feat(kgo): added ValidatingAdmissionPolicy and ValidatingAdmissionPol…

…icyBinding for validating DataPlane ports (#1215)

* feat(kgo): added ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding for validating DataPlane ports

* chore: regenerate golden files

* chore: update the policy and add chartsnap tests

Makefile

@@ -80,7 +80,9 @@ export GOLDEN_TEST_FAILURE_MSG
 _chartsnap: _chartsnap.deps
 	helm chartsnap -c ./charts/$(CHART) -f ./charts/$(CHART)/ci/ $(CHARTSNAP_ARGS) \
 		-- \
-		--api-versions gateway.networking.k8s.io/v1
+		--api-versions gateway.networking.k8s.io/v1 \
+		--api-versions admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy \
+		--api-versions admissionregistration.k8s.io/v1/ValidatingAdmissionPolicyBinding
 
 .PHONY: _chartsnap.deps
 _chartsnap.deps: chartsnap

charts/gateway-operator/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.4.3
+
+### Changes
+
+- Added `ValidatingAdmissionPolicy` and ``ValidatingAdmissionPolicyBinding` for
+  validating `DataPlane` ports.
+  [#1215](https://github.com/Kong/charts/pull/1215)
+
 ## 0.4.2
 
 ### Changes

charts/gateway-operator/Chart.yaml

@@ -8,7 +8,7 @@ maintainers:
 name: gateway-operator
 sources:
   - https://github.com/Kong/charts/tree/main/charts/gateway-operator
-version: 0.4.2
+version: 0.4.3
 appVersion: "1.4"
 annotations:
   artifacthub.io/prerelease: "false"

charts/gateway-operator/ci/__snapshots__/affinity-values.snap

@@ -694,7 +694,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.2
+    helm.sh/chart: gateway-operator-0.4.3
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -716,7 +716,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.2
+        helm.sh/chart: gateway-operator-0.4.3
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo
@@ -808,3 +808,95 @@ spec:
       - name: chartsnap-gateway-operator-certs-dir
         emptyDir:
           sizeLimit: 256Mi
+---
+# Source: gateway-operator/templates/validation-policy-dataplane.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: ports.dataplane.gateway-operator.konghq.com
+  labels:
+    app.kubernetes.io/name: gateway-operator
+    helm.sh/chart: gateway-operator-0.4.3
+    app.kubernetes.io/instance: "chartsnap"
+    app.kubernetes.io/version: "1.4"
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - "gateway-operator.konghq.com"
+      apiVersions:
+      - "v1beta1"
+      operations:
+      - "CREATE"
+      - "UPDATE"
+      resources:
+      - "dataplanes"
+  variables:
+  - name: network
+    expression: object.spec.network
+  - name: services
+    expression: variables.network.services
+  - name: ingressPorts
+    expression: variables.services.ingress.ports
+  - name: podTemplateSpec
+    expression: object.spec.deployment.podTemplateSpec
+  - name: proxyContainer
+    expression: |
+      variables.podTemplateSpec.spec.containers.exists(c, c.name == 'proxy') ?
+        variables.podTemplateSpec.spec.containers.filter(c, c.name == 'proxy')[0] :
+        null
+  - name: envFilteredPortMaps
+    expression: |
+      variables.proxyContainer.env.filter(e, e.name == "KONG_PORT_MAPS")
+  - name: envFilteredProxyListen
+    expression: |
+      variables.proxyContainer.env.filter(e, e.name == "KONG_PROXY_LISTEN")
+  - name: envPortMaps
+    expression: |
+      variables.envFilteredPortMaps.size() > 0 ? variables.envFilteredPortMaps[0].value : null
+  - name: envProxyListen
+    expression: |
+      variables.envFilteredProxyListen.size() > 0 ? variables.envFilteredProxyListen[0].value : null
+  # Using string functions from: https://pkg.go.dev/github.com/google/cel-go/ext
+  validations:
+  - messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PORT_MAPS env'"
+    expression: |
+      !has(object.spec.network) ||
+      !has(object.spec.network.services) ||
+      variables.ingressPorts == null ||
+      variables.envPortMaps == null ||
+      variables.ingressPorts.all(p, variables.envPortMaps.
+                split(",").
+                exists(pm,
+                    pm.split(":")[1].trim() == string(p.targetPort)
+                    )
+                )
+    reason: Invalid
+  - messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PROXY_LISTEN env'"
+    expression: |
+      !has(object.spec.network) ||
+      !has(object.spec.network.services) ||
+      variables.ingressPorts == null ||
+      variables.envProxyListen == null ||
+      variables.ingressPorts.all(p, variables.envProxyListen.
+                split(",").
+                exists(pm,
+                  pm.trim().split(" ")[0].split(":")[1].trim() == string(p.targetPort)
+                  )
+                )
+    reason: Invalid
+---
+# Source: gateway-operator/templates/validation-policy-dataplane.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: binding-ports.dataplane.gateway-operator.konghq.com
+  labels:
+    app.kubernetes.io/name: gateway-operator
+    helm.sh/chart: gateway-operator-0.4.3
+    app.kubernetes.io/instance: "chartsnap"
+    app.kubernetes.io/version: "1.4"
+spec:
+  policyName: ports.dataplane.gateway-operator.konghq.com
+  validationActions:
+  - Deny

