Commit a54582a

snorwin and candita authored
Add CEL for BackendTLSPolicy targetRefs (#3496)
* Add CEL for BackendTLSPolicy targetRefs
  Signed-off-by: Norwin Schnyder <[email protected]>
* Additional test cases with different groups and kinds for BackendTLSPolicy CEL validation
  Signed-off-by: Norwin Schnyder <[email protected]>
* Increase number of targetRefs in BackendTLSPolicy CEL tests
  Signed-off-by: Norwin Schnyder <[email protected]>
* Add godoc for targetRef CEL validation in BackendTLSPolicy
  Signed-off-by: Norwin Schnyder <[email protected]>
* Apply PR suggestions
  Co-authored-by: Candace Holman <[email protected]>
---------
Signed-off-by: Norwin Schnyder <[email protected]>
Co-authored-by: Candace Holman <[email protected]>
1 parent 77c8d47 commit a54582a

4 files changed

+267
-27
lines changed

apis/v1alpha3/backendtlspolicy_types.go

+10
@@ -65,12 +65,22 @@ type BackendTLSPolicySpec struct {
6565
// by default, but this default may change in the future to provide
6666
// a more granular application of the policy.
6767
//
68+
// TargetRefs must be _distinct_. This means either that:
69+
//
70+
// * They select different targets. If this is the case, then targetRef
71+
// entries are distinct. In terms of fields, this means that the
72+
// multi-part key defined by `group`, `kind`, and `name` must
73+
// be unique across all targetRef entries in the BackendTLSPolicy.
74+
// * They select different sectionNames in the same target.
75+
//
6876
// Support: Extended for Kubernetes Service
6977
//
7078
// Support: Implementation-specific for any other resource
7179
//
7280
// +kubebuilder:validation:MinItems=1
7381
// +kubebuilder:validation:MaxItems=16
82+
// +kubebuilder:validation:XValidation:message="sectionName must be specified when targetRefs includes 2 or more references to the same target",rule="self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName == '') == (!has(p2.sectionName) || p2.sectionName == '')) : true))"
83+
// +kubebuilder:validation:XValidation:message="sectionName must be unique when targetRefs includes 2 or more references to the same target",rule="self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName))))"
7484
TargetRefs []v1alpha2.LocalPolicyTargetReferenceWithSectionName `json:"targetRefs"`
7585

7686
// Validation contains backend TLS validation configuration.
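
Review bot: the godoc added at new lines 68-74 does not cover the case that the first XValidation rule (new line 82) rejects, namely two targetRefs with the same `group`, `kind` and `name` where one sets `sectionName` and the other leaves it unset or ''. Read literally, "They select different sectionNames in the same target" would allow that pair, yet the rule fails it with "sectionName must be specified when targetRefs includes 2 or more references to the same target". Suggest extending the second bullet to say that when a target is referenced more than once, every reference to it must carry a non-empty sectionName, and that an empty string is treated the same as an omitted field, since both rules rely on `!has(p.sectionName) || p.sectionName == ''`. A smaller point on the same two lines: the emptiness expression is repeated four times across rules that are already long single-line markers, so a short comment above each marker stating in one sentence what it enforces would make later edits safer.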

config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml

+22
Some generated files are not rendered by default.

pkg/generated/openapi/zz_generated.openapi.go

+1-1
Some generated files are not rendered by default.