validation

package
v1.18.0-rc3

This package is not in the latest version of its module.
Published: Dec 2, 2024 License: Apache-2.0 Imports: 5 Imported by: 0

README

Validation Feature

Overview

The validation feature is a suite of tests that validate the behavior of the validation webhook with invalid configurations. The tests are run against a Gloo Gateway installation with the validation webhook enabled with different settings.

The validation webhook settings are controlled by the validation field in the settings CRD and by the validation helm field. The field includes the following values:

| Field | Type | Description |
| --- | --- | --- |
| alwaysAccept | bool | Always accept resources even if validation produced an error. Validation will still log the error and increment the validation.gateway.solo.io/resources_rejected stat. Currently defaults to true - must be set to false to prevent writing invalid resources to storage. |
| allowWarnings | bool | Accept resources if validation produced a warning (defaults to true). By setting to false, this means that validation will start rejecting resources that would result in warnings, rather than just those that would result in errors. Note that this setting has no impact on Kubernetes Gateway API validation, as warnings will always be allowed in that context. |
| warnMissingTlsSecret | bool | Treat a missing TLS secret referenced by an SslConfig or UpstreamSslConfig as a warning instead of error (defaults to true). By setting to false, this means that Gloo will start assigning errors to proxies generated from VirtualService and Upstream resources that reference a non-existent TLS secret, causing validation to fail. |
| warnRouteShortCircuiting | bool | Write a warning to route resources if validation produced a route ordering warning (defaults to false). By setting to true, this means that Gloo will start assigning warnings to resources that would result in route short-circuiting within a virtual host, for example: prefix routes that make later routes unreachable; regex routes that make later routes unreachable; duplicate matchers. |
| disableTransformationValidation | bool | By default gloo will attempt to validate transformations by calling out to a local envoy binary in validate mode. Calling this local envoy binary can become slow when done many times during a single validation. Setting this to true will stop gloo from calling out to envoy to validate the transformations, which may speed up the validation time considerably, but may also cause the transformation config to fail after being sent to envoy. When disabling this, ensure that your transformations are valid prior to applying them. |
| serverEnabled | bool | By providing the validation field (parent of this object) the user is implicitly opting into validation. This field allows the user to opt out of the validation server, while still configuring pre-existing fields such as warn_route_short_circuiting and disable_transformation_validation. If not included, the validation server will be enabled. |

The failurePolicy field on the gateway configures the failure policy of the validation webhook configuration. It determines whether resources are rejected by default when a Gateway cannot communicate with Gloo (e.g. Gloo is offline).

Test Combinations

The below table contains the combinations that are run in the test suite.

| Setup Name | Suites Run | Description | Run Location |
| --- | --- | --- | --- |
| strict validation | validation_strict_warnings, validation_reject_invalid | allowWarnings=false, alwaysAccept=false | validation_strict_test.go |
| allow warnings validation | validation_allow_warnings, validation_reject_invalid | allowWarnings=true, alwaysAccept=false | edge_gw_test.go |
| allow all validation | validation_allow_warnings, validation_always_accept | allowWarnings=true, alwaysAccept=true | validation_always_accept_test.go |
| disable transformation validation | transformation_validation_disabled | disableTransformationValidation=true | disabled_transformation_validation_test.go |

When the validation webhook is enabled, an invalid resource cannot be applied to the cluster. When invalid resources are accepted (alwaysAccept=true), a status should appear on the resource with the correct status state and message.
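
The admission outcomes implied by the settings table and the test combinations above, written out as an added Go example. It is not code from Gloo Gateway or from this package: the Settings and Result types and the Admit function are hypothetical names, and the decision order is an assumption drawn from the field descriptions on this page.

```go
package main

import "fmt"

// Settings models two fields from the table above; nil means "not set", so the
// documented default applies. Hypothetical type, not Gloo Gateway's own API.
type Settings struct{ AlwaysAccept, AllowWarnings *bool }

// Result is a constructed stand-in for what validation reported on one resource.
type Result struct {
	Errors, Warnings int
	KubeGatewayAPI   bool // warnings are always allowed in that context
}

func orDefault(p *bool, def bool) bool {
	if p == nil {
		return def
	}
	return *p
}

// Admit reports whether the resource would be written to storage, and why.
func Admit(s Settings, r Result) (bool, string) {
	alwaysAccept := orDefault(s.AlwaysAccept, true)   // documented default
	allowWarnings := orDefault(s.AllowWarnings, true) // documented default
	switch {
	case alwaysAccept && r.Errors > 0:
		return true, "accepted with errors (logged and counted only)"
	case alwaysAccept:
		return true, "accepted"
	case r.Errors > 0:
		return false, "rejected: validation error"
	case r.Warnings > 0 && !allowWarnings && !r.KubeGatewayAPI:
		return false, "rejected: warning with allowWarnings=false"
	}
	return true, "accepted"
}

func b(v bool) *bool { return &v }

func main() {
	names := []string{"defaults", "strict", "allow warnings", "allow all"}
	setups := []Settings{{}, {b(false), b(false)}, {b(false), b(true)}, {b(true), b(true)}}
	for i, s := range setups {
		okErr, why := Admit(s, Result{Errors: 1})
		okWarn, _ := Admit(s, Result{Warnings: 1})
		fmt.Printf("%-15s invalid admitted=%-5v (%s) warning admitted=%v\n", names[i], okErr, why, okWarn)
	}
}
```

The "defaults" row behaves like "allow all": with nothing set, an invalid resource is still admitted, which is why alwaysAccept must be set to false explicitly.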

Documentation

Constants

const (
	ExampleVsName                 = "example-vs"
	ExampleUpstreamName           = "nginx-upstream"
	SplitWebhookBasicUpstreamName = "json-upstream"

	ValidVsName   = "i-am-valid"
	InvalidVsName = "i-am-invalid"
)

Variables

var (
	// setup configs
	ExampleVS       = filepath.Join(util.MustGetThisDir(), "testdata", "example-vs.yaml")
	ExampleUpstream = filepath.Join(util.MustGetThisDir(), "testdata", "example-upstream.yaml")

	// Switch VirtualService configs (allow warnings)
	InvalidVS = filepath.Join(util.MustGetThisDir(), "testdata", "switch-vs", "invalid-vs.yaml")
	ValidVS   = filepath.Join(util.MustGetThisDir(), "testdata", "switch-vs", "valid-vs.yaml")
	SwitchVS  = filepath.Join(util.MustGetThisDir(), "testdata", "switch-vs", "switch-valid-invalid.yaml")

	// Secret Configs (allow warnings, strict tests)
	SecretVSTemplate = filepath.Join(util.MustGetThisDir(), "testdata", "secret-deletion", "vs-with-secret.yaml")
	UnusedSecret     = filepath.Join(util.MustGetThisDir(), "testdata", "secret-deletion", "unused-secret.yaml")
	Secret           = filepath.Join(util.MustGetThisDir(), "testdata", "secret-deletion", "secret.yaml")

	// Invalid resources (allow warnings, strict, allow all)
	InvalidUpstreamNoPort         = filepath.Join(util.MustGetThisDir(), "testdata", "invalid-resources", "invalid-upstream-no-port.yaml")
	InvalidGateway                = filepath.Join(util.MustGetThisDir(), "testdata", "invalid-resources", "gateway.yaml")
	InvalidVirtualServiceMatcher  = filepath.Join(util.MustGetThisDir(), "testdata", "invalid-resources", "vs-method-matcher.yaml")
	InvalidVirtualServiceTypo     = filepath.Join(util.MustGetThisDir(), "testdata", "invalid-resources", "vs-typo.yaml")
	InvalidVirtualMissingUpstream = filepath.Join(util.MustGetThisDir(), "testdata", "invalid-resources", "vs-no-upstream.yaml")
	InvalidRLC                    = filepath.Join(util.MustGetThisDir(), "testdata", "invalid-resources", "rlc.yaml")

	// transformation validation (allow warnings, server_enabled)
	VSTransformationExtractors    = filepath.Join(util.MustGetThisDir(), "testdata", "transformation", "vs-transform-extractors.yaml")
	VSTransformationHeaderText    = filepath.Join(util.MustGetThisDir(), "testdata", "transformation", "vs-transform-header-text.yaml")
	VSTransformationSingleReplace = filepath.Join(util.MustGetThisDir(), "testdata", "transformation", "vs-transform-single-replace.yaml")

	// Valid resources
	LargeConfiguration = filepath.Join(util.MustGetThisDir(), "testdata", "valid-resources", "large-configuration.yaml")

	// Split webhook validation
	BasicUpstream = filepath.Join(util.MustGetThisDir(), "testdata", "split-webhook", "basic-upstream.yaml")

	GlooFailurePolicyFailValues   = filepath.Join(util.MustGetThisDir(), "testdata", "split-webhook", "gloo-webhook-failure-policy-fail-values.yaml")
	KubeFailurePolicyFailValues   = filepath.Join(util.MustGetThisDir(), "testdata", "split-webhook", "kube-webhook-failure-policy-fail-values.yaml")
	GlooFailurePolicyIgnoreValues = filepath.Join(util.MustGetThisDir(), "testdata", "split-webhook", "gloo-webhook-failure-policy-ignore-values.yaml")
	KubeFailurePolicyIgnoreValues = filepath.Join(util.MustGetThisDir(), "testdata", "split-webhook", "kube-webhook-failure-policy-ignore-values.yaml")

	ExpectedUpstreamResp = &testmatchers.HttpResponse{
		StatusCode: http.StatusOK,
		Body:       gomega.ContainSubstring("Welcome to nginx!"),
	}
)

Functions

This section is empty.

Types

This section is empty.
