Update gatewayapi to v1.0.0

README.md

@@ -8,21 +8,23 @@
 The Operator to install and manage the lifecycle of the [Kuadrant](https://github.com/Kuadrant/) components deployments.
 
 <!--ts-->
-* [Overview](#overview)
-* [Architecture](#architecture)
-    * [Kuadrant components](#kuadrant-components)
-    * [Provided APIs](#provided-apis)
-* [Getting started](#getting-started)
-    * [Pre-requisites](#pre-requisites)
-    * [Installing Kuadrant](#installing-kuadrant)
-    * [Protect Your Service](#protect-your-service)
-      * [If you are an <em>API Provider</em>](#if-you-are-an-api-provider)
-      * [If you are a <em>Cluster Operator</em>](#if-you-are-a-cluster-operator)
-* [User guides](#user-guides)
-* [<a href="doc/rate-limiting.md">Kuadrant Rate Limiting</a>](#kuadrant-rate-limiting)
-* [Documentation](#documentation)
-* [Contributing](#contributing)
-* [Licensing](#licensing)
+- [Overview](#overview)
+- [Architecture](#architecture)
+  - [Kuadrant components](#kuadrant-components)
+  - [Provided APIs](#provided-apis)
+- [Getting started](#getting-started)
+  - [Pre-requisites](#pre-requisites)
+  - [Installing Kuadrant](#installing-kuadrant)
+    - [1. Install the Kuadrant Operator](#1-install-the-kuadrant-operator)
+    - [2. Request a Kuadrant instance](#2-request-a-kuadrant-instance)
+  - [Protect your service](#protect-your-service)
+    - [If you are an *API Provider*](#if-you-are-an-api-provider)
+    - [If you are a *Cluster Operator*](#if-you-are-a-cluster-operator)
+- [User guides](#user-guides)
+- [Kuadrant Rate Limiting](#kuadrant-rate-limiting)
+- [Documentation](#documentation)
+- [Contributing](#contributing)
+- [Licensing](#licensing)
 
 <!--te-->
 
@@ -144,15 +146,15 @@ EOF
 
 * Deploy the service/API to be protected ("Upstream")
 * Expose the service/API using the kubernetes Gateway API, ie
-  [HTTPRoute](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute) object.
+  [HTTPRoute](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute) object.
 * Write and apply the Kuadrant's [RateLimitPolicy](doc/rate-limiting.md) and/or
   [AuthPolicy](doc/auth.md) custom resources targeting the HTTPRoute resource
   to have your API protected.
 
 #### If you are a *Cluster Operator*
 
 * (Optionally) deploy istio ingress gateway using the
-  [Gateway](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.Gateway) resource.
+  [Gateway](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Gateway) resource.
 * Write and apply the Kuadrant's [RateLimitPolicy](doc/rate-limiting.md) and/or
   [AuthPolicy](doc/auth.md) custom resources targeting the Gateway resource
   to have your gateway traffic protected.

api/v1beta2/authpolicy_types.go

@@ -7,8 +7,8 @@
 	"github.com/google/go-cmp/cmp"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-	gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
 	"github.com/kuadrant/kuadrant-operator/pkg/common"
@@ -18,16 +18,19 @@
 	// Authentication configs.
 	// At least one config MUST evaluate to a valid identity object for the auth request to be successful.
 	// +optional
+	// +kubebuilder:validation:MaxProperties=14
 	Authentication map[string]AuthenticationSpec `json:"authentication,omitempty"`
 
 	// Metadata sources.
 	// Authorino fetches auth metadata as JSON from sources specified in this config.
 	// +optional
+	// +kubebuilder:validation:MaxProperties=14
 	Metadata map[string]MetadataSpec `json:"metadata,omitempty"`
 
 	// Authorization policies.
 	// All policies MUST evaluate to "allowed = true" for the auth request be successful.
 	// +optional
+	// +kubebuilder:validation:MaxProperties=14
 	Authorization map[string]AuthorizationSpec `json:"authorization,omitempty"`
 
 	// Response items.
@@ -38,6 +41,7 @@
 	// Callback functions.
 	// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config.
 	// +optional
+	// +kubebuilder:validation:MaxProperties=14
 	Callbacks map[string]CallbackSpec `json:"callbacks,omitempty"`
 }
 
