Skip to content

Commit

Permalink
Merge pull request #303 from Kuadrant/gh-297
Browse files Browse the repository at this point in the history 
refactor CEL validation on healthcheck specs
  • Loading branch information
@maleck13
maleck13 authored Nov 14, 2024
2 parents ee206a5 + 78b00da commit 47863b2
Show file tree
Hide file tree
Showing 12 changed files with 160 additions and 52 deletions.
16 changes: 12 additions & 4 deletions api/v1alpha1/dnshealthcheckprobe_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,29 +28,37 @@ type DNSHealthCheckProbeSpec struct {
// Port to connect to the host on. Must be either 80, 443 or 1024-49151
// +kubebuilder:validation:XValidation:rule="self in [80, 443] || (self >= 1024 && self <= 49151)",message="Only ports 80, 443, 1024-49151 are allowed"
Port int `json:"port,omitempty"`

// Hostname is the value sent in the host header, to route the request to the correct service
// +kubebuilder:validation:Pattern=`^[a-z][a-z0-9\-]+\.([a-z][a-z0-9\-]+\.)*[a-z][a-z0-9\-]+$`
// Represents a root host of the parent DNS Record.
Hostname string `json:"hostname,omitempty"`

// Address to connect to the host on (IP Address (A Record) or hostname (CNAME)).
// +kubebuilder:validation:Pattern=`^([1-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|[a-z][a-z0-9\-]+\.([a-z][a-z0-9\-]+\.)*[a-z][a-z0-9\-]+)?$`
Address string `json:"address,omitempty"`

// Path is the path to append to the host to reach the expected health check.
// Must start with "?" or "/", contain only valid URL characters and end with alphanumeric char or "/". For example "/" or "/healthz" are common
// +kubebuilder:validation:Pattern=`^(?:\?|\/)[\w\-.~:\/?#\[\]@!$&'()*+,;=]+(?:[a-zA-Z0-9]|\/){1}$`
Path string `json:"path,omitempty"`

// Protocol to use when connecting to the host, valid values are "HTTP" or "HTTPS"
// +kubebuilder:validation:XValidation:rule="self in ['HTTP','HTTPS']",message="Only HTTP or HTTPS protocols are allowed"
Protocol Protocol `json:"protocol,omitempty"`

// Interval defines how frequently this probe should execute
Interval metav1.Duration `json:"interval,omitempty"`
Interval *metav1.Duration `json:"interval,omitempty"`

// AdditionalHeadersRef refers to a secret that contains extra headers to send in the probe request, this is primarily useful if an authentication
// token is required by the endpoint.
// +optional
AdditionalHeadersRef *AdditionalHeadersRef `json:"additionalHeadersRef,omitempty"`

// FailureThreshold is a limit of consecutive failures that must occur for a host to be considered unhealthy
// +kubebuilder:validation:XValidation:rule="self > 0",message="Failure threshold must be greater than 0"
FailureThreshold int `json:"failureThreshold,omitempty"`

// AllowInsecureCertificate will instruct the health check probe to not fail on a self-signed or otherwise invalid SSL certificate
// this is primarily used in development or testing environments
// this is primarily used in development or testing environments and is set by the --insecure-health-checks flag
AllowInsecureCertificate bool `json:"allowInsecureCertificate,omitempty"`
}

Expand Down
17 changes: 15 additions & 2 deletions api/v1alpha1/dnsrecord_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,23 +36,36 @@ const HttpsProtocol Protocol = "HTTPS"
// the listeners assigned to the target gateway
type HealthCheckSpec struct {
// Port to connect to the host on. Must be either 80, 443 or 1024-49151
// Defaults to port 443
// +kubebuilder:validation:XValidation:rule="self in [80, 443] || (self >= 1024 && self <= 49151)",message="Only ports 80, 443, 1024-49151 are allowed"
// +kubebuilder:default=443
Port int `json:"port,omitempty"`

// Path is the path to append to the host to reach the expected health check.
// Must start with "?" or "/", contain only valid URL characters and end with alphanumeric char or "/". For example "/" or "/healthz" are common
// +kubebuilder:validation:Pattern=`^(?:\?|\/)[\w\-.~:\/?#\[\]@!$&'()*+,;=]+(?:[a-zA-Z0-9]|\/){1}$`
Path string `json:"path,omitempty"`

// Protocol to use when connecting to the host, valid values are "HTTP" or "HTTPS"
// Defaults to HTTPS
// +kubebuilder:validation:XValidation:rule="self in ['HTTP','HTTPS']",message="Only HTTP or HTTPS protocols are allowed"
// +kubebuilder:default=HTTPS
Protocol Protocol `json:"protocol,omitempty"`

// Interval defines how frequently this probe should execute
// +default:5m
Interval metav1.Duration `json:"interval,omitempty"`
// Defaults to 5 minutes
// +kubebuilder:default="5m"
Interval *metav1.Duration `json:"interval,omitempty"`

