Updating Gateway and HTTPRoute validation to share code across API

versions

Author: robscott

apis/v1alpha2/validation/gateway.go

@@ -17,30 +17,10 @@ limitations under the License.
 package validation
 
 import (
-	"fmt"
-
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	gatewayv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-	gatewayv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
-	gatewayvalidationv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1/validation"
-)
-
-var (
-	// set of protocols for which we need to validate that hostname is empty
-	protocolsHostnameInvalid = map[gatewayv1a2.ProtocolType]struct{}{
-		gatewayv1b1.TCPProtocolType: {},
-		gatewayv1b1.UDPProtocolType: {},
-	}
-
-	// ValidateTLSCertificateRefs validates the certificateRefs
-	// must be set and not empty when tls config is set and
-	// TLSModeType is terminate
-	validateTLSCertificateRefs = gatewayvalidationv1b1.ValidateTLSCertificateRefs
-
-	// validateListenerTLSConfig validates TLS config must be set when protocol is HTTPS or TLS,
-	// and TLS config shall not be present when protocol is HTTP, TCP or UDP
-	validateListenerTLSConfig = gatewayvalidationv1b1.ValidateListenerTLSConfig
+	gatewayv1b1validation "sigs.k8s.io/gateway-api/apis/v1beta1/validation"
 )
 
 // ValidateGateway validates gw according to the Gateway API specification.
@@ -51,40 +31,5 @@ var (
 // Validation that is not possible with CRD annotations may be added here in the future.
 // See https://github.com/kubernetes-sigs/gateway-api/issues/868 for more information.
 func ValidateGateway(gw *gatewayv1a2.Gateway) field.ErrorList {
-	return validateGatewaySpec(&gw.Spec, field.NewPath("spec"))
-}
-
-// validateGatewaySpec validates whether required fields of spec are set according to the
-// Gateway API specification.
-func validateGatewaySpec(spec *gatewayv1a2.GatewaySpec, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	errs = append(errs, validateGatewayListeners(spec.Listeners, path.Child("listeners"))...)
-	return errs
-}
-
-// validateGatewayListeners validates whether required fields of listeners are set according
-// to the Gateway API specification.
-func validateGatewayListeners(listeners []gatewayv1a2.Listener, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	errs = append(errs, validateListenerTLSConfig(listeners, path)...)
-	errs = append(errs, validateListenerHostname(listeners, path)...)
-	errs = append(errs, validateTLSCertificateRefs(listeners, path)...)
-	return errs
-}
-
-func isProtocolInSubset(protocol gatewayv1a2.ProtocolType, set map[gatewayv1a2.ProtocolType]struct{}) bool {
-	_, ok := set[protocol]
-	return ok
-}
-
-// validateListenerHostname validates each listener hostname
-// should be empty in case protocol is TCP or UDP
-func validateListenerHostname(listeners []gatewayv1a2.Listener, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	for i, h := range listeners {
-		if isProtocolInSubset(h.Protocol, protocolsHostnameInvalid) && h.Hostname != nil {
-			errs = append(errs, field.Forbidden(path.Index(i).Child("hostname"), fmt.Sprintf("should be empty for protocol %v", h.Protocol)))
-		}
-	}
-	return errs
+	return gatewayv1b1validation.ValidateGatewaySpec(&gw.Spec, field.NewPath("spec"))
 }

apis/v1alpha2/validation/httproute.go

@@ -17,257 +17,15 @@ limitations under the License.
 package validation
 
 import (
-	"fmt"
-	"net/http"
-	"strings"
-
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	gatewayv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-	gatewayv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
-)
-
-var (
-	// repeatableHTTPRouteFilters are filter types that can are allowed to be
-	// repeated multiple times in a rule.
-	repeatableHTTPRouteFilters = []gatewayv1a2.HTTPRouteFilterType{
-		gatewayv1b1.HTTPRouteFilterExtensionRef,
-	}
-
-	invalidPathSequences = []string{"//", "/./", "/../", "%2f", "%2F", "#"}
-	invalidPathSuffixes  = []string{"/..", "/."}
+	gatewayv1b1validation "sigs.k8s.io/gateway-api/apis/v1beta1/validation"
 )
 