charts/gateway-operator/ci/__snapshots__/disable-gateway-controller-values.snap

@@ -694,7 +694,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.2
+    helm.sh/chart: gateway-operator-0.4.3
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -716,7 +716,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.2
+        helm.sh/chart: gateway-operator-0.4.3
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo
@@ -800,3 +800,95 @@ spec:
       - name: chartsnap-gateway-operator-certs-dir
         emptyDir:
           sizeLimit: 256Mi
+---
+# Source: gateway-operator/templates/validation-policy-dataplane.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: ports.dataplane.gateway-operator.konghq.com
+  labels:
+    app.kubernetes.io/name: gateway-operator
+    helm.sh/chart: gateway-operator-0.4.3
+    app.kubernetes.io/instance: "chartsnap"
+    app.kubernetes.io/version: "1.4"
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - "gateway-operator.konghq.com"
+      apiVersions:
+      - "v1beta1"
+      operations:
+      - "CREATE"
+      - "UPDATE"
+      resources:
+      - "dataplanes"
+  variables:
+  - name: network
+    expression: object.spec.network
+  - name: services
+    expression: variables.network.services
+  - name: ingressPorts
+    expression: variables.services.ingress.ports
+  - name: podTemplateSpec
+    expression: object.spec.deployment.podTemplateSpec
+  - name: proxyContainer
+    expression: |
+      variables.podTemplateSpec.spec.containers.exists(c, c.name == 'proxy') ?
+        variables.podTemplateSpec.spec.containers.filter(c, c.name == 'proxy')[0] :
+        null
+  - name: envFilteredPortMaps
+    expression: |
+      variables.proxyContainer.env.filter(e, e.name == "KONG_PORT_MAPS")
+  - name: envFilteredProxyListen
+    expression: |
+      variables.proxyContainer.env.filter(e, e.name == "KONG_PROXY_LISTEN")
+  - name: envPortMaps
+    expression: |
+      variables.envFilteredPortMaps.size() > 0 ? variables.envFilteredPortMaps[0].value : null
+  - name: envProxyListen
+    expression: |
+      variables.envFilteredProxyListen.size() > 0 ? variables.envFilteredProxyListen[0].value : null
+  # Using string functions from: https://pkg.go.dev/github.com/google/cel-go/ext
+  validations:
+  - messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PORT_MAPS env'"
+    expression: |
+      !has(object.spec.network) ||
+      !has(object.spec.network.services) ||
+      variables.ingressPorts == null ||
+      variables.envPortMaps == null ||
+      variables.ingressPorts.all(p, variables.envPortMaps.
+                split(",").
+                exists(pm,
+                    pm.split(":")[1].trim() == string(p.targetPort)
+                    )
+                )
+    reason: Invalid
+  - messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PROXY_LISTEN env'"
+    expression: |
+      !has(object.spec.network) ||
+      !has(object.spec.network.services) ||
+      variables.ingressPorts == null ||
+      variables.envProxyListen == null ||
+      variables.ingressPorts.all(p, variables.envProxyListen.
+                split(",").
+                exists(pm,
+                  pm.trim().split(" ")[0].split(":")[1].trim() == string(p.targetPort)
+                  )
+                )
+    reason: Invalid
+---
+# Source: gateway-operator/templates/validation-policy-dataplane.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: binding-ports.dataplane.gateway-operator.konghq.com
+  labels:
+    app.kubernetes.io/name: gateway-operator
+    helm.sh/chart: gateway-operator-0.4.3
+    app.kubernetes.io/instance: "chartsnap"
+    app.kubernetes.io/version: "1.4"
+spec:
+  policyName: ports.dataplane.gateway-operator.konghq.com
+  validationActions:
+  - Deny

