validate the path with PathSeparatedPrefix? #1044

@qicz

The gateway currently supports configuring a path match with PathSeparatedPrefix, but does not validate it in the gateway. When the path is configured with an invalid value, such as one ending with /, the gateway and Envoy receive the dynamic route and an error occurs.

HTTPRoute config

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: backendxx
spec:
  parentRefs:
    - name: eg
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: backend
          port: 3000
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /backend/

gateway log

2023-02-15 13:29:15 2023-02-15T05:29:15.921Z    INFO    cache/logrwrapper.go:29 Got a new request, response_nonce 2, nodeID envoy-default-eg-64656661-7db8b55db6-gttln, node_version v1.26.0    {"runner": "xds-server"}
2023-02-15 13:29:15 2023-02-15T05:29:15.921Z    INFO    cache/logrwrapper.go:29 handling v3 xDS resource request, response_nonce 2, nodeID envoy-default-eg-64656661-7db8b55db6-gttln, node_version v1.26.0, resource_names_subscribe [], resource_names_unsubscribe [], type_url type.googleapis.com/envoy.config.route.v3.RouteConfiguration, errorCode 13, errorMessage Proto constraint validation failed (RouteConfigurationValidationError.VirtualHosts[0]: embedded message failed validation | caused by VirtualHostValidationError.Routes[0]: embedded message failed validation | caused by RouteValidationError.Match: embedded message failed validation | caused by RouteMatchValidationError.PathSeparatedPrefix: value does not match regex pattern "^[^?#]+[^?#/]$"): name: "default-eg-http"
2023-02-15 13:29:15 virtual_hosts {
2023-02-15 13:29:15   name: "default-eg-http"
2023-02-15 13:29:15   domains: "*"
2023-02-15 13:29:15   routes {
2023-02-15 13:29:15     match {
2023-02-15 13:29:15       path_separated_prefix: "/backend/"
2023-02-15 13:29:15     }
2023-02-15 13:29:15     route {
2023-02-15 13:29:15       cluster: "default-backendxx-rule-0-match-0-*"
2023-02-15 13:29:15     }
2023-02-15 13:29:15   }
2023-02-15 13:29:15 }
2023-02-15 13:29:15     {"runner": "xds-server"}

envoy log

2023-02-15 13:29:15 [2023-02-15 05:29:15.920][1][warning][config] [source/common/config/new_delta_subscription_state.cc:288] delta config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: Proto constraint validation failed (RouteConfigurationValidationError.VirtualHosts[0]: embedded message failed validation | caused by VirtualHostValidationError.Routes[0]: embedded message failed validation | caused by RouteValidationError.Match: embedded message failed validation | caused by RouteMatchValidationError.PathSeparatedPrefix: value does not match regex pattern "^[^?#]+[^?#/]$"): name: "default-eg-http"
2023-02-15 13:29:15 virtual_hosts {
2023-02-15 13:29:15   name: "default-eg-http"
2023-02-15 13:29:15   domains: "*"
2023-02-15 13:29:15   routes {
2023-02-15 13:29:15     match {
2023-02-15 13:29:15       path_separated_prefix: "/backend/"
2023-02-15 13:29:15     }
2023-02-15 13:29:15     route {
2023-02-15 13:29:15       cluster: "default-backendxx-rule-0-match-0-*"
2023-02-15 13:29:15     }
2023-02-15 13:29:15   }
2023-02-15 13:29:15 }
2023-02-15 13:29:15 
2023-02-15 13:29:15 [2023-02-15 05:29:15.920][1][warning][config] [source/common/config/grpc_subscription_impl.cc:128] gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: Proto constraint validation failed (RouteConfigurationValidationError.VirtualHosts[0]: embedded message failed validation | caused by VirtualHostValidationError.Routes[0]: embedded message failed validation | caused by RouteValidationError.Match: embedded message failed validation | caused by RouteMatchValidationError.PathSeparatedPrefix: value does not match regex pattern "^[^?#]+[^?#/]$"): name: "default-eg-http"
2023-02-15 13:29:15 virtual_hosts {
2023-02-15 13:29:15   name: "default-eg-http"
2023-02-15 13:29:15   domains: "*"
2023-02-15 13:29:15   routes {
2023-02-15 13:29:15     match {
2023-02-15 13:29:15       path_separated_prefix: "/backend/"
2023-02-15 13:29:15     }
2023-02-15 13:29:15     route {
2023-02-15 13:29:15       cluster: "default-backendxx-rule-0-match-0-*"
2023-02-15 13:29:15     }
2023-02-15 13:29:15   }
2023-02-15 13:29:15 }
2023-02-15 13:29:15

But the route is accepted:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"gateway.networking.k8s.io/v1beta1","kind":"HTTPRoute","metadata":{"annotations":{},"name":"backendxx","namespace":"default"},"spec":{"parentRefs":[{"name":"eg"}],"rules":[{"backendRefs":[{"group":"","kind":"Service","name":"backend","port":3000,"weight":1}],"matches":[{"path":{"type":"PathPrefix","value":"/backend/"}}]}]}}
  creationTimestamp: "2023-02-15T05:28:38Z"
  generation: 2
  name: backendxx
  namespace: default
  resourceVersion: "209201"
  uid: abffbeb8-e808-46ca-80ad-0dad38802d65
spec:
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: backend
      port: 3000
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /backend/
status:
  parents:
  - conditions:
    - lastTransitionTime: "2023-02-15T05:29:15Z"
      message: Route is accepted
      observedGeneration: 2
      reason: Accepted
      status: "True"
      type: Accepted
    controllerName: gateway.envoyproxy.io/gatewayclass-controller
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: eg

I think that we should validate the PathSeparatedPrefix with an invalid path value and reject the route.
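
The check requested above, as an added example (not code from the issue or from Envoy Gateway): the regex is the one quoted in the Envoy rejection message, and the route's Accepted condition is derived before anything is sent over xDS. `PathMatch`, `ValidatePathPrefix` and `AcceptedCondition` are hypothetical names, and treating the root prefix `/` as a plain prefix match is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constraint copied from the Envoy rejection message in the logs above.
var pathSeparatedPrefixRE = regexp.MustCompile(`^[^?#]+[^?#/]$`)

// PathMatch is a hypothetical stand-in for an HTTPRoute path match.
type PathMatch struct{ Type, Value string }

// ValidatePathPrefix (hypothetical helper) returns an error when value would
// fail Envoy's path_separated_prefix constraint.
// Assumption: the root prefix "/" is emitted as a plain prefix match instead.
func ValidatePathPrefix(value string) error {
	if value == "/" || pathSeparatedPrefixRE.MatchString(value) {
		return nil
	}
	switch {
	case strings.ContainsAny(value, "?#"):
		return fmt.Errorf("path prefix %q must not contain '?' or '#'", value)
	case strings.HasSuffix(value, "/"):
		return fmt.Errorf("path prefix %q must not end with '/'", value)
	default:
		return fmt.Errorf("path prefix %q must be at least two characters", value)
	}
}

// AcceptedCondition (hypothetical) derives the Accepted status and message
// for a route from its path matches, before the route is translated.
func AcceptedCondition(matches []PathMatch) (bool, string) {
	for _, m := range matches {
		if m.Type != "PathPrefix" {
			continue // only PathPrefix is subject to this constraint here
		}
		if err := ValidatePathPrefix(m.Value); err != nil {
			return false, err.Error()
		}
	}
	return true, "Route is accepted"
}

func main() {
	// Constructed input mirroring the HTTPRoute in the issue.
	ok, msg := AcceptedCondition([]PathMatch{{"PathPrefix", "/backend/"}})
	fmt.Println(ok, msg)
}
```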

Labels: area/translator, good first issue, help wanted, kind/bug