Product code review

Author: sjberman

apis/v1alpha1/observabilitypolicy_types.go

@@ -64,6 +64,7 @@ type Tracing struct {
 
 	// Ratio is the percentage of traffic that should be sampled. Integer from 0 to 100.
 	// By default, 100% of http requests are traced. Not applicable for parent-based tracing.
+	// If ratio is set to 0, tracing is disabled.
 	//
 	// +optional
 	// +kubebuilder:validation:Minimum=0

config/crd/bases/gateway.nginx.org_observabilitypolicies.yaml

@@ -108,6 +108,7 @@ spec:
                     description: |-
                       Ratio is the percentage of traffic that should be sampled. Integer from 0 to 100.
                       By default, 100% of http requests are traced. Not applicable for parent-based tracing.
+                      If ratio is set to 0, tracing is disabled.
                     format: int32
                     maximum: 100
                     minimum: 0

deploy/crds.yaml

@@ -890,6 +890,7 @@ spec:
                     description: |-
                       Ratio is the percentage of traffic that should be sampled. Integer from 0 to 100.
                       By default, 100% of http requests are traced. Not applicable for parent-based tracing.
+                      If ratio is set to 0, tracing is disabled.
                     format: int32
                     maximum: 100
                     minimum: 0

internal/framework/kinds/kinds.go

@@ -25,6 +25,8 @@ const (
 const (
 	// ClientSettingsPolicy is the ClientSettingsPolicy kind.
 	ClientSettingsPolicy = "ClientSettingsPolicy"
+	// ObservabilityPolicy is the ObservabilityPolicy kind.
+	ObservabilityPolicy = "ObservabilityPolicy"
 	// NginxProxy is the NginxProxy kind.
 	NginxProxy = "NginxProxy"
 )

internal/mode/static/policies/clientsettings/generator.go

@@ -37,7 +37,7 @@ keepalive_timeout {{ .KeepAlive.Timeout.Server }};
 `
 
 // Generate generates configuration as []byte for a ClientSettingsPolicy.
-func Generate(policy policies.Policy, _ *ngfAPI.NginxProxy) []byte {
+func Generate(policy policies.Policy, _ *policies.GlobalPolicySettings) []byte {
 	csp := helpers.MustCastObject[*ngfAPI.ClientSettingsPolicy](policy)
 
 	return helpers.MustExecuteTemplate(tmpl, csp.Spec)

internal/mode/static/policies/clientsettings/validator.go

@@ -1,11 +1,8 @@
 package clientsettings
 
 import (
-	"slices"
-
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
-	"sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	ngfAPI "github.com/nginxinc/nginx-gateway-fabric/apis/v1alpha1"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/conditions"
@@ -28,10 +25,12 @@ func NewValidator(genericValidator validation.GenericValidator) *Validator {
 }
 
 // Validate validates the spec of a ClientSettingsPolicy.
-func (v *Validator) Validate(policy policies.Policy, _ *policies.ValidationContext) []conditions.Condition {
+func (v *Validator) Validate(policy policies.Policy, _ *policies.GlobalPolicySettings) []conditions.Condition {
 	csp := helpers.MustCastObject[*ngfAPI.ClientSettingsPolicy](policy)
 
-	if err := validateTargetRef(csp.Spec.TargetRef); err != nil {
+	targetRefPath := field.NewPath("spec").Child("targetRef")
+	supportedKinds := []gatewayv1.Kind{kinds.Gateway, kinds.HTTPRoute, kinds.GRPCRoute}
+	if err := policies.ValidateTargetRef(csp.Spec.TargetRef, targetRefPath, supportedKinds); err != nil {
 		return []conditions.Condition{staticConds.NewPolicyInvalid(err.Error())}
 	}
 
@@ -79,34 +78,6 @@ func conflicts(a, b ngfAPI.ClientSettingsPolicySpec) bool {
 	return false
 }
 
