From cbfa40e49c959192ca165d878b5919276a37a537 Mon Sep 17 00:00:00 2001
From: Bartosz Majsak
Date: Wed, 25 Sep 2024 18:23:24 +0200
Subject: [PATCH] fix(crd): adds validation pattern and max length for ns fields (#1261)
This commit introduces a validation pattern and maximum length constraint to the `Namespace` fields in our structs. We have missed it in the early days. Validation rules ensure that namespace names does not exceed max length defined and are valid [RFC 1123 DNS labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns).
(cherry picked from commit 5648ee9c95d2a43d3060b34188d03f626c2c1e62)
---
 apis/infrastructure/v1/servicemesh_types.go | 4 ++++
 .../dscinitialization.opendatahub.io_dscinitializations.yaml | 4 ++++
 .../dscinitialization.opendatahub.io_dscinitializations.yaml | 4 ++++
 docs/api-overview.md | 4 ++--
 4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/apis/infrastructure/v1/servicemesh_types.go b/apis/infrastructure/v1/servicemesh_types.go
index bfa81ec8b0f..659ee781aac 100644
--- a/apis/infrastructure/v1/servicemesh_types.go
+++ b/apis/infrastructure/v1/servicemesh_types.go
@@ -20,6 +20,8 @@ type ControlPlaneSpec struct {
 Name string `json:"name,omitempty"`
 // Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system".
 // +kubebuilder:default=istio-system
+ // +kubebuilder:validation:Pattern="^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$"
+ // +kubebuilder:validation:MaxLength=63
 Namespace string `json:"namespace,omitempty"`
 // MetricsCollection specifies if metrics from components on the Mesh namespace
 // should be collected. Setting the value to "Istio" will collect metrics from the
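Review bot: The new pattern on `ControlPlaneSpec.Namespace` still accepts the empty string, because the whole label sits inside an optional group (`(...)?$`). CRD defaulting fills in `istio-system` only when the field is omitted, so an explicit `namespace: ""` passes admission and reaches the controller without the default; whether the reconciler copes with that is not visible in this hunk. If an empty control-plane namespace is not meant to be accepted, add `// +kubebuilder:validation:MinLength=1` next to the two new markers; otherwise a comment such as `// An empty value is accepted and treated as the default.` would record the intent. The struct continues outside the hunk.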
@@ -45,6 +47,8 @@ type GatewaySpec struct { type AuthSpec struct { // Namespace where it is deployed. If not provided, the default is to // use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI. + // +kubebuilder:validation:Pattern="^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$" + // +kubebuilder:validation:MaxLength=63 Namespace string `json:"namespace,omitempty"` // Audiences is a list of the identifiers that the resource server presented // with the token identifies as. Audience-aware token authenticators will verify diff --git a/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml b/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml index 7ab80a3d8ac..34de2179bac 100644 --- a/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml +++ b/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml @@ -126,6 +126,8 @@ spec: description: |- Namespace where it is deployed. If not provided, the default is to use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI. + maxLength: 63 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$ type: string type: object controlPlane: @@ -152,6 +154,8 @@ spec: default: istio-system description: Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system". + maxLength: 63 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$ type: string type: object managementState: diff --git a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml index fae3c846fda..eab175d0b05 100644 --- a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml +++ b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml 
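Review bot: On `AuthSpec.Namespace` in apis/infrastructure/v1/servicemesh_types.go, the 63-character limit covers only a value the user sets explicitly; the documented fallback appends `-auth-provider` (14 characters) to the DSCI ApplicationsNamespace, and that derived name is not checked by these markers. An ApplicationsNamespace longer than 49 characters would then yield a name that is rejected at reconcile time rather than at admission, assuming ApplicationsNamespace itself allows up to 63 characters; its validation is outside this diff. I would record this in the field comment, e.g. `// When empty, "<ApplicationsNamespace>-auth-provider" is used and must itself fit in 63 characters.`, and check the derived name where it is built. The struct continues outside the hunk.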
@@ -126,6 +126,8 @@ spec: description: |- Namespace where it is deployed. If not provided, the default is to use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI. + maxLength: 63 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$ type: string type: object controlPlane: @@ -152,6 +154,8 @@ spec: default: istio-system description: Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system". + maxLength: 63 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$ type: string type: object managementState: diff --git a/docs/api-overview.md b/docs/api-overview.md index 18d957750fb..026bcddd121 100644 --- a/docs/api-overview.md +++ b/docs/api-overview.md @@ -323,7 +323,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `namespace` _string_ | Namespace where it is deployed. If not provided, the default is to
use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI. | | | +| `namespace` _string_ | Namespace where it is deployed. If not provided, the default is to
use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI. | | MaxLength: 63
Pattern: `^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$`
| | `audiences` _string_ | Audiences is a list of the identifiers that the resource server presented
with the token identifies as. Audience-aware token authenticators will verify
that the token was intended for at least one of the audiences in this list.
If no audiences are provided, the audience will default to the audience of the
Kubernetes apiserver (kubernetes.default.svc). | [https://kubernetes.default.svc] | | @@ -419,7 +419,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `name` _string_ | Name is a name Service Mesh Control Plane. Defaults to "data-science-smcp". | data-science-smcp | | -| `namespace` _string_ | Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system". | istio-system | | +| `namespace` _string_ | Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system". | istio-system | MaxLength: 63
Pattern: `^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$`
| | `metricsCollection` _string_ | MetricsCollection specifies if metrics from components on the Mesh namespace
should be collected. Setting the value to "Istio" will collect metrics from the
control plane and any proxies on the Mesh namespace (like gateway pods). Setting
to "None" will disable metrics collection. | Istio | Enum: [Istio None]
|