From 15922a4c04b548b253bdd4d5933877cab23eb84f Mon Sep 17 00:00:00 2001
From: bartoszmajsak
Date: Wed, 25 Sep 2024 15:23:07 +0200
Subject: [PATCH] fix(crd): adds validation pattern and max length for ns fields

This commit introduces a validation pattern and maximum length constraint to the `Namespace` fields in our structs. We have missed it in the early days. Validation rules ensure that namespace names does not exceed max length defined and are valid [RFC 1123 DNS labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns).
---
 apis/infrastructure/v1/servicemesh_types.go | 4 ++++
 .../dscinitialization.opendatahub.io_dscinitializations.yaml | 4 ++++
 .../dscinitialization.opendatahub.io_dscinitializations.yaml | 4 ++++
 docs/api-overview.md | 4 ++--
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/apis/infrastructure/v1/servicemesh_types.go b/apis/infrastructure/v1/servicemesh_types.go
index bfa81ec8b0f..659ee781aac 100644
--- a/apis/infrastructure/v1/servicemesh_types.go
+++ b/apis/infrastructure/v1/servicemesh_types.go
@@ -20,6 +20,8 @@ type ControlPlaneSpec struct {
 Name string `json:"name,omitempty"`
 // Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system".
 // +kubebuilder:default=istio-system
+ // +kubebuilder:validation:Pattern="^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$"
+ // +kubebuilder:validation:MaxLength=63
 Namespace string `json:"namespace,omitempty"`
 // MetricsCollection specifies if metrics from components on the Mesh namespace
 // should be collected. Setting the value to "Istio" will collect metrics from the
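Review bot: The outer group of the new `Pattern` marker is optional, so an empty `namespace` passes validation; that is what the `omitempty` tag and, in the AuthSpec hunk, the derived default rely on, but a reader checking the expression against RFC 1123 (which has no empty label) will take it for a mistake. A comment above the marker would settle it, e.g. `// Empty is allowed so the field can be omitted; a non-empty value must be a single RFC 1123 DNS label (max 63 chars).`, and the same comment belongs on the identical markers in the AuthSpec hunk. The `Name` field directly above receives no constraint at all; if it is used as the name of a Kubernetes object it is bound by the DNS-subdomain rules (up to 253 characters), which could be expressed with the same two markers. Note also that CRD validation runs only on create and update, so a stored object with a non-conforming namespace is not rejected until it is next written; checking existing objects of this CRD before upgrading would show whether that matters here.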
@@ -45,6 +47,8 @@ type GatewaySpec struct {
 type AuthSpec struct {
 // Namespace where it is deployed. If not provided, the default is to
 // use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI.
+ // +kubebuilder:validation:Pattern="^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$"
+ // +kubebuilder:validation:MaxLength=63
 Namespace string `json:"namespace,omitempty"`
 // Audiences is a list of the identifiers that the resource server presented
 // with the token identifies as. Audience-aware token authenticators will verify
diff --git a/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml b/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml
index 5cb7b2a2d2f..97b4bbbd4d0 100644
--- a/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml
+++ b/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml
@@ -126,6 +126,8 @@ spec:
 description: |-
 Namespace where it is deployed. If not provided, the default is to
 use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI.
+ maxLength: 63
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$
 type: string
 type: object
 controlPlane:
@@ -152,6 +154,8 @@ spec:
 default: istio-system
 description: Namespace is a namespace where Service Mesh is deployed.
 Defaults to "istio-system".
+ maxLength: 63
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$
 type: string
 type: object
 managementState:
diff --git a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
index edacd9cf82e..0bfe61be9ee 100644
--- a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
+++ b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
@@ -126,6 +126,8 @@ spec:
 description: |-
 Namespace where it is deployed. If not provided, the default is to
 use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI.
+ maxLength: 63
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$
 type: string
 type: object
 controlPlane:
@@ -152,6 +154,8 @@ spec:
 default: istio-system
 description: Namespace is a namespace where Service Mesh is deployed.
 Defaults to "istio-system".
+ maxLength: 63
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$
 type: string
 type: object
 managementState:
diff --git a/docs/api-overview.md b/docs/api-overview.md
index 0f0f7030595..1d915d31b24 100644
--- a/docs/api-overview.md
+++ b/docs/api-overview.md
@@ -347,7 +347,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `namespace` _string_ | Namespace where it is deployed. If not provided, the default is to
use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI. | | | +| `namespace` _string_ | Namespace where it is deployed. If not provided, the default is to
use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI. | | MaxLength: 63
Pattern: `^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$`
| | `audiences` _string_ | Audiences is a list of the identifiers that the resource server presented
with the token identifies as. Audience-aware token authenticators will verify
that the token was intended for at least one of the audiences in this list.
If no audiences are provided, the audience will default to the audience of the
Kubernetes apiserver (kubernetes.default.svc). | [https://kubernetes.default.svc] | | @@ -443,7 +443,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `name` _string_ | Name is a name Service Mesh Control Plane. Defaults to "data-science-smcp". | data-science-smcp | | -| `namespace` _string_ | Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system". | istio-system | | +| `namespace` _string_ | Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system". | istio-system | MaxLength: 63
Pattern: `^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$`
| | `metricsCollection` _string_ | MetricsCollection specifies if metrics from components on the Mesh namespace
should be collected. Setting the value to "Istio" will collect metrics from the
control plane and any proxies on the Mesh namespace (like gateway pods). Setting
to "None" will disable metrics collection. | Istio | Enum: [Istio None]
|