// AdditionalHeadersRef refers to a secret that contains extra headers to send in the probe request, this is primarily useful if an authentication
// token is required by the endpoint.
// +optional
AdditionalHeadersRef *AdditionalHeadersRef `json:"additionalHeadersRef,omitempty"`

// FailureThreshold is a limit of consecutive failures that must occur for a host to be considered unhealthy
// Defaults to 5
// +kubebuilder:validation:XValidation:rule="self > 0",message="Failure threshold must be greater than 0"
// +kubebuilder:default=5
FailureThreshold int `json:"failureThreshold,omitempty"`
}

Expand Down
12 changes: 10 additions & 2 deletions api/v1alpha1/zz_generated.deepcopy.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion bundle/manifests/dns-operator.clusterserviceversion.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ metadata:
capabilities: Basic Install
categories: Integration & Delivery
containerImage: quay.io/kuadrant/dns-operator:latest
createdAt: "2024-11-07T15:15:46Z"
createdAt: "2024-11-14T13:59:23Z"
description: A Kubernetes Operator to manage the lifecycle of DNS resources
operators.operatorframework.io/builder: operator-sdk-v1.33.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
Expand Down
9 changes: 4 additions & 5 deletions bundle/manifests/kuadrant.io_dnshealthcheckprobes.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,12 +62,11 @@ spec:
address:
description: Address to connect to the host on (IP Address (A Record)
or hostname (CNAME)).
pattern: ^([1-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|[a-z][a-z0-9\-]+\.([a-z][a-z0-9\-]+\.)*[a-z][a-z0-9\-]+)?$
type: string
allowInsecureCertificate:
description: |-
AllowInsecureCertificate will instruct the health check probe to not fail on a self-signed or otherwise invalid SSL certificate
this is primarily used in development or testing environments
this is primarily used in development or testing environments and is set by the --insecure-health-checks flag
type: boolean
failureThreshold:
description: FailureThreshold is a limit of consecutive failures that
Expand All @@ -77,9 +76,9 @@ spec:
- message: Failure threshold must be greater than 0
rule: self > 0
hostname:
description: Hostname is the value sent in the host header, to route
the request to the correct service
pattern: ^[a-z][a-z0-9\-]+\.([a-z][a-z0-9\-]+\.)*[a-z][a-z0-9\-]+$
description: |-
Hostname is the value sent in the host header, to route the request to the correct service
Represents a root host of the parent DNS Record.
type: string
interval:
description: Interval defines how frequently this probe should execute
Expand Down
24 changes: 16 additions & 8 deletions bundle/manifests/kuadrant.io_dnsrecords.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -109,15 +109,19 @@ spec:
- name
type: object
failureThreshold:
description: FailureThreshold is a limit of consecutive failures
that must occur for a host to be considered unhealthy
default: 5
description: |-
FailureThreshold is a limit of consecutive failures that must occur for a host to be considered unhealthy
Defaults to 5
type: integer
x-kubernetes-validations:
- message: Failure threshold must be greater than 0
rule: self > 0
interval:
description: Interval defines how frequently this probe should
execute
default: 5m
description: |-
Interval defines how frequently this probe should execute
Defaults to 5 minutes
type: string
path:
description: |-
Expand All @@ -126,15 +130,19 @@ spec:
pattern: ^(?:\?|\/)[\w\-.~:\/?#\[\]@!$&'()*+,;=]+(?:[a-zA-Z0-9]|\/){1}$
type: string
port:
description: Port to connect to the host on. Must be either 80,
443 or 1024-49151
default: 443
description: |-
Port to connect to the host on. Must be either 80, 443 or 1024-49151
Defaults to port 443
type: integer
x-kubernetes-validations:
- message: Only ports 80, 443, 1024-49151 are allowed
rule: self in [80, 443] || (self >= 1024 && self <= 49151)
protocol:
description: Protocol to use when connecting to the host, valid
values are "HTTP" or "HTTPS"
default: HTTPS
description: |-
Protocol to use when connecting to the host, valid values are "HTTP" or "HTTPS"
Defaults to HTTPS
type: string
x-kubernetes-validations:
- message: Only HTTP or HTTPS protocols are allowed
Expand Down
33 changes: 20 additions & 13 deletions charts/dns-operator/templates/manifests.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,12 +63,11 @@ spec:
address:
description: Address to connect to the host on (IP Address (A Record)
or hostname (CNAME)).
pattern: ^([1-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|[a-z][a-z0-9\-]+\.([a-z][a-z0-9\-]+\.)*[a-z][a-z0-9\-]+)?$
type: string
allowInsecureCertificate:
description: |-
AllowInsecureCertificate will instruct the health check probe to not fail on a self-signed or otherwise invalid SSL certificate
this is primarily used in development or testing environments
this is primarily used in development or testing environments and is set by the --insecure-health-checks flag
type: boolean
failureThreshold:
description: FailureThreshold is a limit of consecutive failures that