charts/gateway-operator/ci/__snapshots__/env-and-args-values.snap

@@ -694,7 +694,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.2
+    helm.sh/chart: gateway-operator-0.4.3
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -716,7 +716,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.2
+        helm.sh/chart: gateway-operator-0.4.3
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo
@@ -800,3 +800,95 @@ spec:
       - name: chartsnap-gateway-operator-certs-dir
         emptyDir:
           sizeLimit: 256Mi
+---
+# Source: gateway-operator/templates/validation-policy-dataplane.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: ports.dataplane.gateway-operator.konghq.com
+  labels:
+    app.kubernetes.io/name: gateway-operator
+    helm.sh/chart: gateway-operator-0.4.3
+    app.kubernetes.io/instance: "chartsnap"
+    app.kubernetes.io/version: "1.4"
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - "gateway-operator.konghq.com"
+      apiVersions:
+      - "v1beta1"
+      operations:
+      - "CREATE"
+      - "UPDATE"
+      resources:
+      - "dataplanes"
+  variables:
+  - name: network
+    expression: object.spec.network
+  - name: services
+    expression: variables.network.services
+  - name: ingressPorts
+    expression: variables.services.ingress.ports
+  - name: podTemplateSpec
+    expression: object.spec.deployment.podTemplateSpec
+  - name: proxyContainer
+    expression: |
+      variables.podTemplateSpec.spec.containers.exists(c, c.name == 'proxy') ?
+        variables.podTemplateSpec.spec.containers.filter(c, c.name == 'proxy')[0] :
+        null
+  - name: envFilteredPortMaps
+    expression: |
+      variables.proxyContainer.env.filter(e, e.name == "KONG_PORT_MAPS")
+  - name: envFilteredProxyListen
+    expression: |
+      variables.proxyContainer.env.filter(e, e.name == "KONG_PROXY_LISTEN")
+  - name: envPortMaps
+    expression: |
+      variables.envFilteredPortMaps.size() > 0 ? variables.envFilteredPortMaps[0].value : null
+  - name: envProxyListen
+    expression: |
+      variables.envFilteredProxyListen.size() > 0 ? variables.envFilteredProxyListen[0].value : null
+  # Using string functions from: https://pkg.go.dev/github.com/google/cel-go/ext
+  validations:
+  - messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PORT_MAPS env'"
+    expression: |
+      !has(object.spec.network) ||
+      !has(object.spec.network.services) ||
+      variables.ingressPorts == null ||
+      variables.envPortMaps == null ||
+      variables.ingressPorts.all(p, variables.envPortMaps.
+                split(",").
+                exists(pm,
+                    pm.split(":")[1].trim() == string(p.targetPort)
+                    )
+                )
+    reason: Invalid
+  - messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PROXY_LISTEN env'"
+    expression: |
+      !has(object.spec.network) ||
+      !has(object.spec.network.services) ||
+      variables.ingressPorts == null ||
+      variables.envProxyListen == null ||
+      variables.ingressPorts.all(p, variables.envProxyListen.
+                split(",").
+                exists(pm,
+                  pm.trim().split(" ")[0].split(":")[1].trim() == string(p.targetPort)
+                  )
+                )
+    reason: Invalid
+---
+# Source: gateway-operator/templates/validation-policy-dataplane.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: binding-ports.dataplane.gateway-operator.konghq.com
+  labels:
+    app.kubernetes.io/name: gateway-operator
+    helm.sh/chart: gateway-operator-0.4.3
+    app.kubernetes.io/instance: "chartsnap"
+    app.kubernetes.io/version: "1.4"
+spec:
+  policyName: ports.dataplane.gateway-operator.konghq.com
+  validationActions:
+  - Deny