feat: add Istio VirtualService Requestmatch to UDS Operator (#129)

Author: jeff-mccoy

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "uds-core",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "A collection of capabilities for UDS Core",
   "keywords": [
     "pepr",
@@ -10,7 +10,7 @@
     "security"
   ],
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "pepr": {
     "name": "UDS Core",

package.json

@@ -1,7 +1,7 @@
 import { K8s, Log } from "pepr";
 
 import { UDSConfig } from "../../../config";
-import { Gateway, Istio, UDSPackage, getOwnerRef } from "../../crd";
+import { Expose, Gateway, Istio, UDSPackage, getOwnerRef } from "../../crd";
 import { sanitizeResourceName } from "../utils";
 
 /**
@@ -22,10 +22,9 @@ export async function virtualService(pkg: UDSPackage, namespace: string) {
 
   // Iterate over each exposed service
   for (const expose of exposeList) {
-    const { gateway = Gateway.Tenant, host, port, service } = expose;
+    const { gateway = Gateway.Tenant, host, port, service, match } = expose;
 
-    // Ensure the resource name is valid
-    const name = sanitizeResourceName(`${pkgName}-${gateway}-${host}`);
+    const name = generateVSName(pkg, expose);
 
     // For the admin gateway, we need to add the path prefix
     const domain = (gateway === Gateway.Admin ? "admin." : "") + UDSConfig.domain;
@@ -34,7 +33,7 @@ export async function virtualService(pkg: UDSPackage, namespace: string) {
     const fqdn = `${host}.${domain}`;
 
     // Create the route to the service
-    const httpRoute: Istio.HTTPRoute[] = [
+    const route: Istio.HTTPRoute[] = [
       {
         destination: {
           // Use the service name as the host
@@ -62,7 +61,7 @@ export async function virtualService(pkg: UDSPackage, namespace: string) {
         // Map the gateway (admin, passthrough or tenant) to the VirtualService
         gateways: [`istio-${gateway}-gateway/${gateway}-gateway`],
         // Apply the route to the VirtualService
-        http: [{ route: httpRoute }],
+        http: [{ route, match }],
       },
     };
 
@@ -71,7 +70,7 @@ export async function virtualService(pkg: UDSPackage, namespace: string) {
       payload.spec!.tls = [
         {
           match: [{ port: 443, sniHosts: [fqdn] }],
-          route: httpRoute,
+          route,
         },
       ];
     }
@@ -104,3 +103,14 @@ export async function virtualService(pkg: UDSPackage, namespace: string) {
   // Return the list of generated VirtualServices
   return payloads;
 }
+
+export function generateVSName(pkg: UDSPackage, expose: Expose) {
+  const { gateway = Gateway.Tenant, host, port, service, match, description } = expose;
+
+  // Ensure the resource name is valid
+  const matchHash = match?.flatMap(m => m.name).join("-") || "";
+  const nameSuffix = description || `${host}-${port}-${service}-${matchHash}`;
+  const name = sanitizeResourceName(`${pkg.metadata!.name}-${gateway}-${nameSuffix}`);
+
+  return name;
+}

src/pepr/operator/controllers/istio/virtual-service.ts

@@ -88,6 +88,10 @@ export enum RemoteGenerated {
 }
 
 export interface Expose {
+  /**
+   * A description of this expose entry, this will become part of the VirtualService name
+   */
+  description?: string;
   /**
    * The name of the gateway to expose the service on (default: tenant)
    */
@@ -96,6 +100,11 @@ export interface Expose {
    * The hostname to expose the service on
    */
   host: string;
+  /**
+   * Match the incoming request based on custom rules. Not permitted when using the
+   * passthrough gateway.
+   */
+  match?: Match[];
   /**
    * Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all
    * pods in the namespace
@@ -126,6 +135,50 @@ export enum Gateway {
   Tenant = "tenant",
 }
 
+export interface Match {
+  /**
+   * Flag to specify whether the URI matching should be case-insensitive.
+   */
+  ignoreUriCase?: boolean;
+  method?: Method;
+  /**
+   * The name assigned to a match.
+   */
+  name: string;
+  /**
+   * Query parameters for matching.
+   */
+  queryParams?: { [key: string]: QueryParam };
+  uri?: URI;
+}
+
+export interface Method {
+  exact?: string;
+  prefix?: string;
+  /**
+   * RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+   */
+  regex?: string;
+}
+
+export interface QueryParam {
+  exact?: string;
+  prefix?: string;
+  /**
+   * RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+   */
+  regex?: string;
+}
+
+export interface URI {
+  exact?: string;
+  prefix?: string;
+  /**
+   * RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+   */
+  regex?: string;
+}
+
 export interface Status {
   endpoints?: string[];
   networkPolicyCount?: number;

src/pepr/operator/crd/generated/package-v1alpha1.ts

@@ -5,11 +5,12 @@ import { Package as UDSPackage } from "./generated/package-v1alpha1";
 export {
   Allow,
   Direction,
+  Expose,
   Gateway,
   Phase,
+  RemoteGenerated,
   Status,
   Package as UDSPackage,
-  RemoteGenerated,
 } from "./generated/package-v1alpha1";
 
 export * as Istio from "./generated/istio/virtualservice-v1beta1";

src/pepr/operator/crd/index.ts

@@ -0,0 +1,53 @@
+import { V1JSONSchemaProps } from "@kubernetes/client-node";
+
+const matchRequired = [{ required: ["exact"] }, { required: ["prefix"] }, { required: ["regex"] }];
+const matchTemplate = {
+  oneOf: [
+    {
+      not: {
+        anyOf: matchRequired,
+      },
+    },
+    ...matchRequired,
+  ],
+  properties: {
+    exact: {
+      type: "string",
+    },
+    prefix: {
+      type: "string",
+    },
+    regex: {
+      description: "RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).",
+      type: "string",
+    },
+  },
+  type: "object",
+};
+
+export const virtualServiceHttpMatch: V1JSONSchemaProps = {
+  description:
+    "Match the incoming request based on custom rules. Not permitted when using the passthrough gateway.",
+  items: {
+    properties: {
+      ignoreUriCase: {
+        description: "Flag to specify whether the URI matching should be case-insensitive.",
+        type: "boolean",
+      },
+      method: matchTemplate,
+      name: {
+        description: "The name assigned to a match.",
+        type: "string",
+      },
+      queryParams: {
+        additionalProperties: matchTemplate,
+        description: "Query parameters for matching.",
+        type: "object",
+      },
+      uri: matchTemplate,
+    },
+    required: ["name"],
+    type: "object",
+  },
+  type: "array",
+};