feat: Add Match Conditions to the validation webhook #10554

Merged
merged 13 commits into from
Jan 13, 2025


@davidjumani davidjumani commented Jan 7, 2025

Description

Adds support for match conditions (defined via Common Expression Language (CEL)) to the validating webhook to allow fine-grained request filtering. They can be set via two new helm values:

  • gateway.validation.matchConditions on the Gloo webhook
  • gateway.validation.kubeCoreMatchConditions on the Kube webhook

API changes

Added the following helm values:

  • gateway.validation.matchConditions
  • gateway.validation.kubeCoreMatchConditions

Context

This feature is useful when the webhook failure policy needs to be Fail but excludes certain resources from validation so an unreachable gloo pod does not block resource deletion.
E.g., the user wants to exclude validation of secrets or resources with the foo label:

    kubeCoreMatchConditions:
    - name: 'not-a-secret-or-secret-with-foo-label-key'
      expression: 'request.resource.resource != "secrets" || ("labels" in oldObject.metadata && "foo" in oldObject.metadata.labels)'

Testing steps

Added kubernetes e2e tests

      Gloo was successfully uninstalled.
    --- PASS: TestValidationStrict (301.96s)
        --- PASS: TestValidationStrict/ValidationSplitWebhook (223.71s)
            --- PASS: TestValidationStrict/ValidationSplitWebhook/TestGlooFailurePolicyMatchConditions (85.60s)
            --- PASS: TestValidationStrict/ValidationSplitWebhook/TestKubeFailurePolicyMatchConditions (138.07s)
    PASS

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
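
The semantics behind the Context section, as an added example that is not code from this PR or from Gloo: a Python model of how a match condition combines with failurePolicy when the webhook is unreachable. The CEL expression is hand-translated from the description; the function names, the sample DELETE requests and the assumption that the webhook's rules cover both resource types are constructed for illustration.

```python
# Added example: a hand-written model, not Gloo or Kubernetes code.

def match_condition(request, old_object):
    """Python translation of the CEL expression in the PR description."""
    metadata = old_object["metadata"]
    return request["resource"]["resource"] != "secrets" or (
        "labels" in metadata and "foo" in metadata["labels"]
    )


def admission_outcome(request, old_object, failure_policy, webhook_reachable):
    """Model one validating webhook: it is called only when its match
    condition is true; failurePolicy applies only if that call fails."""
    if not match_condition(request, old_object):
        return "allowed: webhook skipped"
    if webhook_reachable:
        return "sent to webhook"
    if failure_policy == "Fail":
        return "denied: webhook unreachable"
    return "allowed: failure ignored"


def delete_request(resource, labels=None):
    """Build a constructed DELETE request; oldObject holds the existing object."""
    metadata = {"name": "sample"}
    if labels is not None:
        metadata["labels"] = labels
    request = {"operation": "DELETE", "resource": {"resource": resource}}
    return request, {"metadata": metadata}


# Constructed sample requests (not taken from the PR or its tests).
SAMPLES = {
    "secret without labels": delete_request("secrets"),
    "secret with other label": delete_request("secrets", {"app": "demo"}),
    "secret with foo label": delete_request("secrets", {"foo": "bar"}),
    "namespace": delete_request("namespaces"),
}


def outcomes(failure_policy, webhook_reachable):
    """Evaluate every sample request under the given policy and reachability."""
    return {
        name: admission_outcome(req, old, failure_policy, webhook_reachable)
        for name, (req, old) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in outcomes("Fail", webhook_reachable=False).items():
        print(f"{name:26} -> {result}")
```

With Fail and the webhook down, only requests for which the expression is true are denied: the foo-labelled secret and the namespace. The other two secrets never reach the webhook.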

@davidjumani davidjumani requested a review from a team as a code owner January 7, 2025 18:19
@solo-changelog-bot

Issues linked to changelog:
kgateway-dev#9828

github-actions bot commented Jan 7, 2025

Visit the preview URL for this PR (updated for commit 4aa522e):

https://gloo-edge--pr10554-match-conditions-smxvgur6.web.app

(expires Sat, 18 Jan 2025 04:23:47 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 77c2b86e287749579b7ff9cadb81e099042ef677

@jmhbh jmhbh left a comment

LGTM

@soloio-bulldozer soloio-bulldozer bot merged commit 898a84f into main Jan 13, 2025
20 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the match-conditions branch January 13, 2025 13:47
davidjumani added a commit that referenced this pull request Jan 13, 2025