From 72c5c53ea3df2eb4f09cf30a83034d02a8832dcc Mon Sep 17 00:00:00 2001 From: Adam Cattermole Date: Fri, 21 Jun 2024 11:39:56 +0100 Subject: [PATCH] Use LocalPolicyTargetReference 
Signed-off-by: Adam Cattermole --- api/v1alpha1/dnspolicy_types.go | 27 +-- api/v1alpha1/tlspolicy_types.go | 23 +-- api/v1alpha1/zz_generated.deepcopy.go | 4 +- api/v1beta2/authpolicy_types.go | 13 +- api/v1beta2/authpolicy_types_test.go | 69 +------ api/v1beta2/ratelimitpolicy_types.go | 12 +- api/v1beta2/ratelimitpolicy_types_test.go | 23 +-- api/v1beta2/zz_generated.deepcopy.go | 4 +- ...adrant-operator.clusterserviceversion.yaml | 2 +- .../manifests/kuadrant.io_authpolicies.yaml | 22 ++- bundle/manifests/kuadrant.io_dnspolicies.yaml | 12 +- bundle/manifests/kuadrant.io_kuadrants.yaml | 174 +++++++++++++++++- .../kuadrant.io_ratelimitpolicies.yaml | 10 - bundle/manifests/kuadrant.io_tlspolicies.yaml | 10 - .../crd/bases/kuadrant.io_authpolicies.yaml | 22 ++- config/crd/bases/kuadrant.io_dnspolicies.yaml | 12 +- config/crd/bases/kuadrant.io_kuadrants.yaml | 174 +++++++++++++++++- .../bases/kuadrant.io_ratelimitpolicies.yaml | 10 - config/crd/bases/kuadrant.io_tlspolicies.yaml | 10 - controllers/authpolicy_controller.go | 4 - .../authpolicy_istio_authorizationpolicy.go | 2 +- controllers/dnspolicy_controller.go | 6 - .../httprouteparentrefs_eventmapper.go | 8 +- controllers/ratelimitpolicy_controller.go | 4 - controllers/target_status_controller.go | 2 +- controllers/tlspolicy_controller.go | 8 +- controllers/tlspolicy_status_test.go | 2 +- doc/reference/authpolicy.md | 2 +- doc/reference/dnspolicy.md | 2 +- doc/reference/ratelimitpolicy.md | 2 +- doc/reference/tlspolicy.md | 2 +- pkg/library/gatewayapi/helper_test.go | 27 ++- pkg/library/gatewayapi/topology.go | 9 +- pkg/library/gatewayapi/types.go | 2 +- pkg/library/gatewayapi/types_test.go | 8 +- pkg/library/gatewayapi/utils.go | 4 +- .../apimachinery_status_conditions_test.go | 4 +- pkg/library/kuadrant/errors.go | 4 +- pkg/library/kuadrant/errors_test.go | 2 +- pkg/library/kuadrant/kuadrant.go | 4 +- pkg/library/kuadrant/kuadrant_test.go | 13 +- pkg/library/kuadrant/test_utils.go | 4 +- 
pkg/library/mappers/gateway_test.go | 2 +- pkg/library/mappers/httproute_test.go | 2 +- pkg/library/mappers/policy_to_gateway.go | 8 +- pkg/library/reconcilers/fetcher.go | 6 +- pkg/library/reconcilers/fetcher_test.go | 7 +- .../authpolicy/authpolicy_controller_test.go | 37 +--- .../ratelimitpolicy_controller_test.go | 23 +-- .../target_status_controller_test.go | 67 +++---- ...icy_controller_authorizationpolicy_test.go | 11 +- ...dor_cluster_envoyfilter_controller_test.go | 2 +- ...miting_istio_wasmplugin_controller_test.go | 35 ++-- 53 files changed, 510 insertions(+), 448 deletions(-) diff --git a/api/v1alpha1/dnspolicy_types.go b/api/v1alpha1/dnspolicy_types.go index dfeb07213..98b1ac02e 100644 --- a/api/v1alpha1/dnspolicy_types.go +++ b/api/v1alpha1/dnspolicy_types.go @@ -18,7 +18,6 @@ package v1alpha1 import ( "context" - "fmt" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" @@ -53,7 +52,7 @@ type DNSPolicySpec struct { // TargetRef identifies an API object to apply policy to. // +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'" // +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'Gateway'" - TargetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference `json:"targetRef"` + TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"` // +optional HealthCheck *v1alpha1.HealthCheckSpec `json:"healthCheck,omitempty"` @@ -173,7 +172,7 @@ func (p *DNSPolicy) GetRulesHostnames() []string { return make([]string, 0) } -func (p *DNSPolicy) GetTargetRef() gatewayapiv1alpha2.NamespacedPolicyTargetReference { +func (p *DNSPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference { return p.Spec.TargetRef } 
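Review bot: The comment on `TargetRef` in `DNSPolicySpec` does not say that the referent is always in the policy's own namespace, and after this change (no `namespace` field, `Validate()` removed later in the file) that rule is stated nowhere on the type. I would extend it to `// TargetRef identifies an API object to apply policy to. The referent is always resolved in the policy's own namespace.` so the boundary also shows up in the CRD description. It is worth confirming what happens to a stored or re-applied manifest that still carries `targetRef.namespace`: if the field is pruned rather than rejected, a reference that `Validate()` used to refuse would presumably attach to a same-named Gateway in the policy's namespace. The same comment and check apply to the `TargetRef` hunks in `TLSPolicySpec`, `AuthPolicySpec` and `RateLimitPolicySpec`; the struct definitions start and end outside these hunks.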
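Review bot: `GetTargetRef` on `*DNSPolicy` is exported without a doc comment, and its return type no longer carries a namespace, so a caller that used to read `.Namespace` from the result now has to take it from the policy object. A comment such as `// GetTargetRef returns the policy's target reference; it has no namespace, so resolve the referent in p.GetNamespace().` would make that contract explicit. The same one-line comment fits the `GetTargetRef` methods changed in `tlspolicy_types.go`, `authpolicy_types.go` and `ratelimitpolicy_types.go`. The hunk opens inside `GetRulesHostnames`, whose body begins outside the hunk.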
@@ -214,16 +213,6 @@ func (p *DNSPolicy) DirectReferenceAnnotationName() string { return DNSPolicyDirectReferenceAnnotationName } -// Validate ensures the resource is valid. Compatible with the validating interface -// used by webhooks -func (p *DNSPolicy) Validate() error { - if p.Spec.TargetRef.Namespace != nil && string(*p.Spec.TargetRef.Namespace) != p.Namespace { - return fmt.Errorf("invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", *p.Spec.TargetRef.Namespace) - } - - return nil -} - //+kubebuilder:object:root=true // DNSPolicyList contains a list of DNSPolicy @@ -259,7 +248,7 @@ func NewDNSPolicy(name, ns string) *DNSPolicy { } } -func (p *DNSPolicy) WithTargetRef(targetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference) *DNSPolicy { +func (p *DNSPolicy) WithTargetRef(targetRef gatewayapiv1alpha2.LocalPolicyTargetReference) *DNSPolicy { p.Spec.TargetRef = targetRef return p } @@ -282,12 +271,10 @@ func (p *DNSPolicy) WithRoutingStrategy(strategy RoutingStrategy) *DNSPolicy { //TargetRef func (p *DNSPolicy) WithTargetGateway(gwName string) *DNSPolicy { - typedNamespace := gatewayapiv1.Namespace(p.GetNamespace()) - return p.WithTargetRef(gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "Gateway", - Name: gatewayapiv1.ObjectName(gwName), - Namespace: &typedNamespace, + return p.WithTargetRef(gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "Gateway", + Name: gatewayapiv1.ObjectName(gwName), }) } diff --git a/api/v1alpha1/tlspolicy_types.go b/api/v1alpha1/tlspolicy_types.go index 4f85151cf..d79d0c3d8 100644 --- a/api/v1alpha1/tlspolicy_types.go +++ b/api/v1alpha1/tlspolicy_types.go @@ -18,7 +18,6 @@ package v1alpha1 import ( "context" - "fmt" certmanv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" certmanmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" 
@@ -42,7 +41,7 @@ type TLSPolicySpec struct { // TargetRef identifies an API object to apply policy to. // +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'" // +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'Gateway'" - TargetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference `json:"targetRef"` + TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"` CertificateSpec `json:",inline"` } @@ -179,7 +178,7 @@ func (p *TLSPolicy) GetRulesHostnames() []string { return make([]string, 0) } -func (p *TLSPolicy) GetTargetRef() gatewayapiv1alpha2.NamespacedPolicyTargetReference { +func (p *TLSPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference { return p.Spec.TargetRef } @@ -195,14 +194,6 @@ func (p *TLSPolicy) DirectReferenceAnnotationName() string { return TLSPolicyDirectReferenceAnnotationName } -func (p *TLSPolicy) Validate() error { - if p.Spec.TargetRef.Namespace != nil && string(*p.Spec.TargetRef.Namespace) != p.Namespace { - return fmt.Errorf("invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", *p.Spec.TargetRef.Namespace) - } - - return nil -} - //+kubebuilder:object:root=true // TLSPolicyList contains a list of TLSPolicy 
@@ -239,12 +230,10 @@ func NewTLSPolicy(policyName, ns string) *TLSPolicy { } func (p *TLSPolicy) WithTargetGateway(gwName string) *TLSPolicy { - typedNamespace := gatewayapiv1.Namespace(p.GetNamespace()) - p.Spec.TargetRef = gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "Gateway", - Name: gatewayapiv1.ObjectName(gwName), - Namespace: &typedNamespace, + p.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "Gateway", + Name: gatewayapiv1.ObjectName(gwName), } return p } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 4d26d5c5a..49c970a98 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -150,7 +150,7 @@ func (in *DNSPolicyList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DNSPolicySpec) DeepCopyInto(out *DNSPolicySpec) { *out = *in - in.TargetRef.DeepCopyInto(&out.TargetRef) + out.TargetRef = in.TargetRef if in.HealthCheck != nil { in, out := &in.HealthCheck, &out.HealthCheck *out = new(apiv1alpha1.HealthCheckSpec) @@ -338,7 +338,7 @@ func (in *TLSPolicyList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSPolicySpec) DeepCopyInto(out *TLSPolicySpec) { *out = *in - in.TargetRef.DeepCopyInto(&out.TargetRef) + out.TargetRef = in.TargetRef in.CertificateSpec.DeepCopyInto(&out.CertificateSpec) } diff --git a/api/v1beta2/authpolicy_types.go b/api/v1beta2/authpolicy_types.go index d51572255..0ba0c8338 100644 --- a/api/v1beta2/authpolicy_types.go +++ b/api/v1beta2/authpolicy_types.go @@ -2,7 +2,6 @@ package v1beta2 import ( "context" - "fmt" "github.com/go-logr/logr" "github.com/google/go-cmp/cmp" 
@@ -163,7 +162,7 @@ type AuthPolicySpec struct { // TargetRef identifies an API object to apply policy to. // +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'" // +kubebuilder:validation:XValidation:rule="self.kind == 'HTTPRoute' || self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'" - TargetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference `json:"targetRef"` + TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"` // Defaults define explicit default values for this policy and for policies inheriting this policy. // Defaults are mutually exclusive with implicit defaults defined by AuthPolicyCommonSpec. @@ -273,15 +272,7 @@ func (ap *AuthPolicy) IsAtomicOverride() bool { return ap.Spec.Overrides != nil } -func (ap *AuthPolicy) Validate() error { - if ap.Spec.TargetRef.Namespace != nil && string(*ap.Spec.TargetRef.Namespace) != ap.Namespace { - return fmt.Errorf("invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", *ap.Spec.TargetRef.Namespace) - } - - return nil -} - -func (ap *AuthPolicy) GetTargetRef() gatewayapiv1alpha2.NamespacedPolicyTargetReference { +func (ap *AuthPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference { return ap.Spec.TargetRef } diff --git a/api/v1beta2/authpolicy_types_test.go b/api/v1beta2/authpolicy_types_test.go index fdc7fea7d..2bc108f51 100644 --- a/api/v1beta2/authpolicy_types_test.go +++ b/api/v1beta2/authpolicy_types_test.go @@ -6,7 +6,6 @@ import ( "reflect" "testing" - authorinoapi "github.com/kuadrant/authorino/api/v1beta2" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" 
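Review bot: Dropping `AuthPolicy.Validate()` in the `@@ -273,15 +272,7 @@` hunk leaves the same-namespace restriction enforced only by the reference type having no namespace field, and the unit test that covered the rejection is deleted in `authpolicy_types_test.go` with no replacement visible in this part of the patch. For an authorization policy that boundary deserves a regression test, for example an integration case that applies an AuthPolicy whose `targetRef` includes `namespace` and asserts the outcome. The integration tests touched by this commit are not visible here, so this may already be covered. The same holds for the `Validate()` removals in the DNSPolicy, TLSPolicy and RateLimitPolicy files.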
@@ -71,7 +70,7 @@ func TestAuthPolicyGetRulesHostnames(t *testing.T) { Namespace: "my-namespace", }, Spec: AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: "my-route", 
@@ -213,72 +212,6 @@ func TestAuthPolicyGetRulesHostnames(t *testing.T) { } } -func TestAuthPolicyValidate(t *testing.T) { - testCases := []struct { - name string - policy *AuthPolicy - valid bool - message string - }{ - { - name: "invalid targetRef namespace", - policy: &AuthPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "my-policy", - Namespace: "my-namespace", - }, - Spec: AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "HTTPRoute", - Name: "my-route", - Namespace: ptr.To(gatewayapiv1.Namespace("other-namespace")), - }, - AuthPolicyCommonSpec: AuthPolicyCommonSpec{ - AuthScheme: &AuthSchemeSpec{ - Authentication: map[string]AuthenticationSpec{ - "my-rule": { - AuthenticationSpec: authorinoapi.AuthenticationSpec{ - AuthenticationMethodSpec: authorinoapi.AuthenticationMethodSpec{ - AnonymousAccess: &authorinoapi.AnonymousAccessSpec{}, - }, - }, - CommonAuthRuleSpec: CommonAuthRuleSpec{ - RouteSelectors: []RouteSelector{ - { - Hostnames: []gatewayapiv1.Hostname{"*.foo.io"}, - Matches: []gatewayapiv1.HTTPRouteMatch{ - { - Path: &gatewayapiv1.HTTPPathMatch{ - Value: ptr.To("/foo"), - }, - }, - }, - }, - }, - }, - }, - }, - }, - }, - }, - }, - message: "invalid targetRef.Namespace other-namespace. Currently only supporting references to the same namespace", - }, - } - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - result := tc.policy.Validate() - if tc.valid && result != nil { - t.Errorf("Expected policy to be valid, got %t", result) - } - if !tc.valid && result == nil { - t.Error("Expected policy to be invalid, got no validation error") - } - }) - } -} - func testBuildRouteSelector() RouteSelector { return RouteSelector{ Hostnames: []gatewayapiv1.Hostname{"toystore.kuadrant.io"}, diff --git a/api/v1beta2/ratelimitpolicy_types.go b/api/v1beta2/ratelimitpolicy_types.go index 34f7ec4df..7443a78c2 100644 --- a/api/v1beta2/ratelimitpolicy_types.go 
+++ b/api/v1beta2/ratelimitpolicy_types.go @@ -132,7 +132,7 @@ type RateLimitPolicySpec struct { // TargetRef identifies an API object to apply policy to. // +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'" // +kubebuilder:validation:XValidation:rule="self.kind == 'HTTPRoute' || self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'" - TargetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference `json:"targetRef"` + TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"` // Defaults define explicit default values for this policy and for policies inheriting this policy. // Defaults are mutually exclusive with implicit defaults defined by RateLimitPolicyCommonSpec. @@ -226,14 +226,6 @@ type RateLimitPolicy struct { var _ kuadrantgatewayapi.Policy = &RateLimitPolicy{} -func (r *RateLimitPolicy) Validate() error { - if r.Spec.TargetRef.Namespace != nil && string(*r.Spec.TargetRef.Namespace) != r.Namespace { - return fmt.Errorf("invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", *r.Spec.TargetRef.Namespace) - } - - return nil -} - func (r *RateLimitPolicy) GetObservedGeneration() int64 { return r.Status.GetObservedGeneration() } func (r *RateLimitPolicy) SetObservedGeneration(o int64) { r.Status.SetObservedGeneration(o) } @@ -252,7 +244,7 @@ func (l *RateLimitPolicyList) GetItems() []kuadrant.Policy { }) } -func (r *RateLimitPolicy) GetTargetRef() gatewayapiv1alpha2.NamespacedPolicyTargetReference { +func (r *RateLimitPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference { return r.Spec.TargetRef } diff --git a/api/v1beta2/ratelimitpolicy_types_test.go b/api/v1beta2/ratelimitpolicy_types_test.go index 90c6718bd..73605e161 100644 --- a/api/v1beta2/ratelimitpolicy_types_test.go 
+++ b/api/v1beta2/ratelimitpolicy_types_test.go @@ -3,7 +3,6 @@ package v1beta2 import ( - "strings" "testing" "gotest.tools/assert" @@ -25,7 +24,7 @@ func testBuildBasicRLP(name string, kind gatewayapiv1.Kind, mutateFn func(*RateL Namespace: "testNS", }, Spec: RateLimitPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: kind, Name: "some-name", @@ -44,26 +43,6 @@ func testBuildBasicHTTPRouteRLP(name string, mutateFn func(*RateLimitPolicy)) *R return testBuildBasicRLP(name, "HTTPRoute", mutateFn) } -// TestRateLimitPolicyValidation calls rlp.Validate() -// for a valid return value. -func TestRateLimitPolicyValidation(t *testing.T) { - name := "httproute-a" - - t.Run("Invalid - Different namespace", func(subT *testing.T) { - rlp := testBuildBasicHTTPRouteRLP(name, func(policy *RateLimitPolicy) { - otherNS := gatewayapiv1.Namespace(policy.GetNamespace() + "other") - policy.Spec.TargetRef.Namespace = &otherNS - }) - err := rlp.Validate() - if err == nil { - subT.Fatal(`rlp.Validate() did not return error and should`) - } - if !strings.Contains(err.Error(), "invalid targetRef.Namespace") { - subT.Fatalf(`rlp.Validate() did not return expected error. Instead: %v`, err) - } - }) -} - func TestRateLimitPolicyListGetItems(t *testing.T) { list := &RateLimitPolicyList{} if len(list.GetItems()) != 0 { diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go index 754c8b45a..3ca4e42ef 100644 --- a/api/v1beta2/zz_generated.deepcopy.go +++ b/api/v1beta2/zz_generated.deepcopy.go 
@@ -139,7 +139,7 @@ func (in *AuthPolicyList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthPolicySpec) DeepCopyInto(out *AuthPolicySpec) { *out = *in - in.TargetRef.DeepCopyInto(&out.TargetRef) + out.TargetRef = in.TargetRef if in.Defaults != nil { in, out := &in.Defaults, &out.Defaults *out = new(AuthPolicyCommonSpec) @@ -475,7 +475,7 @@ func (in *RateLimitPolicyList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RateLimitPolicySpec) DeepCopyInto(out *RateLimitPolicySpec) { *out = *in - in.TargetRef.DeepCopyInto(&out.TargetRef) + out.TargetRef = in.TargetRef if in.Defaults != nil { in, out := &in.Defaults, &out.Defaults *out = new(RateLimitPolicyCommonSpec) diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml index 7ec101439..c4b8eae8d 100644 --- a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml +++ b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml @@ -106,7 +106,7 @@ metadata: capabilities: Basic Install categories: Integration & Delivery containerImage: quay.io/kuadrant/kuadrant-operator:latest - createdAt: "2024-07-10T15:04:27Z" + createdAt: "2024-07-24T10:00:34Z" operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/Kuadrant/kuadrant-operator diff --git a/bundle/manifests/kuadrant.io_authpolicies.yaml b/bundle/manifests/kuadrant.io_authpolicies.yaml index 8b449f832..c99d08338 100644 --- a/bundle/manifests/kuadrant.io_authpolicies.yaml +++ b/bundle/manifests/kuadrant.io_authpolicies.yaml 
@@ -456,11 +456,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -1046,11 +1048,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -4758,11 +4762,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -5348,11 +5354,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -9052,11 +9060,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -9639,11 +9649,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -12917,16 +12929,6 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string required: - group - kind diff --git a/bundle/manifests/kuadrant.io_dnspolicies.yaml b/bundle/manifests/kuadrant.io_dnspolicies.yaml index 920954751..e0551e322 100644 
--- a/bundle/manifests/kuadrant.io_dnspolicies.yaml +++ b/bundle/manifests/kuadrant.io_dnspolicies.yaml @@ -156,11 +156,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -227,16 +229,6 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string required: - group - kind diff --git a/bundle/manifests/kuadrant.io_kuadrants.yaml b/bundle/manifests/kuadrant.io_kuadrants.yaml index e5fae6bb4..5cb5fd370 100644 --- a/bundle/manifests/kuadrant.io_kuadrants.yaml +++ b/bundle/manifests/kuadrant.io_kuadrants.yaml @@ -106,11 +106,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: A list of node selector requirements by node's fields. @@ -138,11 +140,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic weight: @@ -155,6 +159,7 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: |- If the affinity requirements specified by this field are not met at @@ -199,11 +204,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: A list of node selector requirements by node's fields. 
@@ -231,14 +238,17 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object @@ -270,8 +280,9 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list @@ -300,11 +311,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -315,6 +328,36 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. 
@@ -350,11 +393,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -374,6 +419,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching @@ -396,6 +442,7 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: |- If the affinity requirements specified by this field are not met at @@ -415,8 +462,9 @@ spec: a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label @@ -445,11 +493,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -460,6 +510,36 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. 
@@ -495,11 +575,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -519,6 +601,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching @@ -531,6 +614,7 @@ spec: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object podAntiAffinity: description: Describes pod anti-affinity scheduling rules @@ -558,8 +642,9 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list @@ -588,11 +673,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -603,6 +690,36 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. 
@@ -638,11 +755,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -662,6 +781,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching @@ -684,6 +804,7 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: |- If the anti-affinity requirements specified by this field are not met at @@ -703,8 +824,9 @@ spec: a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label @@ -733,11 +855,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -748,6 +872,36 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. 
@@ -783,11 +937,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -807,6 +963,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching @@ -819,6 +976,7 @@ spec: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object type: object pdb: diff --git a/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml b/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml index 76884d89f..dfa90662a 100644 --- a/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml +++ b/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml @@ -1260,16 +1260,6 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string required: - group - kind diff --git a/bundle/manifests/kuadrant.io_tlspolicies.yaml b/bundle/manifests/kuadrant.io_tlspolicies.yaml index 6121cf16c..7635d670a 100644 --- a/bundle/manifests/kuadrant.io_tlspolicies.yaml +++ b/bundle/manifests/kuadrant.io_tlspolicies.yaml 
@@ -195,16 +195,6 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string required: - group - kind diff --git a/config/crd/bases/kuadrant.io_authpolicies.yaml b/config/crd/bases/kuadrant.io_authpolicies.yaml index fc4dd9104..bec979ade 100644 --- a/config/crd/bases/kuadrant.io_authpolicies.yaml +++ b/config/crd/bases/kuadrant.io_authpolicies.yaml @@ -455,11 +455,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -1045,11 +1047,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -4757,11 +4761,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -5347,11 +5353,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -9051,11 +9059,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -9638,11 +9648,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -12916,16 +12928,6 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string required: - group - kind diff --git a/config/crd/bases/kuadrant.io_dnspolicies.yaml b/config/crd/bases/kuadrant.io_dnspolicies.yaml index d1b90a10f..5da7009e2 100644 --- a/config/crd/bases/kuadrant.io_dnspolicies.yaml +++ b/config/crd/bases/kuadrant.io_dnspolicies.yaml @@ -155,11 +155,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -226,16 +228,6 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string required: - group - kind diff --git a/config/crd/bases/kuadrant.io_kuadrants.yaml b/config/crd/bases/kuadrant.io_kuadrants.yaml index 44c899c15..3a8aa044b 100644 --- a/config/crd/bases/kuadrant.io_kuadrants.yaml +++ b/config/crd/bases/kuadrant.io_kuadrants.yaml 
@@ -104,11 +104,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: A list of node selector requirements by node's fields. @@ -136,11 +138,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic weight: @@ -153,6 +157,7 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: |- If the affinity requirements specified by this field are not met at @@ -197,11 +202,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: A list of node selector requirements by node's fields. @@ -229,14 +236,17 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object @@ -268,8 +278,9 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list @@ -298,11 +309,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -313,6 +326,36 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. 
@@ -348,11 +391,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -372,6 +417,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching @@ -394,6 +440,7 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: |- If the affinity requirements specified by this field are not met at @@ -413,8 +460,9 @@ spec: a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label @@ -443,11 +491,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -458,6 +508,36 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. 
@@ -493,11 +573,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -517,6 +599,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching @@ -529,6 +612,7 @@ spec: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object podAntiAffinity: description: Describes pod anti-affinity scheduling rules @@ -556,8 +640,9 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list @@ -586,11 +671,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -601,6 +688,36 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. 
@@ -636,11 +753,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -660,6 +779,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching @@ -682,6 +802,7 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: |- If the anti-affinity requirements specified by this field are not met at @@ -701,8 +822,9 @@ spec: a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label @@ -731,11 +853,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -746,6 +870,36 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. 
@@ -781,11 +935,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -805,6 +961,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching @@ -817,6 +974,7 @@ spec: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object type: object pdb: diff --git a/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml b/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml index 95cebf811..35a23e824 100644 --- a/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml +++ b/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml @@ -1259,16 +1259,6 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string required: - group - kind diff --git a/config/crd/bases/kuadrant.io_tlspolicies.yaml b/config/crd/bases/kuadrant.io_tlspolicies.yaml index f49c41b8e..a26086554 100644 --- a/config/crd/bases/kuadrant.io_tlspolicies.yaml +++ b/config/crd/bases/kuadrant.io_tlspolicies.yaml 
@@ -194,16 +194,6 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string required: - group - kind diff --git a/controllers/authpolicy_controller.go b/controllers/authpolicy_controller.go index f1f48b4f7..98947593e 100644 --- a/controllers/authpolicy_controller.go +++ b/controllers/authpolicy_controller.go @@ -139,10 +139,6 @@ func (r *AuthPolicyReconciler) Reconcile(eventCtx context.Context, req ctrl.Requ // validate performs validation before proceeding with the reconcile loop, returning a common.ErrInvalid on any failing validation func (r *AuthPolicyReconciler) validate(ap *api.AuthPolicy, targetNetworkObject client.Object) error { - if err := ap.Validate(); err != nil { - return kuadrant.NewErrInvalid(ap.Kind(), err) - } - if err := kuadrant.ValidateHierarchicalRules(ap, targetNetworkObject); err != nil { return kuadrant.NewErrInvalid(ap.Kind(), err) } diff --git a/controllers/authpolicy_istio_authorizationpolicy.go b/controllers/authpolicy_istio_authorizationpolicy.go index a713e171c..14ff12b16 100644 --- a/controllers/authpolicy_istio_authorizationpolicy.go +++ b/controllers/authpolicy_istio_authorizationpolicy.go 
@@ -170,7 +170,7 @@ func (r *AuthPolicyReconciler) istioAuthorizationPolicy(ctx context.Context, ap } // IstioAuthorizationPolicyName generates the name of an AuthorizationPolicy. -func IstioAuthorizationPolicyName(gwName string, targetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference) string { +func IstioAuthorizationPolicyName(gwName string, targetRef gatewayapiv1alpha2.LocalPolicyTargetReference) string { switch targetRef.Kind { case "Gateway": return fmt.Sprintf("on-%s", gwName) // Without this, IAP will be named: on--using-; diff --git a/controllers/dnspolicy_controller.go b/controllers/dnspolicy_controller.go index d4712c335..5f07f96fb 100644 --- a/controllers/dnspolicy_controller.go +++ b/controllers/dnspolicy_controller.go @@ -129,12 +129,6 @@ func (r *DNSPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) ( } func (r *DNSPolicyReconciler) reconcileResources(ctx context.Context, dnsPolicy *v1alpha1.DNSPolicy, targetNetworkObject client.Object) error { - // validate - err := dnsPolicy.Validate() - if err != nil { - return err - } - // reconcile based on gateway diffs gatewayDiffObj, err := reconcilers.ComputeGatewayDiffs(ctx, r.Client(), dnsPolicy, targetNetworkObject) if err != nil { diff --git a/controllers/httprouteparentrefs_eventmapper.go b/controllers/httprouteparentrefs_eventmapper.go index d533ea6ce..410b43882 100644 --- a/controllers/httprouteparentrefs_eventmapper.go +++ b/controllers/httprouteparentrefs_eventmapper.go @@ -5,6 +5,7 @@ import ( "fmt" "github.com/go-logr/logr" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/reconcile" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" 
@@ -69,11 +70,8 @@ func (m *HTTPRouteParentRefsEventMapper) mapToPolicyRequest(obj client.Object, p if !kuadrantgatewayapi.IsTargetRefGateway(targetRef) { continue } - targetRefNamespace := targetRef.Namespace - if targetRefNamespace == nil { - ns := gatewayapiv1.Namespace(policy.GetNamespace()) - targetRefNamespace = &ns - } + targetRefNamespace := ptr.To(policy.GetWrappedNamespace()) + if *parentRefNamespace == *targetRefNamespace && parentRef.Name == targetRef.Name { obj, _ := policy.(client.Object) requests = append(requests, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(obj)}) diff --git a/controllers/ratelimitpolicy_controller.go b/controllers/ratelimitpolicy_controller.go index 1cbd2efea..44dd477c6 100644 --- a/controllers/ratelimitpolicy_controller.go +++ b/controllers/ratelimitpolicy_controller.go @@ -154,10 +154,6 @@ func (r *RateLimitPolicyReconciler) Reconcile(eventCtx context.Context, req ctrl // validate performs validation before proceeding with the reconcile loop, returning a common.ErrInvalid on failing validation func (r *RateLimitPolicyReconciler) validate(rlp *kuadrantv1beta2.RateLimitPolicy, targetNetworkObject client.Object) error { - if err := rlp.Validate(); err != nil { - return kuadrant.NewErrInvalid(rlp.Kind(), err) - } - if err := kuadrant.ValidateHierarchicalRules(rlp, targetNetworkObject); err != nil { return kuadrant.NewErrInvalid(rlp.Kind(), err) } diff --git a/controllers/target_status_controller.go b/controllers/target_status_controller.go index 03ffbb44d..4e65693c9 100644 --- a/controllers/target_status_controller.go +++ b/controllers/target_status_controller.go 
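Review bot: In mapToPolicyRequest, `targetRefNamespace := ptr.To(policy.GetWrappedNamespace())` takes a pointer only so that the next statement can dereference it again. Comparing the value directly is plainer: `policyNamespace := policy.GetWrappedNamespace()` followed by `if *parentRefNamespace == policyNamespace && parentRef.Name == targetRef.Name {`. If nothing else in the file uses it, the `k8s.io/utils/ptr` import added in this file's first hunk could then be dropped. A one-line comment such as `// targetRef is a LocalPolicyTargetReference, so the target Gateway is always looked up in the policy's own namespace` would record why the reference's namespace is no longer read. The function and its loop start outside the hunk, so this is based on the visible lines only.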
@@ -427,5 +427,5 @@ func PolicyAffectedConditionType(policyKind string) string { func targetRefKey(policy kuadrantgatewayapi.Policy) string { targetRef := policy.GetTargetRef() - return fmt.Sprintf("%s.%s/%s/%s", targetRef.Group, targetRef.Kind, ptr.Deref(targetRef.Namespace, gatewayapiv1.Namespace(policy.GetNamespace())), targetRef.Name) + return fmt.Sprintf("%s.%s/%s/%s", targetRef.Group, targetRef.Kind, gatewayapiv1.Namespace(policy.GetNamespace()), targetRef.Name) } diff --git a/controllers/tlspolicy_controller.go b/controllers/tlspolicy_controller.go index d310e7252..d43328b01 100644 --- a/controllers/tlspolicy_controller.go +++ b/controllers/tlspolicy_controller.go @@ -135,13 +135,7 @@ func (r *TLSPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) ( } func (r *TLSPolicyReconciler) reconcileResources(ctx context.Context, tlsPolicy *v1alpha1.TLSPolicy, targetNetworkObject client.Object) error { - // validate - err := tlsPolicy.Validate() - if err != nil { - return err - } - - err = validateIssuer(ctx, r.Client(), tlsPolicy) + err := validateIssuer(ctx, r.Client(), tlsPolicy) if err != nil { return err } diff --git a/controllers/tlspolicy_status_test.go b/controllers/tlspolicy_status_test.go index 717132e02..3e11ea699 100644 --- a/controllers/tlspolicy_status_test.go +++ b/controllers/tlspolicy_status_test.go @@ -55,7 +55,7 @@ func TestTLSPolicyReconciler_enforcedCondition(t *testing.T) { Name: issuerName, }, }, - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Name: gwName, }, }, diff --git a/doc/reference/authpolicy.md b/doc/reference/authpolicy.md index 3717c3afb..4006617a2 100644 --- a/doc/reference/authpolicy.md +++ b/doc/reference/authpolicy.md 
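Review bot: In targetRefKey the namespace argument `gatewayapiv1.Namespace(policy.GetNamespace())` is converted to a named string type only to be formatted with `%s`, so the conversion adds nothing now that the `ptr.Deref` fallback is gone. The line can read `return fmt.Sprintf("%s.%s/%s/%s", targetRef.Group, targetRef.Kind, policy.GetNamespace(), targetRef.Name)`, or use `policy.GetWrappedNamespace()` to match the event mapper change in this commit. A short doc comment, for example `// targetRefKey identifies a policy's target as group.kind/namespace/name, using the policy's own namespace because target references are local`, would make the key format explicit.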
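Review bot: With `tlsPolicy.Validate()` removed, reconcileResources in tlspolicy_controller.go begins directly at `validateIssuer`, and nothing in the hunk says where the checks from Validate() are enforced now. The same call is dropped from AuthPolicyReconciler.validate, DNSPolicyReconciler.reconcileResources and RateLimitPolicyReconciler.validate in earlier hunks. The body of Validate() is not visible here; it is presumably limited to the targetRef namespace rule that LocalPolicyTargetReference makes unnecessary, but that should be confirmed against the API types before relying on admission-time validation alone. Policies stored before the upgrade with `targetRef.namespace` set deserve a check as well, since the CRD hunks remove that field and the controllers now always resolve the target in the policy's own namespace. A comment above the call, for instance `// targetRef shape is enforced by the CRD schema; only the issuer needs a runtime check`, would document the decision; the function continues past the end of the hunk.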
@@ -27,7 +27,7 @@ | **Field** | **Type** | **Required** | **Description** | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `targetRef` | [NamespacedPolicyTargetReference](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.NamespacedPolicyTargetReference) | Yes | Reference to a Kubernetes resource that the policy attaches to | +| `targetRef` | [LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference) | Yes | Reference to a Kubernetes resource that the policy attaches to | | `rules` | [AuthScheme](#authscheme) | No | Implicit default authentication/authorization rules | | `routeSelectors` | [][RouteSelector](route-selectors.md#routeselector) | No | List of implicit default selectors of HTTPRouteRules whose matching rules activate the policy. At least one HTTPRouteRule must be selected to activate the policy. If omitted, all HTTPRouteRules of the targeted HTTPRoute activate the policy. Do not use it in policies targeting a Gateway. | | `patterns` | Map | No | Implicit default named patterns of lists of `selector`, `operator` and `value` tuples, to be reused in `when` conditions and pattern-matching authorization rules. | diff --git a/doc/reference/dnspolicy.md b/doc/reference/dnspolicy.md index b6d4cb16a..f778bd28f 100644 --- a/doc/reference/dnspolicy.md +++ b/doc/reference/dnspolicy.md 
@@ -21,7 +21,7 @@ | **Field** | **Type** | **Required** | **Description** | |-------------------|-----------------------------------------------------------------------------------------------------------------------------------|:----------------------:|---------------------------------------------------------------------------| -| `targetRef` | [Gateway API NamespacedPolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713) | Yes | Reference to a Kubernetes resource that the policy attaches to | +| `targetRef` | [Gateway API LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference) | Yes | Reference to a Kubernetes resource that the policy attaches to | | `healthCheck` | [HealthCheckSpec](#healthcheckspec) | No | HealthCheck spec | | `loadBalancing` | [LoadBalancingSpec](#loadbalancingspec) | Yes(loadbalanced only) | LoadBalancing Spec, required when routingStrategy is "loadbalanced" | | `routingStrategy` | String (immutable) | Yes | **Immutable!** Routing Strategy to use, one of "simple" or "loadbalanced" | diff --git a/doc/reference/ratelimitpolicy.md b/doc/reference/ratelimitpolicy.md index 0967ceb03..6a6c98744 100644 --- a/doc/reference/ratelimitpolicy.md +++ b/doc/reference/ratelimitpolicy.md 
@@ -20,7 +20,7 @@ | **Field** | **Type** | **Required** | **Description** | |-------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `targetRef` | [NamespacedPolicyTargetReference](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.NamespacedPolicyTargetReference) | Yes | Reference to a Kubernetes resource that the policy attaches to | +| `targetRef` | [LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference) | Yes | Reference to a Kubernetes resource that the policy attaches to | | `defaults` | [RateLimitPolicyCommonSpec](#rateLimitPolicyCommonSpec) | No | Default limit definitions. This field is mutually exclusive with the `limits` field | | `overrides` | [RateLimitPolicyCommonSpec](#rateLimitPolicyCommonSpec) | No | Overrides limit definitions. This field is mutually exclusive with the `limits` field and `defaults` field. This field is only allowed for policies targeting `Gateway` in `targetRef.kind` | | `limits` | Map | No | Limit definitions. This field is mutually exclusive with the [`defaults`](#rateLimitPolicyCommonSpec) field | diff --git a/doc/reference/tlspolicy.md b/doc/reference/tlspolicy.md index ecde46f1c..6541a00e3 100644 --- a/doc/reference/tlspolicy.md +++ b/doc/reference/tlspolicy.md 
@@ -15,7 +15,7 @@ | **Field** | **Type** | **Required** | **Description** | |------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|:------------:|--------------------------------------------------------------------------------------------------------------------------------------------------| -| `targetRef` | [Gateway API NamespacedPolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713) | Yes | Reference to a Kuberentes resource that the policy attaches to | +| `targetRef` | [Gateway API LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference) | Yes | Reference to a Kuberentes resource that the policy attaches to | | `issuerRef` | [CertManager meta/v1.ObjectReference](https://cert-manager.io/v1.13-docs/reference/api-docs/#meta.cert-manager.io/v1.ObjectReference) | Yes | IssuerRef is a reference to the issuer for the created certificate | | `commonName` | String | No | CommonName is a common name to be used on the created certificate | | `duration` | [Kubernetes meta/v1.Duration](https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration) | No | The requested 'duration' (i.e. lifetime) of the created certificate. | diff --git a/pkg/library/gatewayapi/helper_test.go b/pkg/library/gatewayapi/helper_test.go index ef956953c..fdde24b1f 100644 --- a/pkg/library/gatewayapi/helper_test.go +++ b/pkg/library/gatewayapi/helper_test.go 
@@ -95,11 +95,10 @@ func testBasicGatewayPolicy(name, namespace string, gateway *gatewayapiv1.Gatewa Namespace: namespace, Name: name, }, - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.Group(gatewayapiv1.GroupName), - Kind: gatewayapiv1.Kind("Gateway"), - Namespace: ptr.To(gatewayapiv1.Namespace(gateway.Namespace)), - Name: gatewayapiv1.ObjectName(gateway.Name), + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.Group(gatewayapiv1.GroupName), + Kind: gatewayapiv1.Kind("Gateway"), + Name: gatewayapiv1.ObjectName(gateway.Name), }, } } @@ -114,11 +113,10 @@ func testBasicRoutePolicy(name, namespace string, route *gatewayapiv1.HTTPRoute) Namespace: namespace, Name: name, }, - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.Group(gatewayapiv1.GroupName), - Kind: gatewayapiv1.Kind("HTTPRoute"), - Namespace: ptr.To(gatewayapiv1.Namespace(route.Namespace)), - Name: gatewayapiv1.ObjectName(route.Name), + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.Group(gatewayapiv1.GroupName), + Kind: gatewayapiv1.Kind("HTTPRoute"), + Name: gatewayapiv1.ObjectName(route.Name), }, } } @@ -133,11 +131,10 @@ func testStandalonePolicy(name, namespace string) Policy { Namespace: namespace, Name: name, }, - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.Group(gatewayapiv1.GroupName), - Kind: gatewayapiv1.Kind("Gateway"), - Namespace: ptr.To(gatewayapiv1.Namespace("unknown")), - Name: gatewayapiv1.ObjectName("unknown"), + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.Group(gatewayapiv1.GroupName), + Kind: gatewayapiv1.Kind("Gateway"), + Name: gatewayapiv1.ObjectName("unknown"), }, } } diff --git a/pkg/library/gatewayapi/topology.go b/pkg/library/gatewayapi/topology.go index 4cd46b605..29422d87d 100644 --- a/pkg/library/gatewayapi/topology.go +++ b/pkg/library/gatewayapi/topology.go 
@@ -6,7 +6,6 @@ import ( "github.com/go-logr/logr" "k8s.io/apimachinery/pkg/api/meta" - "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -347,12 +346,12 @@ func buildDAGEdges(opts *topologyOptions, gateways []gatewayDAGNode, routes []ht group := p.GetTargetRef().Group kind := p.GetTargetRef().Kind name := p.GetTargetRef().Name - namespace := ptr.Deref(p.GetTargetRef().Namespace, gatewayapiv1.Namespace(p.GetNamespace())) + namespace := p.GetNamespace() return group == gatewayapiv1.GroupName && kind == "HTTPRoute" && name == gatewayapiv1.ObjectName(route.Name) && - namespace == gatewayapiv1.Namespace(route.Namespace) + namespace == route.Namespace }) for _, attachedPolicy := range attachedPolicies { @@ -366,12 +365,12 @@ func buildDAGEdges(opts *topologyOptions, gateways []gatewayDAGNode, routes []ht group := p.GetTargetRef().Group kind := p.GetTargetRef().Kind name := p.GetTargetRef().Name - namespace := ptr.Deref(p.GetTargetRef().Namespace, gatewayapiv1.Namespace(p.GetNamespace())) + namespace := p.GetNamespace() return group == gatewayapiv1.GroupName && kind == "Gateway" && name == gatewayapiv1.ObjectName(g.Name) && - namespace == gatewayapiv1.Namespace(g.Namespace) + namespace == g.Namespace }) for _, attachedPolicy := range attachedPolicies { diff --git a/pkg/library/gatewayapi/types.go b/pkg/library/gatewayapi/types.go index 358d405e1..dd4137692 100644 --- a/pkg/library/gatewayapi/types.go +++ b/pkg/library/gatewayapi/types.go @@ -20,7 +20,7 @@ const ( type Policy interface { client.Object PolicyClass() PolicyClass - GetTargetRef() gatewayapiv1alpha2.NamespacedPolicyTargetReference + GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference GetStatus() PolicyStatus List(context.Context, client.Client, string) []Policy Kind() string diff --git a/pkg/library/gatewayapi/types_test.go b/pkg/library/gatewayapi/types_test.go index a74aac4be..162c67ec1 100644 --- a/pkg/library/gatewayapi/types_test.go 
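Review bot: In both buildDAGEdges predicates the local `namespace := p.GetNamespace()` now holds the policy's own namespace, and nothing says that this equality is what confines a policy to targets in its own namespace. A why-comment above the comparison would keep a later edit from loosening it, e.g. `// LocalPolicyTargetReference has no namespace: a policy may only attach to a target in its own namespace.` The group and kind checks also repeat what IsTargetRefHTTPRoute and IsTargetRefGateway in utils.go (same directory) already do. The route predicate could read `ref := p.GetTargetRef()` followed by `return IsTargetRefHTTPRoute(ref) && ref.Name == gatewayapiv1.ObjectName(route.Name) && p.GetNamespace() == route.Namespace`, and likewise for the gateway one. buildDAGEdges starts and ends outside these hunks.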
+++ b/pkg/library/gatewayapi/types_test.go @@ -28,8 +28,8 @@ type TestPolicy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - TargetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference `json:"targetRef"` - Status FakePolicyStatus `json:"status"` + TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"` + Status FakePolicyStatus `json:"status"` } func (p *TestPolicy) Kind() string { @@ -52,7 +52,7 @@ func (p *TestPolicy) PolicyClass() PolicyClass { return DirectPolicy } -func (p *TestPolicy) GetTargetRef() gatewayapiv1alpha2.NamespacedPolicyTargetReference { +func (p *TestPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference { return p.TargetRef } @@ -291,7 +291,7 @@ func createTestPolicy(name string, creationTime time.Time, mutateFn ...func(p *T func withTargetRefKind(targetRefKind string) func(p *TestPolicy) { return func(p *TestPolicy) { - p.TargetRef = gatewayapiv1alpha2.NamespacedPolicyTargetReference{Kind: gatewayapiv1.Kind(targetRefKind)} + p.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReference{Kind: gatewayapiv1.Kind(targetRefKind)} } } diff --git a/pkg/library/gatewayapi/utils.go b/pkg/library/gatewayapi/utils.go index 537605614..c1fa51c62 100644 --- a/pkg/library/gatewayapi/utils.go +++ b/pkg/library/gatewayapi/utils.go @@ -20,11 +20,11 @@ import ( "github.com/kuadrant/kuadrant-operator/pkg/library/utils" ) -func IsTargetRefHTTPRoute(targetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference) bool { +func IsTargetRefHTTPRoute(targetRef gatewayapiv1alpha2.LocalPolicyTargetReference) bool { return targetRef.Group == (gatewayapiv1.GroupName) && targetRef.Kind == ("HTTPRoute") } -func IsTargetRefGateway(targetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference) bool { +func IsTargetRefGateway(targetRef gatewayapiv1alpha2.LocalPolicyTargetReference) bool { return targetRef.Group == (gatewayapiv1.GroupName) && targetRef.Kind == ("Gateway") } 
diff --git a/pkg/library/kuadrant/apimachinery_status_conditions_test.go b/pkg/library/kuadrant/apimachinery_status_conditions_test.go index cf906b24a..52fa41204 100644 --- a/pkg/library/kuadrant/apimachinery_status_conditions_test.go +++ b/pkg/library/kuadrant/apimachinery_status_conditions_test.go @@ -147,7 +147,7 @@ func TestAcceptedCondition(t *testing.T) { name: "target not found reason", args: args{ policy: &FakePolicy{}, - err: NewErrTargetNotFound("FakePolicy", gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + err: NewErrTargetNotFound("FakePolicy", gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: "my-target-ref", @@ -164,7 +164,7 @@ func TestAcceptedCondition(t *testing.T) { name: "target not found reason with err", args: args{ policy: &FakePolicy{}, - err: NewErrTargetNotFound("FakePolicy", gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + err: NewErrTargetNotFound("FakePolicy", gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: "my-target-ref", diff --git a/pkg/library/kuadrant/errors.go b/pkg/library/kuadrant/errors.go index 70695d96e..e3602f8a8 100644 --- a/pkg/library/kuadrant/errors.go +++ b/pkg/library/kuadrant/errors.go @@ -18,7 +18,7 @@ var _ PolicyError = ErrTargetNotFound{} type ErrTargetNotFound struct { Kind string - TargetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference + TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference Err error } @@ -34,7 +34,7 @@ func (e ErrTargetNotFound) Reason() gatewayapiv1alpha2.PolicyConditionReason { return gatewayapiv1alpha2.PolicyReasonTargetNotFound } -func NewErrTargetNotFound(kind string, targetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference, err error) ErrTargetNotFound { +func NewErrTargetNotFound(kind string, targetRef gatewayapiv1alpha2.LocalPolicyTargetReference, err error) ErrTargetNotFound { return ErrTargetNotFound{ Kind: kind, TargetRef: targetRef, 
diff --git a/pkg/library/kuadrant/errors_test.go b/pkg/library/kuadrant/errors_test.go index 44c5d6dab..88d019ac2 100644 --- a/pkg/library/kuadrant/errors_test.go +++ b/pkg/library/kuadrant/errors_test.go @@ -17,7 +17,7 @@ func TestIsTargetNotFound(t *testing.T) { }{ { name: "err is NewErrTargetNotFound", - err: NewErrTargetNotFound("foo", gatewayapiv1alpha2.NamespacedPolicyTargetReference{}, errors.New("bar")), + err: NewErrTargetNotFound("foo", gatewayapiv1alpha2.LocalPolicyTargetReference{}, errors.New("bar")), want: true, }, { diff --git a/pkg/library/kuadrant/kuadrant.go b/pkg/library/kuadrant/kuadrant.go index 5518ea94c..6d42c86ba 100644 --- a/pkg/library/kuadrant/kuadrant.go +++ b/pkg/library/kuadrant/kuadrant.go @@ -45,12 +45,12 @@ func IsKuadrantManaged(obj client.Object) bool { func GetKuadrantNamespaceFromPolicyTargetRef(ctx context.Context, cli client.Client, policy Policy) (string, error) { targetRef := policy.GetTargetRef() - gwNamespacedName := types.NamespacedName{Namespace: string(ptr.Deref(targetRef.Namespace, policy.GetWrappedNamespace())), Name: string(targetRef.Name)} + gwNamespacedName := types.NamespacedName{Namespace: policy.GetNamespace(), Name: string(targetRef.Name)} if kuadrantgatewayapi.IsTargetRefHTTPRoute(targetRef) { route := &gatewayapiv1.HTTPRoute{} if err := cli.Get( ctx, - types.NamespacedName{Namespace: string(ptr.Deref(targetRef.Namespace, policy.GetWrappedNamespace())), Name: string(targetRef.Name)}, + types.NamespacedName{Namespace: policy.GetNamespace(), Name: string(targetRef.Name)}, route, ); err != nil { return "", err diff --git a/pkg/library/kuadrant/kuadrant_test.go b/pkg/library/kuadrant/kuadrant_test.go index 6aa0ef4f0..2cea354b2 100644 --- a/pkg/library/kuadrant/kuadrant_test.go +++ b/pkg/library/kuadrant/kuadrant_test.go 
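Review bot: GetKuadrantNamespaceFromPolicyTargetRef now builds the same `types.NamespacedName{Namespace: policy.GetNamespace(), Name: string(targetRef.Name)}` twice, once as `gwNamespacedName` and again inline in the HTTPRoute `cli.Get`. With the namespace override gone the two can no longer differ, so one key such as `targetKey := types.NamespacedName{Namespace: policy.GetNamespace(), Name: string(targetRef.Name)}` passed to `cli.Get(ctx, targetKey, route)` would keep the same-namespace rule in a single place. The `Map` hunk in policy_to_gateway.go repeats the pattern across its Gateway and HTTPRoute branches. The function body continues past this hunk, so how `gwNamespacedName` is used afterwards is not visible here.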
@@ -725,11 +725,10 @@ func TestGetKuadrantNamespaceFromPolicyTargetRef(t *testing.T) { Namespace: "my-ns", }, }, - targetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "HTTPRoute", - Name: "my-httproute", - Namespace: ptr.To[gatewayapiv1.Namespace](gatewayapiv1.Namespace("my-ns")), + targetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "HTTPRoute", + Name: "my-httproute", }, }, "my-ns", @@ -768,7 +767,7 @@ func TestGetKuadrantNamespaceFromPolicyTargetRef(t *testing.T) { Namespace: "my-ns", }, }, - targetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + targetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: "my-httproute", @@ -809,7 +808,7 @@ func TestGetKuadrantNamespaceFromPolicyTargetRef(t *testing.T) { Namespace: "my-ns", }, }, - targetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + targetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: "my-httproute", diff --git a/pkg/library/kuadrant/test_utils.go b/pkg/library/kuadrant/test_utils.go index 3b178bf58..2b185a541 100644 --- a/pkg/library/kuadrant/test_utils.go +++ b/pkg/library/kuadrant/test_utils.go @@ -36,10 +36,10 @@ const ( type FakePolicy struct { client.Object Hosts []string - targetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference + targetRef gatewayapiv1alpha2.LocalPolicyTargetReference } -func (p *FakePolicy) GetTargetRef() gatewayapiv1alpha2.NamespacedPolicyTargetReference { +func (p *FakePolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference { return p.targetRef } diff --git a/pkg/library/mappers/gateway_test.go b/pkg/library/mappers/gateway_test.go index 48777bc33..ef564a9b3 100644 --- a/pkg/library/mappers/gateway_test.go +++ b/pkg/library/mappers/gateway_test.go 
@@ -39,7 +39,7 @@ func TestNewGatewayEventMapper(t *testing.T) { } spec := kuadrantv1beta2.AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: "gateway.networking.k8s.io", Kind: "Gateway", Name: "test-gw", diff --git a/pkg/library/mappers/httproute_test.go b/pkg/library/mappers/httproute_test.go index 7774cd4b5..0a38ac3ba 100644 --- a/pkg/library/mappers/httproute_test.go +++ b/pkg/library/mappers/httproute_test.go @@ -41,7 +41,7 @@ func TestNewHTTPRouteEventMapper(t *testing.T) { } spec := kuadrantv1beta2.AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: "gateway.networking.k8s.io", Kind: "HTTPRoute", Name: "test-route", diff --git a/pkg/library/mappers/policy_to_gateway.go b/pkg/library/mappers/policy_to_gateway.go index ba98adaa8..7814848f8 100644 --- a/pkg/library/mappers/policy_to_gateway.go +++ b/pkg/library/mappers/policy_to_gateway.go @@ -6,7 +6,6 @@ import ( apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/types" - "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/reconcile" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" 
@@ -35,17 +34,14 @@ func (k *PolicyToParentGatewaysEventMapper) Map(ctx context.Context, obj client. } if kuadrantgatewayapi.IsTargetRefGateway(policy.GetTargetRef()) { - namespace := string(ptr.Deref(policy.GetTargetRef().Namespace, gatewayapiv1.Namespace(policy.GetNamespace()))) - - nn := types.NamespacedName{Name: string(policy.GetTargetRef().Name), Namespace: namespace} + nn := types.NamespacedName{Name: string(policy.GetTargetRef().Name), Namespace: policy.GetNamespace()} logger.V(1).Info("map", " gateway", nn) return []reconcile.Request{{NamespacedName: nn}} } if kuadrantgatewayapi.IsTargetRefHTTPRoute(policy.GetTargetRef()) { - namespace := string(ptr.Deref(policy.GetTargetRef().Namespace, gatewayapiv1.Namespace(policy.GetNamespace()))) - routeKey := client.ObjectKey{Name: string(policy.GetTargetRef().Name), Namespace: namespace} + routeKey := client.ObjectKey{Name: string(policy.GetTargetRef().Name), Namespace: policy.GetNamespace()} route := &gatewayapiv1.HTTPRoute{} if err := k.opts.Client.Get(ctx, routeKey, route); err != nil { if apierrors.IsNotFound(err) { diff --git a/pkg/library/reconcilers/fetcher.go b/pkg/library/reconcilers/fetcher.go index a91c46bcb..dbf00c73b 100644 --- a/pkg/library/reconcilers/fetcher.go +++ b/pkg/library/reconcilers/fetcher.go 
@@ -13,12 +13,8 @@ import ( ) // FetchTargetRefObject fetches the target reference object and checks the status is valid -func FetchTargetRefObject(ctx context.Context, k8sClient client.Reader, targetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference, defaultNs string, fetchOnlyProgrammedGateways bool) (client.Object, error) { +func FetchTargetRefObject(ctx context.Context, k8sClient client.Reader, targetRef gatewayapiv1alpha2.LocalPolicyTargetReference, defaultNs string, fetchOnlyProgrammedGateways bool) (client.Object, error) { ns := defaultNs - if targetRef.Namespace != nil { - ns = string(*targetRef.Namespace) - } - objKey := client.ObjectKey{Name: string(targetRef.Name), Namespace: ns} switch targetRef.Kind { diff --git a/pkg/library/reconcilers/fetcher_test.go b/pkg/library/reconcilers/fetcher_test.go index 606e7309d..5a741ab65 100644 --- a/pkg/library/reconcilers/fetcher_test.go +++ b/pkg/library/reconcilers/fetcher_test.go @@ -41,13 +41,13 @@ func TestFetchTargetRefObject(t *testing.T) { t.Fatal(err) } - routeTargetRef := gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + routeTargetRef := gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: gatewayapiv1.ObjectName(routeName), } - gatewayTargetRef := gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + gatewayTargetRef := gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "Gateway", Name: gatewayapiv1.ObjectName(gatewayName), 
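Review bot: After this change `defaultNs` in FetchTargetRefObject is no longer a default but the only namespace the target is ever looked up in, and `ns := defaultNs` is a leftover alias. The doc comment should say so, because the same-namespace guarantee now rests entirely on callers passing the policy's own namespace: `// FetchTargetRefObject fetches the object named by targetRef in namespace defaultNs (the policy's namespace; a LocalPolicyTargetReference cannot point elsewhere) and checks the status is valid.` The alias can go by writing `objKey := client.ObjectKey{Name: string(targetRef.Name), Namespace: defaultNs}`. The switch on `targetRef.Kind` continues outside the hunk.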
@@ -176,8 +176,7 @@ func TestFetchTargetRefObject(t *testing.T) { }) t.Run("unknown network resource", func(subT *testing.T) { - ns := gatewayapiv1.Namespace(namespace) - targetRef := gatewayapiv1alpha2.NamespacedPolicyTargetReference{Kind: "Service", Name: "my-sv", Namespace: &ns} + targetRef := gatewayapiv1alpha2.LocalPolicyTargetReference{Kind: "Service", Name: "my-sv"} clientAPIReader := clientFactory() res, err := FetchTargetRefObject(ctx, clientAPIReader, targetRef, namespace, true) assert.Error(subT, err, fmt.Sprintf("FetchValidTargetRef: targetRef (%v) to unknown network resource", targetRef)) diff --git a/tests/common/authpolicy/authpolicy_controller_test.go b/tests/common/authpolicy/authpolicy_controller_test.go index 0bd4e1e6b..5bbffea07 100644 --- a/tests/common/authpolicy/authpolicy_controller_test.go +++ b/tests/common/authpolicy/authpolicy_controller_test.go @@ -93,11 +93,10 @@ var _ = Describe("AuthPolicy controller (Serial)", Serial, func() { Namespace: testNamespace, }, Spec: api.AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "HTTPRoute", - Name: TestHTTPRouteName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "HTTPRoute", + Name: TestHTTPRouteName, }, Defaults: &api.AuthPolicyCommonSpec{ AuthScheme: testBasicAuthScheme(), 
@@ -175,11 +174,10 @@ var _ = Describe("AuthPolicy controller", func() { Namespace: testNamespace, }, Spec: api.AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "HTTPRoute", - Name: TestHTTPRouteName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "HTTPRoute", + Name: TestHTTPRouteName, }, Defaults: &api.AuthPolicyCommonSpec{ AuthScheme: testBasicAuthScheme(), @@ -1084,21 +1082,6 @@ var _ = Describe("AuthPolicy controller", func() { fmt.Sprintf("AuthPolicy is conflicted by %[1]v/toystore: the gateway.networking.k8s.io/v1, Kind=HTTPRoute target %[1]v/toystore-route is already referenced by policy %[1]v/toystore", testNamespace), )).WithContext(ctx).Should(BeTrue()) }, testTimeOut) - - It("Invalid reason", func(ctx SpecContext) { - otherNamespace := tests.CreateNamespace(ctx, testClient()) - defer tests.DeleteNamespaceCallback(ctx, testClient(), otherNamespace)() - - policy := policyFactory(func(policy *api.AuthPolicy) { - policy.Namespace = otherNamespace // create the policy in a different namespace than the target - policy.Spec.TargetRef.Kind = "Gateway" - policy.Spec.TargetRef.Name = gatewayapiv1.ObjectName(TestGatewayName) - policy.Spec.TargetRef.Namespace = ptr.To(gatewayapiv1.Namespace(testNamespace)) - }) - Expect(k8sClient.Create(ctx, policy)).To(Succeed()) - - Eventually(assertAcceptedCondFalseAndEnforcedCondNil(ctx, policy, string(gatewayapiv1alpha2.PolicyReasonInvalid), fmt.Sprintf("AuthPolicy target is invalid: invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", testNamespace))).WithContext(ctx).Should(BeTrue()) - }, testTimeOut) }) Context("AuthPolicy enforced condition reasons", func() { 
@@ -1423,7 +1406,7 @@ var _ = Describe("AuthPolicy CEL Validations", func() { Namespace: testNamespace, }, Spec: api.AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: "my-target", @@ -1582,7 +1565,7 @@ var _ = Describe("AuthPolicy CEL Validations", func() { Namespace: testNamespace, }, Spec: api.AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "Gateway", Name: "my-gw", diff --git a/tests/common/ratelimitpolicy/ratelimitpolicy_controller_test.go b/tests/common/ratelimitpolicy/ratelimitpolicy_controller_test.go index c48d4c0be..904514b87 100644 --- a/tests/common/ratelimitpolicy/ratelimitpolicy_controller_test.go +++ b/tests/common/ratelimitpolicy/ratelimitpolicy_controller_test.go @@ -51,7 +51,7 @@ var _ = Describe("RateLimitPolicy controller (Serial)", Serial, func() { Namespace: testNamespace, }, Spec: kuadrantv1beta2.RateLimitPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: gatewayapiv1.ObjectName(routeName), @@ -171,7 +171,7 @@ var _ = Describe("RateLimitPolicy controller", func() { Namespace: testNamespace, }, Spec: kuadrantv1beta2.RateLimitPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: gatewayapiv1.ObjectName(routeName), 
@@ -313,7 +313,7 @@ var _ = Describe("RateLimitPolicy controller", func() { Namespace: testNamespace, }, Spec: kuadrantv1beta2.RateLimitPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.Group("gateway.networking.k8s.io"), Kind: "Gateway", Name: gatewayapiv1.ObjectName(TestGatewayName), @@ -846,21 +846,6 @@ var _ = Describe("RateLimitPolicy controller", func() { fmt.Sprintf("RateLimitPolicy is conflicted by %[1]v/toystore-rlp: the gateway.networking.k8s.io/v1, Kind=HTTPRoute target %[1]v/toystore-route is already referenced by policy %[1]v/toystore-rlp", testNamespace)), ).WithContext(ctx).Should(Succeed()) }, testTimeOut) - - It("Invalid reason", func(ctx SpecContext) { - otherNamespace := tests.CreateNamespace(ctx, testClient()) - defer tests.DeleteNamespaceCallback(ctx, testClient(), otherNamespace)() - - policy := policyFactory(func(policy *kuadrantv1beta2.RateLimitPolicy) { - policy.Namespace = otherNamespace // create the policy in a different namespace than the target - policy.Spec.TargetRef.Kind = "Gateway" - policy.Spec.TargetRef.Name = gatewayapiv1.ObjectName(gateway.Name) - policy.Spec.TargetRef.Namespace = ptr.To(gatewayapiv1.Namespace(testNamespace)) - }) - Expect(k8sClient.Create(ctx, policy)).To(Succeed()) - - Eventually(assertAcceptedConditionFalse(ctx, policy, string(gatewayapiv1alpha2.PolicyReasonInvalid), fmt.Sprintf("RateLimitPolicy target is invalid: invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", testNamespace))).WithContext(ctx).Should(Succeed()) - }, testTimeOut) }) Context("When RLP switches target from one HTTPRoute to another HTTPRoute", func() { 
@@ -1446,7 +1431,7 @@ var _ = Describe("RateLimitPolicy CEL Validations", func() { Namespace: testNamespace, }, Spec: kuadrantv1beta2.RateLimitPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: "my-target", diff --git a/tests/common/targetstatus/target_status_controller_test.go b/tests/common/targetstatus/target_status_controller_test.go index 73c62be71..90aa83804 100644 --- a/tests/common/targetstatus/target_status_controller_test.go +++ b/tests/common/targetstatus/target_status_controller_test.go @@ -115,7 +115,7 @@ var _ = Describe("Target status reconciler", func() { return condition.Status == metav1.ConditionFalse && strings.Contains(condition.Message, policyKey.String()) } - targetsAffected := func(ctx context.Context, policyKey client.ObjectKey, conditionType string, targetRef gatewayapiv1alpha2.NamespacedPolicyTargetReference, routeNames ...string) bool { + targetsAffected := func(ctx context.Context, policyKey client.ObjectKey, conditionType string, targetRef gatewayapiv1alpha2.LocalPolicyTargetReference, routeNames ...string) bool { switch string(targetRef.Kind) { case "Gateway": if !gatewayAffected(ctx, string(targetRef.Name), conditionType, policyKey) { @@ -149,11 +149,10 @@ var _ = Describe("Target status reconciler", func() { Namespace: testNamespace, }, Spec: v1beta2.AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "HTTPRoute", - Name: TestHTTPRouteName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "HTTPRoute", + Name: TestHTTPRouteName, }, Defaults: &v1beta2.AuthPolicyCommonSpec{ AuthScheme: &v1beta2.AuthSchemeSpec{ 
@@ -255,11 +254,10 @@ var _ = Describe("Target status reconciler", func() { It("adds PolicyAffected status condition to the targeted gateway and routes", func(ctx SpecContext) { policy := policyFactory(func(policy *v1beta2.AuthPolicy) { policy.Name = "gateway-auth" - policy.Spec.TargetRef = gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "Gateway", - Name: TestGatewayName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "Gateway", + Name: TestGatewayName, } }) Expect(k8sClient.Create(ctx, policy)).To(Succeed()) @@ -269,11 +267,10 @@ var _ = Describe("Target status reconciler", func() { It("removes PolicyAffected status condition from the targeted gateway and routes when the policy is deleted", func(ctx SpecContext) { policy := policyFactory(func(policy *v1beta2.AuthPolicy) { policy.Name = "gateway-auth" - policy.Spec.TargetRef = gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "Gateway", - Name: TestGatewayName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "Gateway", + Name: TestGatewayName, } }) Expect(k8sClient.Create(ctx, policy)).To(Succeed()) 
@@ -309,11 +306,10 @@ var _ = Describe("Target status reconciler", func() { gatewayPolicy := policyFactory(func(policy *v1beta2.AuthPolicy) { policy.Name = "gateway-auth" - policy.Spec.TargetRef = gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "Gateway", - Name: TestGatewayName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "Gateway", + Name: TestGatewayName, } }) Expect(k8sClient.Create(ctx, gatewayPolicy)).To(Succeed()) @@ -345,7 +341,7 @@ var _ = Describe("Target status reconciler", func() { Namespace: testNamespace, }, Spec: v1beta2.RateLimitPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ Group: gatewayapiv1.GroupName, Kind: "HTTPRoute", Name: gatewayapiv1.ObjectName(TestHTTPRouteName), @@ -408,11 +404,10 @@ var _ = Describe("Target status reconciler", func() { It("adds PolicyAffected status condition to the targeted gateway and routes", func(ctx SpecContext) { policy := policyFactory(func(policy *v1beta2.RateLimitPolicy) { policy.Name = "gateway-rlp" - policy.Spec.TargetRef = gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "Gateway", - Name: TestGatewayName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "Gateway", + Name: TestGatewayName, } }) Expect(k8sClient.Create(ctx, policy)).To(Succeed()) 
@@ -422,11 +417,10 @@ var _ = Describe("Target status reconciler", func() { It("removes PolicyAffected status condition from the targeted gateway and routes when the policy is deleted", func(ctx SpecContext) { policy := policyFactory(func(policy *v1beta2.RateLimitPolicy) { policy.Name = "gateway-rlp" - policy.Spec.TargetRef = gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "Gateway", - Name: TestGatewayName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "Gateway", + Name: TestGatewayName, } }) Expect(k8sClient.Create(ctx, policy)).To(Succeed()) @@ -462,11 +456,10 @@ var _ = Describe("Target status reconciler", func() { gatewayPolicy := policyFactory(func(policy *v1beta2.RateLimitPolicy) { policy.Name = "gateway-rlp" - policy.Spec.TargetRef = gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "Gateway", - Name: TestGatewayName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "Gateway", + Name: TestGatewayName, } }) Expect(k8sClient.Create(ctx, gatewayPolicy)).To(Succeed()) diff --git a/tests/istio/authpolicy_controller_authorizationpolicy_test.go b/tests/istio/authpolicy_controller_authorizationpolicy_test.go index e4c1b7e63..d903fb13b 100644 --- a/tests/istio/authpolicy_controller_authorizationpolicy_test.go +++ b/tests/istio/authpolicy_controller_authorizationpolicy_test.go 
@@ -65,11 +65,10 @@ var _ = Describe("AuthPolicy controller managing authorization policy", func() { Namespace: testNamespace, }, Spec: kuadrantv1beta2.AuthPolicySpec{ - TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{ - Group: gatewayapiv1.GroupName, - Kind: "HTTPRoute", - Name: TestHTTPRouteName, - Namespace: ptr.To(gatewayapiv1.Namespace(testNamespace)), + TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{ + Group: gatewayapiv1.GroupName, + Kind: "HTTPRoute", + Name: TestHTTPRouteName, }, Defaults: &kuadrantv1beta2.AuthPolicyCommonSpec{ AuthScheme: testBasicAuthScheme(), @@ -125,6 +124,7 @@ var _ = Describe("AuthPolicy controller managing authorization policy", func() { }).WithContext(ctx).Should(BeTrue()) // has the correct target ref + Expect(iap.Spec.TargetRef).To(Not(BeNil())) Expect(iap.Spec.TargetRef.Group).To(Equal("gateway.networking.k8s.io")) Expect(iap.Spec.TargetRef.Kind).To(Equal("Gateway")) Expect(iap.Spec.TargetRef.Name).To(Equal(TestGatewayName)) @@ -174,6 +174,7 @@ var _ = Describe("AuthPolicy controller managing authorization policy", func() { }).WithContext(ctx).Should(BeTrue()) // has the correct target ref + Expect(iap.Spec.TargetRef).To(Not(BeNil())) Expect(iap.Spec.TargetRef.Group).To(Equal("gateway.networking.k8s.io")) Expect(iap.Spec.TargetRef.Kind).To(Equal("Gateway")) Expect(iap.Spec.TargetRef.Name).To(Equal(TestGatewayName)) diff --git a/tests/istio/limitador_cluster_envoyfilter_controller_test.go b/tests/istio/limitador_cluster_envoyfilter_controller_test.go index 545204eca..3de996083 100644 --- a/tests/istio/limitador_cluster_envoyfilter_controller_test.go +++ b/tests/istio/limitador_cluster_envoyfilter_controller_test.go 
@@ -89,7 +89,7 @@ var _ = Describe("Limitador Cluster EnvoyFilter controller", func() {
 Namespace: testNamespace,
 },
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "Gateway",
 Name: gatewayapiv1.ObjectName(TestGatewayName),
diff --git a/tests/istio/rate_limiting_istio_wasmplugin_controller_test.go b/tests/istio/rate_limiting_istio_wasmplugin_controller_test.go
index 0ea2995ba..482d39d70 100644
--- a/tests/istio/rate_limiting_istio_wasmplugin_controller_test.go
+++ b/tests/istio/rate_limiting_istio_wasmplugin_controller_test.go
@@ -88,7 +88,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeName),
@@ -121,6 +121,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 // must exist
 Expect(err).ToNot(HaveOccurred())
 // has the correct target ref
+ Expect(existingWasmPlugin.Spec.TargetRef).To(Not(BeNil()))
 Expect(existingWasmPlugin.Spec.TargetRef.Group).To(Equal("gateway.networking.k8s.io"))
 Expect(existingWasmPlugin.Spec.TargetRef.Kind).To(Equal("Gateway"))
 Expect(existingWasmPlugin.Spec.TargetRef.Name).To(Equal(gateway.Name))
@@ -215,7 +216,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 Namespace: testNamespace,
 },
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeName),
@@ -395,7 +396,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "Gateway",
 Name: gatewayapiv1.ObjectName(TestGatewayName),
@@ -495,7 +496,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "Gateway",
 Name: gatewayapiv1.ObjectName(TestGatewayName),
@@ -563,7 +564,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeName),
@@ -637,7 +638,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpAName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "Gateway",
 Name: gatewayapiv1.ObjectName(TestGatewayName),
@@ -689,7 +690,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpBName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeCName),
@@ -835,7 +836,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "Gateway",
 Name: gatewayapiv1.ObjectName(TestGatewayName),
@@ -1044,7 +1045,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeName),
@@ -1341,7 +1342,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeAName),
@@ -1576,7 +1577,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlp1Name, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "Gateway",
 Name: gatewayapiv1.ObjectName(TestGatewayName),
@@ -1680,7 +1681,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlp2Name, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeAName),
@@ -1839,7 +1840,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlp1Name, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "Gateway",
 Name: gatewayapiv1.ObjectName(TestGatewayName),
@@ -1870,7 +1871,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlp2Name, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeAName),
@@ -2127,7 +2128,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: rlpName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeName),
@@ -2284,7 +2285,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: gwRLPName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "Gateway",
 Name: gatewayapiv1.ObjectName(TestGatewayName),
@@ -2325,7 +2326,7 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 },
 ObjectMeta: metav1.ObjectMeta{Name: routeRLPName, Namespace: testNamespace},
 Spec: kuadrantv1beta2.RateLimitPolicySpec{
- TargetRef: gatewayapiv1alpha2.NamespacedPolicyTargetReference{
+ TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 Group: gatewayapiv1.GroupName,
 Kind: "HTTPRoute",
 Name: gatewayapiv1.ObjectName(routeName),