@@ -47,6 +51,7 @@
 	// At least one selected HTTPRoute rule must match to trigger the auth rule.
 	// If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes.
 	// +optional
+	// +kubebuilder:validation:MaxItems=15
 	RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
 }
 
@@ -93,11 +98,13 @@
 type WrappedSuccessResponseSpec struct {
 	// Custom success response items wrapped as HTTP headers.
 	// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request.
+	// +kubebuilder:validation:MaxProperties=14
 	Headers map[string]HeaderSuccessResponseSpec `json:"headers,omitempty"`
 
 	// Custom success response items wrapped as HTTP headers.
 	// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata.
 	// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata
+	// +kubebuilder:validation:MaxProperties=14
 	DynamicMetadata map[string]SuccessResponseSpec `json:"dynamicMetadata,omitempty"`
 }
 
@@ -133,6 +140,7 @@
 	// At least one selected HTTPRoute rule must match to trigger the AuthPolicy.
 	// If no route selectors are specified, the AuthPolicy will be enforced at all requests to the protected routes.
 	// +optional
+	// +kubebuilder:validation:MaxItems=15
 	RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
 
 	// Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules.
@@ -266,8 +274,8 @@
 	return ap.Spec.TargetRef
 }
 
-func (ap *AuthPolicy) GetWrappedNamespace() gatewayapiv1beta1.Namespace {
-	return gatewayapiv1beta1.Namespace(ap.Namespace)
+func (ap *AuthPolicy) GetWrappedNamespace() gatewayapiv1.Namespace {
+	return gatewayapiv1.Namespace(ap.Namespace)
 }
 
 // GetRulesHostnames returns all hostnames referenced in the route selectors of the policy.

api/v1beta2/authpolicy_types_test.go

@@ -8,8 +8,8 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
+	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-	gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
 	"github.com/kuadrant/kuadrant-operator/pkg/common"
@@ -68,7 +68,7 @@ func TestAuthPolicyTargetKey(t *testing.T) {
 	}
 
