferences: egv1a1.PolicyTargetReferences{
+						TargetRef: &gwapiv1.LocalPolicyTargetReferenceWithSectionName{
+							LocalPolicyTargetReference: gwapiv1.LocalPolicyTargetReference{
+								Group: "gateway.networking.k8s.io",
+								Kind:  "Gateway",
+								Name:  "eg",
+							},
+						},
+					},
+					BandwidthLimit: &egv1a1.BandwidthLimitSpec{
+						Response: &egv1a1.BandwidthLimitResponseConfig{
+							Limit: egv1a1.BandwidthLimitValue{
+								Value: resource.MustParse("10M"),
+								Unit:  egv1a1.BandwidthLimitUnitSecond,
+							},
+							ResponseTrailers: &egv1a1.BandwidthLimitResponseTrailers{
+								Prefix: new("x-eg\r"),
+							},
+						},
+					},
+				}
+			},
+			wantErrors: []string{
+				"spec.bandwidthLimit.response.responseTrailers.prefix",
+				"in body should match",
+			},
+		},
+		{
+			desc: "invalid bandwidthLimit prefix with newline",
+			mutate: func(btp *egv1a1.BackendTrafficPolicy) {
+				btp.Spec = egv1a1.BackendTrafficPolicySpec{
+					PolicyTargetReferences: egv1a1.PolicyTargetReferences{
+						TargetRef: &gwapiv1.LocalPolicyTargetReferenceWithSectionName{
+							LocalPolicyTargetReference: gwapiv1.LocalPolicyTargetReference{
+								Group: "gateway.networking.k8s.io",
+								Kind:  "Gateway",
+								Name:  "eg",
+							},
+						},
+					},
+					BandwidthLimit: &egv1a1.BandwidthLimitSpec{
+						Response: &egv1a1.BandwidthLimitResponseConfig{
+							Limit: egv1a1.BandwidthLimitValue{
+								Value: resource.MustParse("10M"),
+								Unit:  egv1a1.BandwidthLimitUnitSecond,
+							},
+							ResponseTrailers: &egv1a1.BandwidthLimitResponseTrailers{
+								Prefix: new("x-eg\n"),
+							},
+						},
+					},
+				}
+			},
+			wantErrors: []string{
+				"spec.bandwidthLimit.response.responseTrailers.prefix",
+				"in body should match",
+			},
+		},
+		{
+			desc: "invalid bandwidthLimit prefix with null byte",
+			mutate: func(btp *egv1a1.BackendTrafficPolicy) {
+				btp.Spec = egv1a1.BackendTrafficPolicySpec{
+					PolicyTargetReferences: egv1a1.PolicyTargetReferences{
+						TargetRef: &gwapiv1.LocalPolicyTargetReferenceWithSectionName{
+							LocalPolicyTargetReference: gwapiv1.LocalPolicyTargetReference{
+								Group: "gateway.networking.k8s.io",
+								Kind:  "Gateway",
+								Name:  "eg",
+							},
+						},
+					},
+					BandwidthLimit: &egv1a1.BandwidthLimitSpec{
+						Response: &egv1a1.BandwidthLimitResponseConfig{
+							Limit: egv1a1.BandwidthLimitValue{
+								Value: resource.MustParse("10M"),
+								Unit:  egv1a1.BandwidthLimitUnitSecond,
+							},
+							ResponseTrailers: &egv1a1.BandwidthLimitResponseTrailers{
+								Prefix: new("x-eg\x00"),
+							},
+						},
+					},
+				}
+			},
+			wantErrors: []string{
+				"spec.bandwidthLimit.response.responseTrailers.prefix",
+				"in body should match",
+			},
+		},
 		{
 			desc: "invalid bandwidthLimit with neither request nor response",
 			mutate: func(btp *egv1a1.BackendTrafficPolicy) {
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
@@ -22662,6 +22662,7 @@ spec:
                               including response body transfer time and the time added by the filter.
                               "bandwidth-request-filter-delay-ms" is delay time in milliseconds in request stream transfer added by the filter.
                               "bandwidth-response-filter-delay-ms" is delay time in milliseconds that added by the filter.
+                            pattern: ^[^\r\n\x00]*$
                             type: string
                         type: object
                     required:
diff --git a/test/helm/gateway-crds-helm/e2e.out.yaml b/test/helm/gateway-crds-helm/e2e.out.yaml
@@ -635,6 +635,7 @@ spec:
                               including response body transfer time and the time added by the filter.
                               "bandwidth-request-filter-delay-ms" is delay time in milliseconds in request stream transfer added by the filter.
                               "bandwidth-response-filter-delay-ms" is delay time in milliseconds that added by the filter.
+                            pattern: ^[^\r\n\x00]*$
                             type: string
                         type: object
                     required:
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -635,6 +635,7 @@ spec:
                               including response body transfer time and the time added by the filter.
                               "bandwidth-request-filter-delay-ms" is delay time in milliseconds in request stream transfer added by the filter.
                               "bandwidth-response-filter-delay-ms" is delay time in milliseconds that added by the filter.
+                            pattern: ^[^\r\n\x00]*$
                             type: string
                         type: object
                     required:

Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,7 @@ type BandwidthLimitResponseTrailers struct {`
`69`	`69`	`// "bandwidth-request-filter-delay-ms" is delay time in milliseconds in request stream transfer added by the filter.`
`70`	`70`	`// "bandwidth-response-filter-delay-ms" is delay time in milliseconds that added by the filter.`
`71`	`71`	`//`
	`72`	+ // +kubebuilder:validation:Pattern=`^[^\r\n\x00]*$`
`72`	`73`	`// +optional`
`73`	`74`	Prefix *string `json:"prefix,omitempty"`
`74`	`75`	`}`