validator: validate HTTP rate limiting status code (#4857)

Adds logic to validate the HTTP status code is
among a list of status codes supported by Envoy.

Part of #2018

Signed-off-by: Shashank Ram <[email protected]>

Author: shashankram

pkg/validator/validators.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	mapset "github.com/deckarep/golang-set"
+	xds_type "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	"github.com/pkg/errors"
 	smiAccess "github.com/servicemeshinterface/smi-sdk-go/pkg/apis/access/v1alpha3"
 	smiSpecs "github.com/servicemeshinterface/smi-sdk-go/pkg/apis/specs/v1alpha4"
@@ -246,5 +247,22 @@ func (kc *policyValidator) upstreamTrafficSettingValidator(req *admissionv1.Admi
 		return nil, errors.Errorf("UpstreamTrafficSetting %s/%s conflicts with %s/%s since they have the same host %s", ns, upstreamTrafficSetting.ObjectMeta.GetName(), ns, matchingUpstreamTrafficSetting.ObjectMeta.GetName(), matchingUpstreamTrafficSetting.Spec.Host)
 	}
 
+	// Validate rate limiting config
+	rl := upstreamTrafficSetting.Spec.RateLimit
+	if rl != nil && rl.Local != nil && rl.Local.HTTP != nil {
+		if _, ok := xds_type.StatusCode_name[int32(rl.Local.HTTP.ResponseStatusCode)]; !ok {
+			return nil, errors.Errorf("Invalid responseStatusCode %d. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/v3/http_status.proto#enum-type-v3-statuscode for allowed values",
+				rl.Local.HTTP.ResponseStatusCode)
+		}
+	}
+	for _, route := range upstreamTrafficSetting.Spec.HTTPRoutes {
+		if route.RateLimit != nil && route.RateLimit.Local != nil {
+			if _, ok := xds_type.StatusCode_name[int32(route.RateLimit.Local.ResponseStatusCode)]; !ok {
+				return nil, errors.Errorf("Invalid responseStatusCode %d. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/v3/http_status.proto#enum-type-v3-statuscode for allowed values",
+					route.RateLimit.Local.ResponseStatusCode)
+			}
+		}
+	}
+
 	return nil, nil
 }

pkg/validator/validators_test.go

@@ -1147,6 +1147,126 @@ func TestUpstreamTrafficSettingValidator(t *testing.T) {
 			expResp:   nil,
 			expErrStr: "",
 		},
+		{
+			name: "UpstreamTrafficSetting with valid rate limiting config",
+			input: &admissionv1.AdmissionRequest{
+				Kind: metav1.GroupVersionKind{
+					Group:   "v1alpha1",
+					Version: "policy.openservicemesh.io",
+					Kind:    "UpstreamTrafficSetting",
+				},
+				Object: runtime.RawExtension{
+					Raw: []byte(`
+					{
+						"apiVersion": "policy.openservicemesh.io/v1alpha1",
+						"kind": "UpstreamTrafficSetting",
+						"metadata": {
+							"name": "httpbin",
+							"namespace": "test"
+						},
+						"spec": {
+							"host": "httpbin.test.svc.cluster.local",
+							"rateLimit": {
+								"local": {
+									"http": {
+										"responseStatusCode": 429
+									}
+								}
+							},
+							"httpRoutes": [
+								{
+								"rateLimit": {
+									"local": {
+										"responseStatusCode": 503
+									}
+								}
+								}
+							]
+						}
+					}
+					`),
+				},
+			},
+			expResp:   nil,
+			expErrStr: "",
+		},
+		{
+			name: "UpstreamTrafficSetting with invalid vhost rate limiting HTTP status code",
+			input: &admissionv1.AdmissionRequest{
+				Kind: metav1.GroupVersionKind{
+					Group:   "v1alpha1",
+					Version: "policy.openservicemesh.io",
+					Kind:    "UpstreamTrafficSetting",
+				},
+				Object: runtime.RawExtension{
+					Raw: []byte(`
+					{
+						"apiVersion": "policy.openservicemesh.io/v1alpha1",
+						"kind": "UpstreamTrafficSetting",
+						"metadata": {
+							"name": "httpbin",
+							"namespace": "test"
+						},
+						"spec": {
+							"host": "httpbin.test.svc.cluster.local",
+							"rateLimit": {
+								"local": {
+									"http": {
+										"responseStatusCode": 1
+									}
+								}
+							}
+						}
+					}
+					`),
+				},
+			},
+			expResp:   nil,
+			expErrStr: "Invalid responseStatusCode 1. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/v3/http_status.proto#enum-type-v3-statuscode for allowed values",
+		},
+		{
+			name: "UpstreamTrafficSetting with invalid HTTP route rate limiting status code",
+			input: &admissionv1.AdmissionRequest{
+				Kind: metav1.GroupVersionKind{
+					Group:   "v1alpha1",
+					Version: "policy.openservicemesh.io",
+					Kind:    "UpstreamTrafficSetting",
+				},
+				Object: runtime.RawExtension{
+					Raw: []byte(`
+					{
+						"apiVersion": "policy.openservicemesh.io/v1alpha1",
+						"kind": "UpstreamTrafficSetting",
+						"metadata": {
+							"name": "httpbin",
+							"namespace": "test"
+						},
+						"spec": {
+							"host": "httpbin.test.svc.cluster.local",
+							"rateLimit": {
+								"local": {
+									"http": {
+										"responseStatusCode": 429
+									}
+								}
+							},
+							"httpRoutes": [
+								{
+								"rateLimit": {
+									"local": {
+										"responseStatusCode": 1
+									}
+								}
+								}
+							]
+						}
+					}
+					`),
+				},
+			},
+			expResp:   nil,
+			expErrStr: "Invalid responseStatusCode 1. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/v3/http_status.proto#enum-type-v3-statuscode for allowed values",
+		},
 	}
 
 	for _, tc := range testCases {