Expand All @@ -78,9 +77,9 @@ spec:
- message: Failure threshold must be greater than 0
rule: self > 0
hostname:
description: Hostname is the value sent in the host header, to route
the request to the correct service
pattern: ^[a-z][a-z0-9\-]+\.([a-z][a-z0-9\-]+\.)*[a-z][a-z0-9\-]+$
description: |-
Hostname is the value sent in the host header, to route the request to the correct service
Represents a root host of the parent DNS Record.
type: string
interval:
description: Interval defines how frequently this probe should execute
Expand Down Expand Up @@ -241,15 +240,19 @@ spec:
- name
type: object
failureThreshold:
description: FailureThreshold is a limit of consecutive failures
that must occur for a host to be considered unhealthy
default: 5
description: |-
FailureThreshold is a limit of consecutive failures that must occur for a host to be considered unhealthy
Defaults to 5
type: integer
x-kubernetes-validations:
- message: Failure threshold must be greater than 0
rule: self > 0
interval:
description: Interval defines how frequently this probe should
execute
default: 5m
description: |-
Interval defines how frequently this probe should execute
Defaults to 5 minutes
type: string
path:
description: |-
Expand All @@ -258,15 +261,19 @@ spec:
pattern: ^(?:\?|\/)[\w\-.~:\/?#\[\]@!$&'()*+,;=]+(?:[a-zA-Z0-9]|\/){1}$
type: string
port:
description: Port to connect to the host on. Must be either 80,
443 or 1024-49151
default: 443
description: |-
Port to connect to the host on. Must be either 80, 443 or 1024-49151
Defaults to port 443
type: integer
x-kubernetes-validations:
- message: Only ports 80, 443, 1024-49151 are allowed
rule: self in [80, 443] || (self >= 1024 && self <= 49151)
protocol:
description: Protocol to use when connecting to the host, valid
values are "HTTP" or "HTTPS"
default: HTTPS
description: |-
Protocol to use when connecting to the host, valid values are "HTTP" or "HTTPS"
Defaults to HTTPS
type: string
x-kubernetes-validations:
- message: Only HTTP or HTTPS protocols are allowed
Expand Down
9 changes: 4 additions & 5 deletions config/crd/bases/kuadrant.io_dnshealthcheckprobes.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,12 +62,11 @@ spec:
address:
description: Address to connect to the host on (IP Address (A Record)
or hostname (CNAME)).
pattern: ^([1-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|[a-z][a-z0-9\-]+\.([a-z][a-z0-9\-]+\.)*[a-z][a-z0-9\-]+)?$
type: string
allowInsecureCertificate:
description: |-
AllowInsecureCertificate will instruct the health check probe to not fail on a self-signed or otherwise invalid SSL certificate
this is primarily used in development or testing environments
this is primarily used in development or testing environments and is set by the --insecure-health-checks flag
type: boolean
failureThreshold:
description: FailureThreshold is a limit of consecutive failures that
Expand All @@ -77,9 +76,9 @@ spec:
- message: Failure threshold must be greater than 0
rule: self > 0
hostname:
description: Hostname is the value sent in the host header, to route
the request to the correct service
pattern: ^[a-z][a-z0-9\-]+\.([a-z][a-z0-9\-]+\.)*[a-z][a-z0-9\-]+$
description: |-
Hostname is the value sent in the host header, to route the request to the correct service
Represents a root host of the parent DNS Record.
type: string
interval:
description: Interval defines how frequently this probe should execute
Expand Down
24 changes: 16 additions & 8 deletions config/crd/bases/kuadrant.io_dnsrecords.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -109,15 +109,19 @@ spec:
- name
type: object
failureThreshold:
description: FailureThreshold is a limit of consecutive failures
that must occur for a host to be considered unhealthy
default: 5
description: |-
FailureThreshold is a limit of consecutive failures that must occur for a host to be considered unhealthy
Defaults to 5
type: integer
x-kubernetes-validations:
- message: Failure threshold must be greater than 0
rule: self > 0
interval:
description: Interval defines how frequently this probe should
execute
default: 5m
description: |-
Interval defines how frequently this probe should execute
Defaults to 5 minutes
type: string
path:
description: |-
Expand All @@ -126,15 +130,19 @@ spec:
pattern: ^(?:\?|\/)[\w\-.~:\/?#\[\]@!$&'()*+,;=]+(?:[a-zA-Z0-9]|\/){1}$
type: string
port:
description: Port to connect to the host on. Must be either 80,
443 or 1024-49151
default: 443
description: |-
Port to connect to the host on. Must be either 80, 443 or 1024-49151
Defaults to port 443
type: integer
x-kubernetes-validations:
- message: Only ports 80, 443, 1024-49151 are allowed
rule: self in [80, 443] || (self >= 1024 && self <= 49151)
protocol:
description: Protocol to use when connecting to the host, valid
values are "HTTP" or "HTTPS"
default: HTTPS
description: |-
Protocol to use when connecting to the host, valid values are "HTTP" or "HTTPS"
Defaults to HTTPS
type: string
x-kubernetes-validations:
- message: Only HTTP or HTTPS protocols are allowed
Expand Down
Loading

0 comments on commit 47863b2

Please sign in to comment.