-func validateTargetRef(ref v1alpha2.LocalPolicyTargetReference) error {
-	basePath := field.NewPath("spec").Child("targetRef")
-
-	if ref.Group != gatewayv1.GroupName {
-		path := basePath.Child("group")
-
-		return field.NotSupported(
-			path,
-			ref.Group,
-			[]string{gatewayv1.GroupName},
-		)
-	}
-
-	supportedKinds := []gatewayv1.Kind{kinds.Gateway, kinds.HTTPRoute, kinds.GRPCRoute}
-
-	if !slices.Contains(supportedKinds, ref.Kind) {
-		path := basePath.Child("kind")
-
-		return field.NotSupported(
-			path,
-			ref.Kind,
-			supportedKinds,
-		)
-	}
-
-	return nil
-}
-
 // validateSettings performs validation on fields in the spec that are vulnerable to code injection.
 // For all other fields, we rely on the CRD validation.
 func (v *Validator) validateSettings(spec ngfAPI.ClientSettingsPolicySpec) error {

internal/mode/static/policies/clientsettings/validator_test.go

@@ -1,8 +1,6 @@
 package clientsettings_test
 
 import (
-	"fmt"
-	"strings"
 	"testing"
 
 	. "github.com/onsi/gomega"
@@ -11,11 +9,13 @@ import (
 	"sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	ngfAPI "github.com/nginxinc/nginx-gateway-fabric/apis/v1alpha1"
+	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/conditions"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/helpers"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/kinds"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/nginx/config/validation"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/policies/clientsettings"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/policies/policiesfakes"
+	staticConds "github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/state/conditions"
 )
 
 type policyModFunc func(policy *ngfAPI.ClientSettingsPolicy) *ngfAPI.ClientSettingsPolicy
@@ -54,33 +54,43 @@ func createModifiedPolicy(mod policyModFunc) *ngfAPI.ClientSettingsPolicy {
 
 func TestValidator_Validate(t *testing.T) {
 	tests := []struct {
-		name             string
-		policy           *ngfAPI.ClientSettingsPolicy
-		expErrSubstrings []string
+		name          string
+		policy        *ngfAPI.ClientSettingsPolicy
+		expConditions []conditions.Condition
 	}{
 		{
 			name: "invalid target ref; unsupported group",
 			policy: createModifiedPolicy(func(p *ngfAPI.ClientSettingsPolicy) *ngfAPI.ClientSettingsPolicy {
 				p.Spec.TargetRef.Group = "Unsupported"
 				return p
 			}),
-			expErrSubstrings: []string{"spec.targetRef.group"},
+			expConditions: []conditions.Condition{
+				staticConds.NewPolicyInvalid("spec.targetRef.group: Unsupported value: \"Unsupported\": " +
+					"supported values: \"gateway.networking.k8s.io\""),
+			},
 		},
 		{
 			name: "invalid target ref; unsupported kind",
 			policy: createModifiedPolicy(func(p *ngfAPI.ClientSettingsPolicy) *ngfAPI.ClientSettingsPolicy {
 				p.Spec.TargetRef.Kind = "Unsupported"
 				return p
 			}),
-			expErrSubstrings: []string{"spec.targetRef.kind"},
+			expConditions: []conditions.Condition{
+				staticConds.NewPolicyInvalid("spec.targetRef.kind: Unsupported value: \"Unsupported\": " +
+					"supported values: \"Gateway\", \"HTTPRoute\", \"GRPCRoute\""),
+			},
 		},
 		{
 			name: "invalid client max body size",
 			policy: createModifiedPolicy(func(p *ngfAPI.ClientSettingsPolicy) *ngfAPI.ClientSettingsPolicy {
 				p.Spec.Body.MaxSize = helpers.GetPointer[ngfAPI.Size]("invalid")
 				return p
 			}),
-			expErrSubstrings: []string{"spec.body.maxSize"},
+			expConditions: []conditions.Condition{
+				staticConds.NewPolicyInvalid("spec.body.maxSize: Invalid value: \"invalid\": ^\\d{1,4}(k|m|g)?$ " +
+					"(e.g. '1024',  or '8k',  or '20m',  or '1g', regex used for validation is 'must contain a number. " +
+					"May be followed by 'k', 'm', or 'g', otherwise bytes are assumed')"),
+			},
 		},
 		{
 			name: "invalid durations",
@@ -91,11 +101,14 @@ func TestValidator_Validate(t *testing.T) {
 				p.Spec.KeepAlive.Timeout.Header = helpers.GetPointer[ngfAPI.Duration]("invalid")
 				return p
 			}),
-			expErrSubstrings: []string{
-				"spec.body.timeout",
-				"spec.keepAlive.time",
-				"spec.keepAlive.timeout.server",
-				"spec.keepAlive.timeout.header",
+			expConditions: []conditions.Condition{
+				staticConds.NewPolicyInvalid("[spec.body.timeout: Invalid value: \"invalid\": \\d{1,4}(ms|s)? " +
+					"(e.g. '5ms',  or '10s', regex used for validation is 'must contain a number followed by 'ms' or 's''), " +
+					"spec.keepAlive.time: Invalid value: \"invalid\": \\d{1,4}(ms|s)? (e.g. '5ms',  or '10s', regex used for " +
+					"validation is 'must contain a number followed by 'ms' or 's''), spec.keepAlive.timeout.server: Invalid value: " +
+					"\"invalid\": \\d{1,4}(ms|s)? (e.g. '5ms',  or '10s', regex used for validation is 'must contain a number " +
+					"followed by 'ms' or 's''), spec.keepAlive.timeout.header: Invalid value: \"invalid\": \\d{1,4}(ms|s)? " +
+					"(e.g. '5ms',  or '10s', regex used for validation is 'must contain a number followed by 'ms' or 's'')]"),
 			},
 		},
 		{
@@ -104,12 +117,15 @@ func TestValidator_Validate(t *testing.T) {
 				p.Spec.KeepAlive.Timeout.Server = nil
 				return p
 			}),
-			expErrSubstrings: []string{"spec.keepAlive.timeout"},
+			expConditions: []conditions.Condition{
+				staticConds.NewPolicyInvalid("spec.keepAlive.timeout: Invalid value: \"null\": " +
+					"server timeout must be set if header timeout is set"),
+			},
 		},
 		{
-			name:             "valid",
-			policy:           createValidPolicy(),
-			expErrSubstrings: nil,
+			name:          "valid",
+			policy:        createValidPolicy(),
+			expConditions: nil,
 		},
 	}
 
