From c2b5c6042e0a5d6e6ca1b2c17e43147a972381dd Mon Sep 17 00:00:00 2001 From: Jon Cahill-Torre Date: Tue, 5 Dec 2023 14:35:28 +0000 Subject: [PATCH 01/13] fix: rewrite resource-validation --- site/content/overview/resource-validation.md | 167 +++++++------------ 1 file changed, 64 insertions(+), 103 deletions(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index 5dbea20740..04a4e703d3 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md @@ -1,6 +1,5 @@ --- title: "Gateway API Resource Validation" -description: "Learn how NGINX Gateway Fabric validates Gateway API resources." weight: 800 toc: true docs: "DOCS-000" 
@@ -8,63 +7,17 @@ docs: "DOCS-000" ## Overview -There are several reasons why NGF validates Gateway API resources: +NGINX Gateway Fabric validates Gateway API resources for several reasons: -- *Robustness*: to gracefully handle invalid resources. -- *Security*: to prevent malicious input from propagating to the NGINX configuration. -- *Correctness*: to conform to the Gateway API specification for handling invalid resources. +- _Robustness_: to gracefully handle invalid resources. +- _Security_: to prevent malicious input from propagating to the NGINX configuration. +- _Correctness_: to conform to the Gateway API specification for handling invalid resources. -Ultimately, the goal is to ensure that NGINX continues to handle traffic even if invalid Gateway API resources were -created. +The process involves four different steps, explained in detail in this document, with the goal of making sure that NGINX continues to handle traffic even if invalid Gateway API resources were created. -A Gateway API resource (a new resource or an update for the existing one) is validated by the following steps: +## Step 1 - OpenAPI Scheme validation by Kubernetes API Server -### For Kubernetes 1.25+ - -1. OpenAPI schema validation by the Kubernetes API server. -2. CEL validation by the Kubernetes API server. -3. Webhook validation by NGF. -4. Validation by NGF. - -### For Kubernetes 1.23 and 1.24 - -1. OpenAPI schema validation by the Kubernetes API server. -2. Webhook validation by the Gateway API webhook. -3. Webhook validation by NGF. -4. Validation by NGF. - -To confirm that a resource is valid and accepted by NGF, check that the `Accepted` condition in the resource status -has the Status field set to `True`. 
For example, in a status of a valid HTTPRoute, if NGF accepts a parentRef, -the status of that parentRef will look like this: - -```text -Status: - Parents: - Conditions: - Last Transition Time: 2023-03-30T23:18:00Z - Message: The route is accepted - Observed Generation: 2 - Reason: Accepted - Status: True - Type: Accepted - Controller Name: gateway.nginx.org/nginx-gateway-controller - Parent Ref: - Group: gateway.networking.k8s.io - Kind: Gateway - Name: gateway - Namespace: default - Section Name: http -``` - -> Make sure the reported observed generation is the same as the resource generation. - -The remaining part of this document describes each step in detail with examples of how validation errors are reported. - -### Step 1 - OpenAPI Scheme Validation by Kubernetes API Server - -The Kubernetes API server validates Gateway API resources against the OpenAPI schema embedded in the Gateway API CRDs. -For example, if you create an HTTPRoute with an invalid hostname `cafe.!@#$%example.com`, the API server will reject it -with the following error: +The Kubernetes API server validates Gateway API resources against the OpenAPI schema embedded in the Gateway API CRDs. For example, if you create an HTTPRoute with an invalid hostname "cafe.!@#$%example.com", the API server will reject it with the following error: ```shell kubectl apply -f coffee-route.yaml 
@@ -74,53 +27,43 @@ kubectl apply -f coffee-route.yaml The HTTPRoute "coffee" is invalid: spec.hostnames[0]: Invalid value: "cafe.!@#$%example.com": spec.hostnames[0] in body should match '^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' ``` -> While unlikely, bypassing this validation step is possible if the Gateway API CRDs are modified to remove the validation. -> If this happens, Step 4 will reject any invalid values (from NGINX perspective). +{{< note >}}While unlikely, bypassing this validation step is possible if the Gateway API CRDs are modified to remove the validation.If this happens, Step 4 will reject any invalid values (from NGINX perspective).{{< /note >}} -### Step 2 - For Kubernetes 1.25+ - CEL Validation by Kubernetes API Server +## Step 2 - CEL or Webhook validation by Kubernetes -The Kubernetes API server validates Gateway API resources using CEL validation embedded in the Gateway API CRDs. -It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. -For example, if you create a Gateway resource with a TCP listener that configures a hostname, the CEL validation will -reject it with the following error: +- **Kubernetes 1.25 and later - CEL validation by Kubernetes API Server** + The Kubernetes API server validates Gateway API resources using CEL validation embedded in the Gateway API CRDs. It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. 
For example, if you create a Gateway resource with a TCP listener that configures a hostname, the CEL validation will reject it with the following error: -```shell -kubectl apply -f some-gateway.yaml -``` + ```shell + kubectl apply -f some-gateway.yaml + ``` -```text -The Gateway "some-gateway" is invalid: spec.listeners: Invalid value: "array": hostname must not be specified for protocols ['TCP', 'UDP'] -``` + ```text + The Gateway "some-gateway" is invalid: spec.listeners: Invalid value: "array": hostname must not be specified for protocols ['TCP', 'UDP'] + ``` -More information on CEL in Kubernetes can be found [here](https://kubernetes.io/docs/reference/using-api/cel/). + More information on CEL in Kubernetes can be found [here](https://kubernetes.io/docs/reference/using-api/cel/). -### Step 2 - For Kubernetes 1.23 and 1.24 - Webhook Validation by Gateway API Webhook -The Gateway API comes with a validating webhook which is enabled by default in the Gateway API installation manifests. -It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if -you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the -following error: +- **Kubernetes 1.23 and 1.24 - Webhook validation by Gateway API Webhook** -```shell -kubectl apply -f some-gateway.yaml -``` + The Gateway API comes with a validating webhook which is enabled by default in the Gateway API installation manifests. It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. 
For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: -```text -Error from server: error when creating "some-gateway.yaml": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP -``` + ```shell + kubectl apply -f some-gateway.yaml + ``` -> Bypassing this validation step is possible if the webhook is not running in the cluster. -> If this happens, Step 3 will reject the invalid values. + ```text + Error from server: error when creating "some-gateway.yaml": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP + ``` -### Step 3 - Webhook validation by NGF +{{< note >}}Bypassing this validation step is possible if the webhook is not running in the cluster. If this happens, Step 3 will reject the invalid values.{{< /note >}} -To ensure that the resources are validated with the webhook validation rules, even if the webhook is not running, -NGF performs the same validation. However, NGF performs the validation *after* the Kubernetes API server accepts -the resource. +## Step 3 - Webhook validation by NGINX Gateway Fabric +To ensure that the resources are validated with the webhook validation rules, even if the webhook is not running, NGINX Gateway Fabric performs the same validation. However, NGINX Gateway Fabric performs the validation *after* the Kubernetes API server accepts the resource. -Below is an example of how NGF rejects an invalid resource (a Gateway resource with a TCP listener that configures a -hostname) with a Kubernetes event: +Below is an example of how NGINX Gateway Fabric rejects an invalid resource (a Gateway resource with a TCP listener that configures a hostname) with a Kubernetes event: ```shell kubectl describe gateway some-gateway 
@@ -131,28 +74,21 @@ kubectl describe gateway some-gateway Events: Type Reason Age From Message ---- ------ ---- ---- ------- - Warning Rejected 6s nginx-gateway-fabric-nginx the resource failed webhook validation, however the Gateway API webhook failed to reject it with the error; make sure the webhook is installed and running correctly; validation error: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP; NGF will delete any existing NGINX configuration that corresponds to the resource + Warning Rejected 6s nginx-gateway-fabric-nginx the resource failed webhook validation, however the Gateway API webhook failed to reject it with the error; make sure the webhook is installed and running correctly; validation error: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP; NGINX Gateway Fabric will delete any existing NGINX configuration that corresponds to the resource ``` -> This validation step always runs and cannot be bypassed. -> NGF will ignore any resources that fail the webhook validation, like in the example above. -> If the resource previously existed, NGF will remove any existing NGINX configuration for that resource. +{{< note >}}This validation step always runs and cannot be bypassed. NGINX Gateway Fabric will ignore any resources that fail the webhook validation, like in the example above. If the resource previously existed, NGINX Gateway Fabric will remove any existing NGINX configuration for that resource.{{< /note >}} -### Step 4 - Validation by NGF +## Step 4 - Validation by NGINX Gateway Fabric This step catches the following cases of invalid values: -- Valid values from the Gateway API perspective but not supported by NGF yet. For example, a feature in an - HTTPRoute routing rule. Note: for the list of supported features, - see [Gateway API Compatibility](gateway-api-compatibility.md) doc. 
-- Valid values from the Gateway API perspective, but invalid for NGINX, because NGINX has stricter validation - requirements for certain fields. Such values will cause NGINX to fail to reload or operate erroneously. -- Invalid values (both from the Gateway API and NGINX perspectives) that were not rejected because Step 1 was bypassed. - Similarly to the previous case, such values will cause NGINX to fail to reload or operate erroneously. -- Malicious values that inject unrestricted NGINX config into the NGINX configuration (similar to an SQL injection - attack). +- Valid values from the Gateway API perspective but not supported by NGINX Gateway Fabric yet. For example, a feature in an HTTPRoute routing rule. For the list of supported features see [Gateway API Compatibility](gateway-api-compatibility.md) doc. +- Valid values from the Gateway API perspective, but invalid for NGINX, because NGINX has stricter validation requirements for certain fields. These values will cause NGINX to fail to reload or operate erroneously. +- Invalid values (both from the Gateway API and NGINX perspectives) that were not rejected because Step 1 was bypassed. Similar to the previous case, these values will cause NGINX to fail to reload or operate erroneously. +- Malicious values that inject unrestricted NGINX config into the NGINX configuration (similar to an SQL injection attack). -Below is an example of how NGF rejects an invalid resource. The validation error is reported via the status: +Below is an example of how NGINX Gateway Fabric rejects an invalid resource. The validation error is reported via the status: ```shell kubectl describe httproutes.gateway.networking.k8s.io coffee 
@@ -178,4 +114,29 @@ Status: Section Name: http ``` -> This validation step always runs and cannot be bypassed. +{{< note >}}This validation step always runs and cannot be bypassed.{{< /note >}} + +## Confirm validation + +To confirm that a resource is valid and accepted by NGINX Gateway Fabric, check that the **Accepted** condition in the resource status has the Status field set to **True**. For example, in a status of a valid HTTPRoute, if NGINX Gateway Fabric accepts a parentRef, the status of that parentRef will look like this: + +```text +Status: + Parents: + Conditions: + Last Transition Time: 2023-03-30T23:18:00Z + Message: The route is accepted + Observed Generation: 2 + Reason: Accepted + Status: True + Type: Accepted + Controller Name: gateway.nginx.org/nginx-gateway-controller + Parent Ref: + Group: gateway.networking.k8s.io + Kind: Gateway + Name: gateway + Namespace: default + Section Name: http +``` + +{{< note>}}Make sure the reported observed generation is the same as the resource generation.{{< /note >}} \ No newline at end of file From 19bac963156d661ebf18e3b247e018eed6b7c484 Mon Sep 17 00:00:00 2001 From: Jon Cahill-Torre Date: Tue, 5 Dec 2023 14:41:32 +0000 Subject: [PATCH 02/13] fix: add blank line --- site/content/overview/resource-validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index 04a4e703d3..55370a4d1d 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md @@ -139,4 +139,4 @@ Status: Section Name: http ``` -{{< note>}}Make sure the reported observed generation is the same as the resource generation.{{< /note >}} \ No newline at end of file +{{< note>}}Make sure the reported observed generation is the same as the resource generation.{{< /note >}} From 978f8bdbb4e97f38ef7f835d9018432e43c62b53 Mon Sep 17 00:00:00 2001 
From: Jon Cahill-Torre Date: Tue, 5 Dec 2023 14:45:37 +0000 Subject: [PATCH 03/13] fix: update mdlint config --- site/content/overview/resource-validation.md | 3 ++- site/mdlint_conf.json | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index 55370a4d1d..a67a21b039 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md @@ -61,7 +61,8 @@ The HTTPRoute "coffee" is invalid: spec.hostnames[0]: Invalid value: "cafe.!@#$% {{< note >}}Bypassing this validation step is possible if the webhook is not running in the cluster. If this happens, Step 3 will reject the invalid values.{{< /note >}} ## Step 3 - Webhook validation by NGINX Gateway Fabric -To ensure that the resources are validated with the webhook validation rules, even if the webhook is not running, NGINX Gateway Fabric performs the same validation. However, NGINX Gateway Fabric performs the validation *after* the Kubernetes API server accepts the resource. + +To ensure that the resources are validated with the webhook validation rules, even if the webhook is not running, NGINX Gateway Fabric performs the same validation. However, NGINX Gateway Fabric performs the validation __after_ the Kubernetes API server accepts the resource. Below is an example of how NGINX Gateway Fabric rejects an invalid resource (a Gateway resource with a TCP listener that configures a hostname) with a Kubernetes event: diff --git a/site/mdlint_conf.json b/site/mdlint_conf.json index c35d58405b..09b44658c5 100644 --- a/site/mdlint_conf.json +++ b/site/mdlint_conf.json @@ -15,5 +15,6 @@ "siblings_only": true }, "MD046": false, - "MD001": false + "MD001": false, + "MD049": false } From 5717ba7f55360560991718776922f4f5f9c0e12d Mon Sep 17 00:00:00 2001 
From: Alan Dooley Date: Wed, 6 Dec 2023 11:23:33 +0000 Subject: [PATCH 04/13] Apply suggestions from code review Co-authored-by: Kate Osborn <50597707+kate-osborn@users.noreply.github.com> --- site/content/overview/resource-validation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index a67a21b039..77ce20e290 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md @@ -27,7 +27,7 @@ kubectl apply -f coffee-route.yaml The HTTPRoute "coffee" is invalid: spec.hostnames[0]: Invalid value: "cafe.!@#$%example.com": spec.hostnames[0] in body should match '^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' ``` -{{< note >}}While unlikely, bypassing this validation step is possible if the Gateway API CRDs are modified to remove the validation.If this happens, Step 4 will reject any invalid values (from NGINX perspective).{{< /note >}} +{{< note >}}While unlikely, bypassing this validation step is possible if the Gateway API CRDs are modified to remove the validation. If this happens, Step 4 will reject any invalid values (from NGINX perspective).{{< /note >}} ## Step 2 - CEL or Webhook validation by Kubernetes 
@@ -62,7 +62,7 @@ The HTTPRoute "coffee" is invalid: spec.hostnames[0]: Invalid value: "cafe.!@#$% ## Step 3 - Webhook validation by NGINX Gateway Fabric -To ensure that the resources are validated with the webhook validation rules, even if the webhook is not running, NGINX Gateway Fabric performs the same validation. However, NGINX Gateway Fabric performs the validation __after_ the Kubernetes API server accepts the resource. +To ensure that the resources are validated with the webhook validation rules, even if the webhook is not running, NGINX Gateway Fabric performs the same validation. However, NGINX Gateway Fabric performs the validation _after_ the Kubernetes API server accepts the resource. Below is an example of how NGINX Gateway Fabric rejects an invalid resource (a Gateway resource with a TCP listener that configures a hostname) with a Kubernetes event: From 09235a3b1622423429989f3649cb917bb079ab4e Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+Jcahilltorre@users.noreply.github.com> Date: Tue, 12 Dec 2023 13:54:07 +0000 Subject: [PATCH 05/13] Update site/content/overview/resource-validation.md reverting change that it's linked to code --- site/content/overview/resource-validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index 77ce20e290..27e3eb12c6 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md 
@@ -75,7 +75,7 @@ kubectl describe gateway some-gateway Events: Type Reason Age From Message ---- ------ ---- ---- ------- - Warning Rejected 6s nginx-gateway-fabric-nginx the resource failed webhook validation, however the Gateway API webhook failed to reject it with the error; make sure the webhook is installed and running correctly; validation error: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP; NGINX Gateway Fabric will delete any existing NGINX configuration that corresponds to the resource + Warning Rejected 6s nginx-gateway-fabric-nginx the resource failed webhook validation, however the Gateway API webhook failed to reject it with the error; make sure the webhook is installed and running correctly; validation error: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP; NGF will delete any existing NGINX configuration that corresponds to the resource ``` {{< note >}}This validation step always runs and cannot be bypassed. NGINX Gateway Fabric will ignore any resources that fail the webhook validation, like in the example above. If the resource previously existed, NGINX Gateway Fabric will remove any existing NGINX configuration for that resource.{{< /note >}} From 595441a2320ea1760a6c007540f0f0a80f896688 Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+Jcahilltorre@users.noreply.github.com> Date: Tue, 12 Dec 2023 13:54:26 +0000 Subject: [PATCH 06/13] Apply suggestions from code review Co-authored-by: Saylor Berman --- site/content/overview/resource-validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index 27e3eb12c6..4be222e4b9 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md 
@@ -84,7 +84,7 @@ Events: This step catches the following cases of invalid values: -- Valid values from the Gateway API perspective but not supported by NGINX Gateway Fabric yet. For example, a feature in an HTTPRoute routing rule. For the list of supported features see [Gateway API Compatibility](gateway-api-compatibility.md) doc. +- Valid values from the Gateway API perspective but not supported by NGINX Gateway Fabric yet. For example, a feature in an HTTPRoute routing rule. For the list of supported features see [Gateway API Compatibility](gateway-api-compatibility.md) doc. - Valid values from the Gateway API perspective, but invalid for NGINX, because NGINX has stricter validation requirements for certain fields. These values will cause NGINX to fail to reload or operate erroneously. - Invalid values (both from the Gateway API and NGINX perspectives) that were not rejected because Step 1 was bypassed. Similar to the previous case, these values will cause NGINX to fail to reload or operate erroneously. - Malicious values that inject unrestricted NGINX config into the NGINX configuration (similar to an SQL injection attack). From f510e82755b433c49b8495d994ea5611d06c788e Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+Jcahilltorre@users.noreply.github.com> Date: Tue, 12 Dec 2023 13:55:42 +0000 Subject: [PATCH 07/13] Update site/content/overview/resource-validation.md Co-authored-by: Kate Osborn <50597707+kate-osborn@users.noreply.github.com> --- site/content/overview/resource-validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index 4be222e4b9..f8c1b59cd3 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md 
@@ -48,7 +48,7 @@ The HTTPRoute "coffee" is invalid: spec.hostnames[0]: Invalid value: "cafe.!@#$% - **Kubernetes 1.23 and 1.24 - Webhook validation by Gateway API Webhook** - The Gateway API comes with a validating webhook which is enabled by default in the Gateway API installation manifests. It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: + The validating webhook must be installed for these Kubernetes versions {{link to installation doc}}. It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: ```shell kubectl apply -f some-gateway.yaml From 28c0f0a18bb4130f632dca20c3b8e476727896a3 Mon Sep 17 00:00:00 2001 From: Jon Cahill-Torre Date: Tue, 12 Dec 2023 17:48:13 +0000 Subject: [PATCH 08/13] fix: update NGF naming --- internal/mode/static/state/store.go | 2 +- site/content/overview/resource-validation.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/mode/static/state/store.go b/internal/mode/static/state/store.go index 351717c244..7943eb140d 100644 --- a/internal/mode/static/state/store.go +++ b/internal/mode/static/state/store.go @@ -286,7 +286,7 @@ func (u *validatingUpsertUpdater) Upsert(obj client.Object) { obj, apiv1.EventTypeWarning, "Rejected", - "%s; NGF will delete any existing NGINX configuration that corresponds to the resource", + "%s; NGINX Management Suite will delete any existing NGINX configuration that corresponds to the resource", err.Error(), ) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index f8c1b59cd3..a6996aad7c 100644 
--- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md @@ -75,7 +75,7 @@ kubectl describe gateway some-gateway Events: Type Reason Age From Message ---- ------ ---- ---- ------- - Warning Rejected 6s nginx-gateway-fabric-nginx the resource failed webhook validation, however the Gateway API webhook failed to reject it with the error; make sure the webhook is installed and running correctly; validation error: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP; NGF will delete any existing NGINX configuration that corresponds to the resource + Warning Rejected 6s nginx-gateway-fabric-nginx the resource failed webhook validation, however the Gateway API webhook failed to reject it with the error; make sure the webhook is installed and running correctly; validation error: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP; NGINX Management Suite will delete any existing NGINX configuration that corresponds to the resource ``` {{< note >}}This validation step always runs and cannot be bypassed. NGINX Gateway Fabric will ignore any resources that fail the webhook validation, like in the example above. If the resource previously existed, NGINX Gateway Fabric will remove any existing NGINX configuration for that resource.{{< /note >}} From 71b9f51ff128f0423a495f871a1426c07166860a Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+Jcahilltorre@users.noreply.github.com> Date: Tue, 12 Dec 2023 17:52:34 +0000 Subject: [PATCH 09/13] Update site/content/overview/resource-validation.md --- site/content/overview/resource-validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index a6996aad7c..827b660d8b 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md 
@@ -48,7 +48,7 @@ The HTTPRoute "coffee" is invalid: spec.hostnames[0]: Invalid value: "cafe.!@#$% - **Kubernetes 1.23 and 1.24 - Webhook validation by Gateway API Webhook** - The validating webhook must be installed for these Kubernetes versions {{link to installation doc}}. It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: + The validating webhook must be [installed for these Kubernetes versions]({{}}. It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: ```shell kubectl apply -f some-gateway.yaml From 72eb33d4bfe35acc546b2522ff6047403f28cf97 Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+Jcahilltorre@users.noreply.github.com> Date: Tue, 12 Dec 2023 17:53:07 +0000 Subject: [PATCH 10/13] Update internal/mode/static/state/store.go Co-authored-by: Kate Osborn <50597707+kate-osborn@users.noreply.github.com> --- internal/mode/static/state/store.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/mode/static/state/store.go b/internal/mode/static/state/store.go index 7943eb140d..d288e44cb2 100644 --- a/internal/mode/static/state/store.go +++ b/internal/mode/static/state/store.go @@ -286,7 +286,7 @@ func (u *validatingUpsertUpdater) Upsert(obj client.Object) { obj, apiv1.EventTypeWarning, "Rejected", - "%s; NGINX Management Suite will delete any existing NGINX configuration that corresponds to the resource", + "%s; NGINX Gateway Fabric will delete any existing NGINX configuration that corresponds to the resource", err.Error(), ) From 988a0278c0524212922229b2e30d6c233ce43b6a Mon Sep 17 00:00:00 2001 
From: Jon Torre <78599298+Jcahilltorre@users.noreply.github.com> Date: Tue, 12 Dec 2023 17:54:16 +0000 Subject: [PATCH 11/13] Update site/content/overview/resource-validation.md Co-authored-by: Kate Osborn <50597707+kate-osborn@users.noreply.github.com> --- site/content/overview/resource-validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index 827b660d8b..dba266a54f 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md @@ -75,7 +75,7 @@ kubectl describe gateway some-gateway Events: Type Reason Age From Message ---- ------ ---- ---- ------- - Warning Rejected 6s nginx-gateway-fabric-nginx the resource failed webhook validation, however the Gateway API webhook failed to reject it with the error; make sure the webhook is installed and running correctly; validation error: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP; NGINX Management Suite will delete any existing NGINX configuration that corresponds to the resource + Warning Rejected 6s nginx-gateway-fabric-nginx the resource failed webhook validation, however the Gateway API webhook failed to reject it with the error; make sure the webhook is installed and running correctly; validation error: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP; NGINX Gateway Fabric will delete any existing NGINX configuration that corresponds to the resource ``` {{< note >}}This validation step always runs and cannot be bypassed. NGINX Gateway Fabric will ignore any resources that fail the webhook validation, like in the example above. If the resource previously existed, NGINX Gateway Fabric will remove any existing NGINX configuration for that resource.{{< /note >}} From 905bf9be7065863f46f7cc04b90e0ad52bd25930 Mon Sep 17 00:00:00 2001 
From: Jon Torre <78599298+Jcahilltorre@users.noreply.github.com> Date: Tue, 12 Dec 2023 18:01:03 +0000 Subject: [PATCH 12/13] Update site/content/overview/resource-validation.md Co-authored-by: Kate Osborn <50597707+kate-osborn@users.noreply.github.com> --- site/content/overview/resource-validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index dba266a54f..3bfbf40e20 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md @@ -48,7 +48,7 @@ The HTTPRoute "coffee" is invalid: spec.hostnames[0]: Invalid value: "cafe.!@#$% - **Kubernetes 1.23 and 1.24 - Webhook validation by Gateway API Webhook** - The validating webhook must be [installed for these Kubernetes versions]({{}}. It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: + The validating webhook must be [installed for these Kubernetes versions]({{}}). It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: ```shell kubectl apply -f some-gateway.yaml From ee73749f418d3b14474186f19386d534165903d8 Mon Sep 17 00:00:00 2001 From: Jon Cahill-Torre Date: Tue, 12 Dec 2023 18:51:07 +0000 Subject: [PATCH 13/13] fix: fix link --- site/content/overview/resource-validation.md | 2 +- site/go.mod | 2 +- site/go.sum | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index 3bfbf40e20..d77b747bc4 100644 --- a/site/content/overview/resource-validation.md 
+++ b/site/content/overview/resource-validation.md @@ -48,7 +48,7 @@ The HTTPRoute "coffee" is invalid: spec.hostnames[0]: Invalid value: "cafe.!@#$% - **Kubernetes 1.23 and 1.24 - Webhook validation by Gateway API Webhook** - The validating webhook must be [installed for these Kubernetes versions]({{}}). It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: + The validating webhook must be [installed for these Kubernetes versions]({{< relref "installation/installing-ngf/helm.md#installing-the-gateway-api-resources" >}}). It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: ```shell kubectl apply -f some-gateway.yaml diff --git a/site/go.mod b/site/go.mod index 36179c78da..005575c5ed 100644 --- a/site/go.mod +++ b/site/go.mod @@ -2,4 +2,4 @@ module github.com/nginxinc/nginx-gateway-fabric/site go 1.21 -require github.com/nginxinc/nginx-hugo-theme v0.40.0 // indirect +require github.com/nginxinc/nginx-hugo-theme v0.40.1 // indirect diff --git a/site/go.sum b/site/go.sum index ef95ed80dc..74448ef93c 100644 --- a/site/go.sum +++ b/site/go.sum 
@@ -4,3 +4,5 @@ github.com/nginxinc/nginx-hugo-theme v0.39.0 h1:P1hOPpityVUOM5OyIpQZa1UJyuUunGSm github.com/nginxinc/nginx-hugo-theme v0.39.0/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M= github.com/nginxinc/nginx-hugo-theme v0.40.0 h1:YP0I0+bRKcJ5WEb1s/OWcnlcvNvIcKscagJkCzsa+Vs= github.com/nginxinc/nginx-hugo-theme v0.40.0/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M= +github.com/nginxinc/nginx-hugo-theme v0.40.1 h1:1Q94uFYegNvjvwDV1py9VlYmh62AF1gh1oPGqjNmtis= +github.com/nginxinc/nginx-hugo-theme v0.40.1/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M=
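Review bot: In PATCH 01/13, the new heading `## Step 1 - OpenAPI Scheme validation by Kubernetes API Server` keeps the word "Scheme" from the old heading, while the paragraph directly under it and the removed step lists say "OpenAPI schema". Change the heading to "OpenAPI Schema validation" so the term matches the body text.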
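Review bot: In PATCH 01/13, the note `{{< note >}}Bypassing this validation step is possible if the webhook is not running in the cluster. ...` now sits at the top level after the Step 2 list, so it reads as applying to both bullets, including CEL validation on Kubernetes 1.25 and later. Before this change it belonged only to the "Kubernetes 1.23 and 1.24" webhook section. Since this note tells readers which later step catches input when an earlier check is skipped, indent it under the 1.23 and 1.24 bullet or name the Gateway API webhook in the note text. The new heading "Step 2 - CEL or Webhook validation by Kubernetes" has the same ambiguity: the bullet itself says the webhook check is done by the Gateway API webhook.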
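Review bot: In PATCH 01/13, the first hunk deletes the front matter line `description: "Learn how NGINX Gateway Fabric validates Gateway API resources."` without a replacement, and the subject "fix: rewrite resource-validation" does not say why. If the removal is intentional, state the reason in the commit message; otherwise keep the line.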
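Review bot: In PATCH 03/13, the Step 3 paragraph changes `*after*` to `__after_`, which opens with two underscores and closes with one, so the emphasis markers are unbalanced. It should be `_after_`, matching the `_Robustness_` style introduced in PATCH 01/13. With that line fixed, the `"MD049": false` entry added to site/mdlint_conf.json looks unnecessary: it switches off the emphasis-style check for everything this config covers in order to get one line past the linter. Prefer fixing the line and leaving the rule enabled.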
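Review bot: In PATCH 08/13, the new event string in `Upsert` in internal/mode/static/state/store.go and the matching example output in resource-validation.md both read "NGINX Management Suite will delete any existing NGINX configuration", which names a different product from the one used everywhere else on the page and from this commit's own subject, "fix: update NGF naming". Use "NGINX Gateway Fabric" in both places. Because the documented `kubectl describe` output quotes this event message, change the Go string and the doc example in the same commit so they cannot drift apart; PATCH 05/13 had to revert a doc-only rename because the text is linked to code.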
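Review bot: In PATCH 13/13, the site/go.sum hunk adds the two nginx-hugo-theme v0.40.1 lines but keeps the v0.39.0 and v0.40.0 entries, although the site/go.mod hunk now requires only v0.40.1. Run `go mod tidy` (or `hugo mod tidy`) in site/ so go.sum carries only the checksums go.mod needs. The subject "fix: fix link" also does not mention the theme bump: add a line explaining why the `relref` fix depends on v0.40.1, or move the bump to its own commit.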