envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0
1.63k stars 355 forks source link

Kubeconform can't validate gateway after 1.1.0 changes #4049

Open davem-git opened 3 months ago

davem-git commented 3 months ago

Description: We validate all of our workloads with kubeconform . It can take custom CDR which we have a script that generates it from finding all the CDR's in our workload directly. This used to work fine, it generated a validation for gateway. With the upgrade of v.1.1.0 it and the addition of https://github.com/envoyproxy/gateway/pull/4020/files#diff-85e94dab8d1c67629c15c4000ac7bcf1eb1a4c55f006ee5afc1d9c6ce69872d1R28-R31. this validation now fails.

When I generate the json validation from the CDR., it misses this. I can verify this is expected by looking at the CDR

https://github.com/envoyproxy/gateway/blob/release/v1.1.0/charts/gateway-helm/crds/gatewayapi-crds.yaml#L1219-L1478

its not in there. I do see it v1beta below, however, that's not what I'm using and it still works when I deploy it. And for some reason that isn't generating it for me either.

Is there some compatibility setup allowing me to use the feature even if it's not supported in the CDR?

gateway_v1.json gateway_v1beta1.json

Repro steps:

Include sample requests, environment, etc. All data and inputs run kubeconform on the deployment yaml files, and select CustomResourceDefinition -schema-location and select the scheme-location

Note: If there are privacy concerns, sanitize the data prior to

Environment:

gateway 1.1.0 proxy whatever comes with it

Logs:

stdin - Gateway gateway-envoy is invalid: problem validating schema. Check JSON formatting: jsonschema: '/spec/infrastructure' does not validate with file:///home/runner/work//tools/crd_json_schemas/gateway_v1.json#/properties/spec/properties/infrastructure/additionalProperties: additionalProperties 'parametersRef' not allowed

davem-git commented 3 months ago

we use https://github.com/instrumenta/openapi2jsonschema. to generate the schema you can do it for all of the CDR

zirain commented 3 months ago

is it a kubeconform issue rather than EGs? see https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayInfrastructure

davem-git commented 3 months ago

I don't think so. We generate that file from EG cdr. We don't use a global one. When you look at the cdr you can see it missing that part from the v1 section

zirain commented 3 months ago

Gateway CRD is directly copied from Gateway API project.

davem-git commented 3 months ago

How is parametersRef supported in 1.1.0 then? That's not something EG added?

arkodg commented 3 months ago

How is parametersRef supported in 1.1.0 then? That's not something EG added?

EG only implemented the API, the API field is added by upstream https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1beta1.Gateway

davem-git commented 3 months ago

I see that it's only on the website for experimental CDR. Though I tried copying that locally and it still didn't fix the problem

https://github.com/kubernetes-sigs/gateway-api/blob/v1.1.0/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml#L207-L220

github-actions[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days.