@@ -120,23 +136,7 @@ func TestValidator_Validate(t *testing.T) {
 			g := NewWithT(t)
 
 			conds := v.Validate(test.policy, nil)
-
-			if len(test.expErrSubstrings) == 0 {
-				g.Expect(conds).To(BeEmpty())
-			} else {
-				g.Expect(conds).ToNot(BeEmpty())
-			}
-
-			for _, str := range test.expErrSubstrings {
-				var msg string
-				for _, cond := range conds {
-					if strings.Contains(cond.Message, str) {
-						msg = cond.Message
-						break
-					}
-				}
-				g.Expect(msg).To(ContainSubstring(str), fmt.Sprintf("error not found in %v", conds))
-			}
+			g.Expect(conds).To(Equal(test.expConditions))
 		})
 	}
 }

internal/mode/static/policies/manager.go

@@ -7,20 +7,19 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
-	ngfAPI "github.com/nginxinc/nginx-gateway-fabric/apis/v1alpha1"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/conditions"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/kinds"
 )
 
 // GenerateFunc generates config as []byte for an NGF Policy.
-type GenerateFunc func(policy Policy, globalSettings *ngfAPI.NginxProxy) []byte
+type GenerateFunc func(policy Policy, globalSettings *GlobalPolicySettings) []byte
 
 // Validator validates an NGF Policy.
 //
 //counterfeiter:generate . Validator
 type Validator interface {
 	// Validate validates an NGF Policy.
-	Validate(policy Policy, policyValidationCtx *ValidationContext) []conditions.Condition
+	Validate(policy Policy, globalSettings *GlobalPolicySettings) []conditions.Condition
 	// Conflicts returns true if the two Policies conflict.
 	Conflicts(a, b Policy) bool
 }
@@ -63,7 +62,7 @@ func NewManager(
 }
 
 // Generate generates config for the policy as a byte array.
-func (m *Manager) Generate(policy Policy, globalSettings *ngfAPI.NginxProxy) []byte {
+func (m *Manager) Generate(policy Policy, globalSettings *GlobalPolicySettings) []byte {
 	gvk := m.mustExtractGVK(policy)
 
 	generate, ok := m.generators[gvk]
@@ -75,15 +74,15 @@ func (m *Manager) Generate(policy Policy, globalSettings *ngfAPI.NginxProxy) []b
 }
 