 // ValidateHTTPRoute validates HTTPRoute according to the Gateway API specification.
 // For additional details of the HTTPRoute spec, refer to:
-// https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute
+// https://gateway-api.sigs.k8s.io/v1beta1/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute
 func ValidateHTTPRoute(route *gatewayv1a2.HTTPRoute) field.ErrorList {
-	return validateHTTPRouteSpec(&route.Spec, field.NewPath("spec"))
-}
-
-// validateHTTPRouteSpec validates that required fields of spec are set according to the
-// HTTPRoute specification.
-func validateHTTPRouteSpec(spec *gatewayv1a2.HTTPRouteSpec, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	for i, rule := range spec.Rules {
-		errs = append(errs, validateHTTPRouteFilters(rule.Filters, rule.Matches, path.Child("rules").Index(i))...)
-		for j, backendRef := range rule.BackendRefs {
-			errs = append(errs, validateHTTPRouteFilters(backendRef.Filters, rule.Matches, path.Child("rules").Index(i).Child("backendsrefs").Index(j))...)
-		}
-		for j, m := range rule.Matches {
-			matchPath := path.Child("rules").Index(i).Child("matches").Index(j)
-
-			if m.Path != nil {
-				errs = append(errs, validateHTTPPathMatch(m.Path, matchPath.Child("path"))...)
-			}
-			if len(m.Headers) > 0 {
-				errs = append(errs, validateHTTPHeaderMatches(m.Headers, matchPath.Child("headers"))...)
-			}
-			if len(m.QueryParams) > 0 {
-				errs = append(errs, validateHTTPQueryParamMatches(m.QueryParams, matchPath.Child("queryParams"))...)
-			}
-		}
-	}
-	errs = append(errs, validateHTTPRouteBackendServicePorts(spec.Rules, path.Child("rules"))...)
-	errs = append(errs, validateParentRefs(spec.ParentRefs, path.Child("spec"))...)
-	return errs
-}
-
-// validateHTTPRouteBackendServicePorts validates that v1.Service backends always have a port.
-func validateHTTPRouteBackendServicePorts(rules []gatewayv1a2.HTTPRouteRule, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	path = path.Child("rules")
-
-	for i, rule := range rules {
-		for j, ref := range rule.BackendRefs {
-			errs = append(errs, validateBackendRefServicePort(&ref.BackendRef, path.Index(i).Child("backendRefs").Index(j))...)
-		}
-	}
-
-	return errs
-}
-
-// validateHTTPRouteFilters validates that a list of core and extended filters
-// is used at most once and that the filter type matches its value
-func validateHTTPRouteFilters(filters []gatewayv1a2.HTTPRouteFilter, matches []gatewayv1a2.HTTPRouteMatch, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	counts := map[gatewayv1a2.HTTPRouteFilterType]int{}
-
-	for i, filter := range filters {
-		counts[filter.Type]++
-		if filter.RequestRedirect != nil && filter.RequestRedirect.Path != nil {
-			errs = append(errs, validateHTTPPathModifier(*filter.RequestRedirect.Path, matches, path.Index(i).Child("requestRedirect", "path"))...)
-		}
-		if filter.URLRewrite != nil && filter.URLRewrite.Path != nil {
-			errs = append(errs, validateHTTPPathModifier(*filter.URLRewrite.Path, matches, path.Index(i).Child("urlRewrite", "path"))...)
-		}
-		errs = append(errs, validateHTTPRouteFilterTypeMatchesValue(filter, path.Index(i))...)
-	}
-	// custom filters don't have any validation
-	for _, key := range repeatableHTTPRouteFilters {
-		delete(counts, key)
-	}
-
-	if counts[gatewayv1b1.HTTPRouteFilterRequestRedirect] > 0 && counts[gatewayv1b1.HTTPRouteFilterURLRewrite] > 0 {
-		errs = append(errs, field.Invalid(path.Child("filters"), gatewayv1b1.HTTPRouteFilterRequestRedirect, "may specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both"))
-	}
-
-	for filterType, count := range counts {
-		if count > 1 {
-			errs = append(errs, field.Invalid(path.Child("filters"), filterType, "cannot be used multiple times in the same rule"))
-		}
-	}
-	return errs
-}
-
-// webhook validation of HTTPPathMatch
-func validateHTTPPathMatch(path *gatewayv1a2.HTTPPathMatch, fldPath *field.Path) field.ErrorList {
-	allErrs := field.ErrorList{}
-
-	if path.Type == nil {
