Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Add and test single filter action per header restriction #1497

Merged
merged 4 commits into from
Nov 9, 2022

Conversation

rainest
Copy link
Contributor

@rainest rainest commented Oct 31, 2022

What type of PR is this?
/kind documentation

What this PR does / why we need it:

Documents restrictions on header filters and how implementations should handle invalid filters. Header filters cannot modify the same header twice. When users require multiple values for the same header, they must specify the comma-separated values in configuration.

Adds a conformance test confirming that invalid headers result in a false Accepted Condition with reason RouteReasonUnsupportedValue.

Adds a webhook rule that rejects header filters that violate the single action per header rule.

Which issue(s) this PR fixes:

Fix #480. Order of operations is a moot point if there is only one action for a given header, and there are no outcomes that actually require multiple actions.

Does this PR introduce a user-facing change?:

HTTPRequestHeaderFilter and HTTPResponseHeaderFilter forbid configuring multiple actions for the same header.

@k8s-ci-robot k8s-ci-robot added kind/documentation Categorizes issue or PR as related to documentation. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 31, 2022
@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 31, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @rainest. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rainest
Copy link
Contributor Author

rainest commented Oct 31, 2022

Kong/kubernetes-ingress-controller#3119 demonstrates a draft implementation in Kong's implementation. Not quite sure what the expected chicken-before-egg order is for demonstrating changes that aren't actually in the spec yet.

https://github.com/Kong/kubernetes-ingress-controller/actions/runs/3365550934/jobs/5581123044 is a simplified conformance run that runs this test only.

I originally included a test for multiple of the same action, but it turns out this is already forbidden by the schema. Something like:

    - type: RequestHeaderModifier
      requestHeaderModifier:
        set:
        - name: X-Header-Set
          value: one
        - name: X-Header-Set
          value: two

is rejected by the API server with

The HTTPRoute "invalid-request-header-modifier-same-action" is invalid: spec.rules[0].filters[0].requestHeaderModifier.set[1]: Duplicate value: map[string]interface {}{"name":"X-Header-Set"}

Copy link
Member

@robscott robscott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching this @rainest!

apis/v1beta1/httproute_types.go Outdated Show resolved Hide resolved
conformance/tests/httproute-request-header-modifier.go Outdated Show resolved Hide resolved
Reason: string(v1beta1.RouteReasonUnsupportedValue),
}

kubernetes.HTTPRouteMustHaveCondition(t, suite.Client, suite.TimeoutConfig, route, gwNN, headerConflictCond)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we do solve this with webhook validation, we either may not need this conformance test, or we should explicitly require that conformance tests are run without the validating webhook present so we can ensure that controllers still behave well in its absence. I tend to think we should just start with webhook validation, but open to other opinions here.

/cc @youngnick

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that we probably only want the webhook--we may as well avoid the additional implementation burden. I've updated the docstring to remove references to the condition as such, since these should never reach implementations.

@robscott
Copy link
Member

robscott commented Nov 1, 2022

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 1, 2022
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 2, 2022
Add documentation for HTTPHeaderFilter establishing a single action per
header limit, with explanation and examples showing the expected CSV
format for multiple-value headers.
Add an HTTPRoute webhook validation rule for RequestHeaderModifier and
ResponseHeaderModifier filters. The rule rejects filters that contain
multiple actions for the same header name.
@rainest rainest requested review from robscott and removed request for mikemorris, keithmattix and youngnick November 2, 2022 22:17
Copy link
Member

@robscott robscott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @rainest!

apis/v1beta1/httproute_types.go Outdated Show resolved Hide resolved
apis/v1beta1/validation/httproute_test.go Show resolved Hide resolved
apis/v1beta1/validation/httproute_test.go Show resolved Hide resolved
Ignore case when checking to see if a header has multiple actions
defined.

Add tests for case insensitivity, valid header filters, and multiple of
the same action for the same header.
@youngnick
Copy link
Contributor

Aside from the minor change @robscott asked for, and the followups about clarifying the webhook's position, this LGTM.

@youngnick
Copy link
Contributor

Oops, I meant to approve, so I can leave the final LGTM to someone else.

/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 8, 2022
@robscott
Copy link
Member

robscott commented Nov 9, 2022

Thanks @rainest!

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 9, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rainest, robscott, youngnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/documentation Categorizes issue or PR as related to documentation. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

HTTPRequestHeaderFilter should specify the order of operations
4 participants