 // Validate validates the policy.
-func (m *Manager) Validate(policy Policy, policyValidationCtx *ValidationContext) []conditions.Condition {
+func (m *Manager) Validate(policy Policy, globalSettings *GlobalPolicySettings) []conditions.Condition {
 	gvk := m.mustExtractGVK(policy)
 
 	validator, ok := m.validators[gvk]
 	if !ok {
 		panic(fmt.Sprintf("no validator registered for policy %T", policy))
 	}
 
-	return validator.Validate(policy, policyValidationCtx)
+	return validator.Validate(policy, globalSettings)
 }
 
 // Conflicts returns true if the policies conflict.

internal/mode/static/policies/manager_test.go

@@ -6,7 +6,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	ngfAPI "github.com/nginxinc/nginx-gateway-fabric/apis/v1alpha1"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/conditions"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/policies"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/policies/policiesfakes"
@@ -43,24 +42,24 @@ var _ = Describe("Policy Manager", func() {
 		mustExtractGVK,
 		policies.ManagerConfig{
 			Validator: &policiesfakes.FakeValidator{
-				ValidateStub: func(_ policies.Policy, _ *policies.ValidationContext) []conditions.Condition {
+				ValidateStub: func(_ policies.Policy, _ *policies.GlobalPolicySettings) []conditions.Condition {
 					return []conditions.Condition{staticConds.NewPolicyInvalid("apple error")}
 				},
 				ConflictsStub: func(_ policies.Policy, _ policies.Policy) bool { return true },
 			},
-			Generator: func(_ policies.Policy, _ *ngfAPI.NginxProxy) []byte {
+			Generator: func(_ policies.Policy, _ *policies.GlobalPolicySettings) []byte {
 				return []byte("apple")
 			},
 			GVK: appleGVK,
 		},
 		policies.ManagerConfig{
 			Validator: &policiesfakes.FakeValidator{
-				ValidateStub: func(_ policies.Policy, _ *policies.ValidationContext) []conditions.Condition {
+				ValidateStub: func(_ policies.Policy, _ *policies.GlobalPolicySettings) []conditions.Condition {
 					return []conditions.Condition{staticConds.NewPolicyInvalid("orange error")}
 				},
 				ConflictsStub: func(_ policies.Policy, _ policies.Policy) bool { return false },
 			},
-			Generator: func(_ policies.Policy, _ *ngfAPI.NginxProxy) []byte {
+			Generator: func(_ policies.Policy, _ *policies.GlobalPolicySettings) []byte {
 				return []byte("orange")
 			},
 			GVK: orangeGVK,

internal/mode/static/policies/observability/generator.go

@@ -31,7 +31,7 @@ otel_span_attr "{{ $attr.Key }}" "{{ $attr.Value }}";
 `
 
 // Generate generates configuration as []byte for an ObservabilityPolicy.
-func Generate(policy policies.Policy, globalSettings *ngfAPI.NginxProxy) []byte {
+func Generate(policy policies.Policy, globalSettings *policies.GlobalPolicySettings) []byte {
 	obs := helpers.MustCastObject[*ngfAPI.ObservabilityPolicy](policy)
 
 	var strategy string
@@ -54,8 +54,8 @@ func Generate(policy policies.Policy, globalSettings *ngfAPI.NginxProxy) []byte
 	}
 
 	var spanAttributes []ngfAPI.SpanAttribute
-	if globalSettings != nil && globalSettings.Spec.Telemetry != nil {
-		spanAttributes = globalSettings.Spec.Telemetry.SpanAttributes
+	if globalSettings != nil {
+		spanAttributes = globalSettings.TracingSpanAttributes
 	}
 
 	fields := map[string]interface{}{
@@ -73,5 +73,5 @@ func CreateRatioVarName(policy *ngfAPI.ObservabilityPolicy) string {
 	namespace := strings.ReplaceAll(policy.GetNamespace(), "-", "_")
 	name := strings.ReplaceAll(policy.GetName(), "-", "_")
 
-	return fmt.Sprintf("$ratio_%s_%s", namespace, name)
+	return fmt.Sprintf("$ratio_ns_%s_name_%s", namespace, name)
 }