-		return append(allErrs, field.Required(fldPath.Child("type"), "must be specified"))
-	}
-
-	if path.Value == nil {
-		return append(allErrs, field.Required(fldPath.Child("value"), "must be specified"))
-	}
-
-	switch *path.Type {
-	case gatewayv1b1.PathMatchExact, gatewayv1b1.PathMatchPathPrefix:
-		if !strings.HasPrefix(*path.Value, "/") {
-			allErrs = append(allErrs, field.Invalid(fldPath.Child("value"), *path.Value, "must be an absolute path"))
-		}
-		if len(*path.Value) > 0 {
-			for _, invalidSeq := range invalidPathSequences {
-				if strings.Contains(*path.Value, invalidSeq) {
-					allErrs = append(allErrs, field.Invalid(fldPath.Child("value"), *path.Value, fmt.Sprintf("must not contain %q", invalidSeq)))
-				}
-			}
-
-			for _, invalidSuff := range invalidPathSuffixes {
-				if strings.HasSuffix(*path.Value, invalidSuff) {
-					allErrs = append(allErrs, field.Invalid(fldPath.Child("value"), *path.Value, fmt.Sprintf("cannot end with '%s'", invalidSuff)))
-				}
-			}
-		}
-	case gatewayv1b1.PathMatchRegularExpression:
-	default:
-		pathTypes := []string{string(gatewayv1b1.PathMatchExact), string(gatewayv1b1.PathMatchPathPrefix), string(gatewayv1b1.PathMatchRegularExpression)}
-		allErrs = append(allErrs, field.NotSupported(fldPath.Child("type"), *path.Type, pathTypes))
-	}
-	return allErrs
-}
-
-// validateHTTPHeaderMatches validates that no header name
-// is matched more than once (case-insensitive).
-func validateHTTPHeaderMatches(matches []gatewayv1a2.HTTPHeaderMatch, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	counts := map[string]int{}
-
-	for _, match := range matches {
-		// Header names are case-insensitive.
-		counts[strings.ToLower(string(match.Name))]++
-	}
-
-	for name, count := range counts {
-		if count > 1 {
-			errs = append(errs, field.Invalid(path, http.CanonicalHeaderKey(name), "cannot match the same header multiple times in the same rule"))
-		}
-	}
-
-	return errs
-}
-
-// validateHTTPQueryParamMatches validates that no query param name
-// is matched more than once (case-sensitive).
-func validateHTTPQueryParamMatches(matches []gatewayv1a2.HTTPQueryParamMatch, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	counts := map[string]int{}
-
-	for _, match := range matches {
-		// Query param names are case-sensitive.
-		counts[string(match.Name)]++
-	}
-
-	for name, count := range counts {
-		if count > 1 {
-			errs = append(errs, field.Invalid(path, name, "cannot match the same query parameter multiple times in the same rule"))
-		}
-	}
-
-	return errs
-}
-
-// validateHTTPRouteFilterTypeMatchesValue validates that only the expected fields are
-// set for the specified filter type.
-func validateHTTPRouteFilterTypeMatchesValue(filter gatewayv1a2.HTTPRouteFilter, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	if filter.ExtensionRef != nil && filter.Type != gatewayv1b1.HTTPRouteFilterExtensionRef {
-		errs = append(errs, field.Invalid(path, filter.ExtensionRef, "must be nil if the HTTPRouteFilter.Type is not ExtensionRef"))
-	}
-	if filter.ExtensionRef == nil && filter.Type == gatewayv1b1.HTTPRouteFilterExtensionRef {
-		errs = append(errs, field.Required(path, "filter.ExtensionRef must be specified for ExtensionRef HTTPRouteFilter.Type"))
-	}
-	if filter.RequestHeaderModifier != nil && filter.Type != gatewayv1b1.HTTPRouteFilterRequestHeaderModifier {
-		errs = append(errs, field.Invalid(path, filter.RequestHeaderModifier, "must be nil if the HTTPRouteFilter.Type is not RequestHeaderModifier"))
-	}
-	if filter.RequestHeaderModifier == nil && filter.Type == gatewayv1b1.HTTPRouteFilterRequestHeaderModifier {
-		errs = append(errs, field.Required(path, "filter.RequestHeaderModifier must be specified for RequestHeaderModifier HTTPRouteFilter.Type"))
-	}
-	if filter.RequestMirror != nil && filter.Type != gatewayv1b1.HTTPRouteFilterRequestMirror {
-		errs = append(errs, field.Invalid(path, filter.RequestMirror, "must be nil if the HTTPRouteFilter.Type is not RequestMirror"))
-	}