 	// targetRef with namespace
-	policy.Spec.TargetRef.Namespace = ptr.To(gatewayapiv1beta1.Namespace("route-namespace"))
+	policy.Spec.TargetRef.Namespace = ptr.To(gatewayapiv1.Namespace("route-namespace"))
 	expected = "route-namespace/my-route"
 	if result := policy.TargetKey().String(); result != expected {
 		t.Errorf("Expected target key %s, got %s", expected, result)
@@ -113,7 +113,7 @@ func TestAuthPolicyGetRulesHostnames(t *testing.T) {
 	}
 	policy.Spec.RouteSelectors = []RouteSelector{
 		{
-			Hostnames: []gatewayapiv1beta1.Hostname{"*.kuadrant.io", "toystore.kuadrant.io"},
+			Hostnames: []gatewayapiv1.Hostname{"*.kuadrant.io", "toystore.kuadrant.io"},
 		},
 	}
 	// 1 top-level route selectors with 2 hostnames
@@ -190,7 +190,7 @@ func TestAuthPolicyGetRulesHostnames(t *testing.T) {
 						CommonAuthRuleSpec: CommonAuthRuleSpec{
 							RouteSelectors: []RouteSelector{
 								{
-									Hostnames: []gatewayapiv1beta1.Hostname{"*.kuadrant.io", "toystore.kuadrant.io"},
+									Hostnames: []gatewayapiv1.Hostname{"*.kuadrant.io", "toystore.kuadrant.io"},
 								},
 							},
 						},
@@ -202,7 +202,7 @@ func TestAuthPolicyGetRulesHostnames(t *testing.T) {
 					CommonAuthRuleSpec: CommonAuthRuleSpec{
 						RouteSelectors: []RouteSelector{
 							{
-								Hostnames: []gatewayapiv1beta1.Hostname{"*.kuadrant.io"},
+								Hostnames: []gatewayapiv1.Hostname{"*.kuadrant.io"},
 							},
 						},
 					},
@@ -330,10 +330,10 @@ func TestAuthPolicyValidate(t *testing.T) {
 					},
 					RouteSelectors: []RouteSelector{
 						{
-							Hostnames: []gatewayapiv1beta1.Hostname{"*.foo.io"},
-							Matches: []gatewayapiv1beta1.HTTPRouteMatch{
+							Hostnames: []gatewayapiv1.Hostname{"*.foo.io"},
+							Matches: []gatewayapiv1.HTTPRouteMatch{
 								{
-									Path: &gatewayapiv1beta1.HTTPPathMatch{
+									Path: &gatewayapiv1.HTTPPathMatch{
 										Value: ptr.To("/foo"),
 									},
 								},
@@ -368,10 +368,10 @@ func TestAuthPolicyValidate(t *testing.T) {
 								CommonAuthRuleSpec: CommonAuthRuleSpec{
 									RouteSelectors: []RouteSelector{
 										{
-											Hostnames: []gatewayapiv1beta1.Hostname{"*.foo.io"},
-											Matches: []gatewayapiv1beta1.HTTPRouteMatch{
+											Hostnames: []gatewayapiv1.Hostname{"*.foo.io"},
+											Matches: []gatewayapiv1.HTTPRouteMatch{
 												{
-													Path: &gatewayapiv1beta1.HTTPPathMatch{
+													Path: &gatewayapiv1.HTTPPathMatch{
 														Value: ptr.To("/foo"),
 													},
 												},
@@ -398,7 +398,7 @@ func TestAuthPolicyValidate(t *testing.T) {
 						Group:     "gateway.networking.k8s.io",
 						Kind:      "HTTPRoute",
 						Name:      "my-route",
-						Namespace: ptr.To(gatewayapiv1beta1.Namespace("other-namespace")),
+						Namespace: ptr.To(gatewayapiv1.Namespace("other-namespace")),
 					},
 					AuthScheme: AuthSchemeSpec{
 						Authentication: map[string]AuthenticationSpec{
@@ -411,10 +411,10 @@ func TestAuthPolicyValidate(t *testing.T) {
 								CommonAuthRuleSpec: CommonAuthRuleSpec{
 									RouteSelectors: []RouteSelector{
 										{
-											Hostnames: []gatewayapiv1beta1.Hostname{"*.foo.io"},
-											Matches: []gatewayapiv1beta1.HTTPRouteMatch{
+											Hostnames: []gatewayapiv1.Hostname{"*.foo.io"},
+											Matches: []gatewayapiv1.HTTPRouteMatch{
 												{
-													Path: &gatewayapiv1beta1.HTTPPathMatch{
+													Path: &gatewayapiv1.HTTPPathMatch{
 														Value: ptr.To("/foo"),
 													},
 												},
@@ -445,10 +445,10 @@ func TestAuthPolicyValidate(t *testing.T) {
 
 func testBuildRouteSelector() RouteSelector {
 	return RouteSelector{
-		Hostnames: []gatewayapiv1beta1.Hostname{"toystore.kuadrant.io"},
-		Matches: []gatewayapiv1beta1.HTTPRouteMatch{
+		Hostnames: []gatewayapiv1.Hostname{"toystore.kuadrant.io"},
+		Matches: []gatewayapiv1.HTTPRouteMatch{
 			{
-				Path: &gatewayapiv1beta1.HTTPPathMatch{
+				Path: &gatewayapiv1.HTTPPathMatch{
 					Value: ptr.To("/toy"),
 				},
 			},

api/v1beta2/ratelimitpolicy_types.go

@@ -24,8 +24,8 @@
 	"github.com/kuadrant/kuadrant-operator/pkg/common"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-	gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 )
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
@@ -70,7 +70,7 @@
 }
 
 // RouteSelector defines semantics for matching an HTTP request based on conditions
-// https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec
+// https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
 type WhenCondition struct {
 	// Selector defines one item from the well known selectors
 	// TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors
@@ -88,6 +88,7 @@
 type Limit struct {
 	// RouteSelectors defines semantics for matching an HTTP request based on conditions
 	// +optional
+	// +kubebuilder:validation:MaxItems=15
 	RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
 
 	// When holds the list of conditions for the policy to be enforced.
@@ -119,6 +120,7 @@
 