-	if filter.RequestMirror == nil && filter.Type == gatewayv1b1.HTTPRouteFilterRequestMirror {
-		errs = append(errs, field.Required(path, "filter.RequestMirror must be specified for RequestMirror HTTPRouteFilter.Type"))
-	}
-	if filter.RequestRedirect != nil && filter.Type != gatewayv1b1.HTTPRouteFilterRequestRedirect {
-		errs = append(errs, field.Invalid(path, filter.RequestRedirect, "must be nil if the HTTPRouteFilter.Type is not RequestRedirect"))
-	}
-	if filter.RequestRedirect == nil && filter.Type == gatewayv1b1.HTTPRouteFilterRequestRedirect {
-		errs = append(errs, field.Required(path, "filter.RequestRedirect must be specified for RequestRedirect HTTPRouteFilter.Type"))
-	}
-	if filter.URLRewrite != nil && filter.Type != gatewayv1b1.HTTPRouteFilterURLRewrite {
-		errs = append(errs, field.Invalid(path, filter.URLRewrite, "must be nil if the HTTPRouteFilter.Type is not URLRewrite"))
-	}
-	if filter.URLRewrite == nil && filter.Type == gatewayv1b1.HTTPRouteFilterURLRewrite {
-		errs = append(errs, field.Required(path, "filter.URLRewrite must be specified for URLRewrite HTTPRouteFilter.Type"))
-	}
-	return errs
-}
-
-// validateHTTPPathModifier validates that only the expected fields are set in a
-// path modifier.
-func validateHTTPPathModifier(modifier gatewayv1a2.HTTPPathModifier, matches []gatewayv1a2.HTTPRouteMatch, path *field.Path) field.ErrorList {
-	var errs field.ErrorList
-	if modifier.ReplaceFullPath != nil && modifier.Type != gatewayv1b1.FullPathHTTPPathModifier {
-		errs = append(errs, field.Invalid(path, modifier.ReplaceFullPath, "must be nil if the HTTPRouteFilter.Type is not ReplaceFullPath"))
-	}
-	if modifier.ReplaceFullPath == nil && modifier.Type == gatewayv1b1.FullPathHTTPPathModifier {
-		errs = append(errs, field.Invalid(path, modifier.ReplaceFullPath, "must not be nil if the HTTPRouteFilter.Type is ReplaceFullPath"))
-	}
-	if modifier.ReplacePrefixMatch != nil && modifier.Type != gatewayv1b1.PrefixMatchHTTPPathModifier {
-		errs = append(errs, field.Invalid(path, modifier.ReplacePrefixMatch, "must be nil if the HTTPRouteFilter.Type is not ReplacePrefixMatch"))
-	}
-	if modifier.ReplacePrefixMatch == nil && modifier.Type == gatewayv1b1.PrefixMatchHTTPPathModifier {
-		errs = append(errs, field.Invalid(path, modifier.ReplacePrefixMatch, "must not be nil if the HTTPRouteFilter.Type is ReplacePrefixMatch"))
-	}
-
-	if modifier.Type == gatewayv1b1.PrefixMatchHTTPPathModifier && modifier.ReplacePrefixMatch != nil {
-		if !hasExactlyOnePrefixMatch(matches) {
-			errs = append(errs, field.Invalid(path, modifier.ReplacePrefixMatch, "exactly one PathPrefix match must be specified to use this path modifier"))
-		}
-	}
-	return errs
-}
-
-func hasExactlyOnePrefixMatch(matches []gatewayv1a2.HTTPRouteMatch) bool {
-	if len(matches) != 1 || matches[0].Path == nil {
-		return false
-	}
-	pathMatchType := matches[0].Path.Type
-	if *pathMatchType != gatewayv1b1.PathMatchPathPrefix {
-		return false
-	}
-
-	return true
+	return gatewayv1b1validation.ValidateHTTPRouteSpec(&route.Spec, field.NewPath("spec"))
 }

apis/v1beta1/validation/gateway.go

@@ -51,12 +51,12 @@ var (
 // Validation that is not possible with CRD annotations may be added here in the future.
 // See https://github.com/kubernetes-sigs/gateway-api/issues/868 for more information.
 func ValidateGateway(gw *gatewayv1b1.Gateway) field.ErrorList {
-	return validateGatewaySpec(&gw.Spec, field.NewPath("spec"))
+	return ValidateGatewaySpec(&gw.Spec, field.NewPath("spec"))
 }
 
-// validateGatewaySpec validates whether required fields of spec are set according to the
+// ValidateGatewaySpec validates whether required fields of spec are set according to the
 // Gateway API specification.
-func validateGatewaySpec(spec *gatewayv1b1.GatewaySpec, path *field.Path) field.ErrorList {
+func ValidateGatewaySpec(spec *gatewayv1b1.GatewaySpec, path *field.Path) field.ErrorList {
 	var errs field.ErrorList
 	errs = append(errs, validateGatewayListeners(spec.Listeners, path.Child("listeners"))...)
 	return errs