 	// Limits holds the struct of limits indexed by a unique name
 	// +optional
+	// +kubebuilder:validation:MaxProperties=14
 	Limits map[string]Limit `json:"limits,omitempty"`
 }
 
@@ -226,15 +228,15 @@
 	return r.Spec.TargetRef
 }
 
-func (r *RateLimitPolicy) GetWrappedNamespace() gatewayapiv1beta1.Namespace {
-	return gatewayapiv1beta1.Namespace(r.Namespace)
+func (r *RateLimitPolicy) GetWrappedNamespace() gatewayapiv1.Namespace {
+	return gatewayapiv1.Namespace(r.Namespace)
 }
 
 func (r *RateLimitPolicy) GetRulesHostnames() (ruleHosts []string) {
 	ruleHosts = make([]string, 0)
 	for _, limit := range r.Spec.Limits {
 		for _, routeSelector := range limit.RouteSelectors {
-			convertHostnamesToString := func(gwHostnames []gatewayapiv1beta1.Hostname) []string {
+			convertHostnamesToString := func(gwHostnames []gatewayapiv1.Hostname) []string {
 				hostnames := make([]string, 0, len(gwHostnames))
 				for _, gwHostName := range gwHostnames {
 					hostnames = append(hostnames, string(gwHostName))

api/v1beta2/ratelimitpolicy_types_test.go

@@ -7,13 +7,13 @@ import (
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-	gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	"github.com/kuadrant/kuadrant-operator/pkg/common"
 )
 
-func testBuildBasicRLP(name string, kind gatewayapiv1beta1.Kind) *RateLimitPolicy {
+func testBuildBasicRLP(name string, kind gatewayapiv1.Kind) *RateLimitPolicy {
 	return &RateLimitPolicy{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "RateLimitPolicy",
@@ -34,11 +34,11 @@ func testBuildBasicRLP(name string, kind gatewayapiv1beta1.Kind) *RateLimitPolic
 }
 
 func testBuildBasicGatewayRLP(name string) *RateLimitPolicy {
-	return testBuildBasicRLP(name, gatewayapiv1beta1.Kind("Gateway"))
+	return testBuildBasicRLP(name, gatewayapiv1.Kind("Gateway"))
 }
 
 func testBuildBasicHTTPRouteRLP(name string) *RateLimitPolicy {
-	return testBuildBasicRLP(name, gatewayapiv1beta1.Kind("HTTPRoute"))
+	return testBuildBasicRLP(name, gatewayapiv1.Kind("HTTPRoute"))
 }
 
 // TestRateLimitPolicyValidation calls rlp.Validate()
@@ -62,7 +62,7 @@ func TestRateLimitPolicyValidation(t *testing.T) {
 
 	// invalid group
 	rlp = testBuildBasicHTTPRouteRLP(name)
-	rlp.Spec.TargetRef.Group = gatewayapiv1beta1.Group("foo.example.com")
+	rlp.Spec.TargetRef.Group = gatewayapiv1.Group("foo.example.com")
 	err = rlp.Validate()
 	if err == nil {
 		t.Fatal(`rlp.Validate() did not return error and should`)
@@ -73,7 +73,7 @@ func TestRateLimitPolicyValidation(t *testing.T) {
 
 	// invalid kind
 	rlp = testBuildBasicHTTPRouteRLP(name)
-	rlp.Spec.TargetRef.Kind = gatewayapiv1beta1.Kind("Foo")
+	rlp.Spec.TargetRef.Kind = gatewayapiv1.Kind("Foo")
 	err = rlp.Validate()
 	if err == nil {
 		t.Fatal(`rlp.Validate() did not return error and should`)
@@ -84,7 +84,7 @@ func TestRateLimitPolicyValidation(t *testing.T) {
 
 	// Different namespace
 	rlp = testBuildBasicHTTPRouteRLP(name)
-	otherNS := gatewayapiv1beta1.Namespace(rlp.GetNamespace() + "other")
+	otherNS := gatewayapiv1.Namespace(rlp.GetNamespace() + "other")
 	rlp.Spec.TargetRef.Namespace = &otherNS
 	err = rlp.Validate()
 	if err == nil {