remove backendrefs validation

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

api/v1alpha1/ext_auth_types.go

@@ -56,7 +56,6 @@ type ExtAuth struct {
 // The authorization request message is defined in
 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
 // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0"
-// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true"
 type GRPCExtAuthService struct {
@@ -67,7 +66,6 @@ type GRPCExtAuthService struct {
 // HTTPExtAuthService defines the HTTP External Authorization service
 //
 // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0"
-// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true"
 type HTTPExtAuthService struct {

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -1204,8 +1204,6 @@ spec:
                     x-kubernetes-validations:
                     - message: backendRef or backendRefs needs to be set
                       rule: has(self.backendRef) || self.backendRefs.size() > 0
-                    - message: BackendRefs must be used, backendRef is not supported.
-                      rule: '!has(self.backendRef)'
                     - message: BackendRefs only supports Service and Backend kind.
                       rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
                         == ''Service'' || f.kind == ''Backend'') : true'
@@ -2103,8 +2101,6 @@ spec:
                     x-kubernetes-validations:
                     - message: backendRef or backendRefs needs to be set
                       rule: has(self.backendRef) || self.backendRefs.size() > 0
-                    - message: BackendRefs must be used, backendRef is not supported.
-                      rule: '!has(self.backendRef)'
                     - message: BackendRefs only supports Service and Backend kind.
                       rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
                         == ''Service'' || f.kind == ''Backend'') : true'

release-notes/current.yaml

@@ -15,6 +15,7 @@ new features: |
 # Fixes for bugs identified in previous versions.
 bug fixes: |
   Add a bug fix here
+  Fixed failed to update SecurityPolicy resources with the `backendRef` field specified
 
 # Enhancements that improve performance.
 performance improvements: |

test/cel-validation/securitypolicy_test.go

@@ -657,36 +657,6 @@ func TestSecurityPolicyTarget(t *testing.T) {
 				" BackendRefs only supports Core and gateway.envoyproxy.io group.",
 			},
 		},
-		{
-			desc: "http extAuth service invalid Kind",
-			mutate: func(sp *egv1a1.SecurityPolicy) {
-				sp.Spec = egv1a1.SecurityPolicySpec{
-					ExtAuth: &egv1a1.ExtAuth{
-						HTTP: &egv1a1.HTTPExtAuthService{
-							BackendCluster: egv1a1.BackendCluster{
-								BackendRef: &gwapiv1.BackendObjectReference{
-									Kind: ptr.To(gwapiv1.Kind("unsupported")),
-									Name: "http-auth-service",
-									Port: ptr.To(gwapiv1.PortNumber(15001)),
-								},
-							},
-						},
-					},
-					PolicyTargetReferences: egv1a1.PolicyTargetReferences{
-						TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{
-							LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{
-								Group: "gateway.networking.k8s.io",
-								Kind:  "Gateway",
-								Name:  "eg",
-							},
-						},
-					},
-				}
-			},
-			wantErrors: []string{
-				"BackendRefs must be used, backendRef is not supported.",
-			},
-		},
 		{
 			desc: "http extAuth service backendRefs invalid Kind",
 			mutate: func(sp *egv1a1.SecurityPolicy) {
@@ -753,36 +723,6 @@ func TestSecurityPolicyTarget(t *testing.T) {
 				"BackendRefs only supports Core and gateway.envoyproxy.io group.",
 			},
 		},
-		{
-			desc: "grpc extAuth service invalid Kind",
-			mutate: func(sp *egv1a1.SecurityPolicy) {
-				sp.Spec = egv1a1.SecurityPolicySpec{
-					ExtAuth: &egv1a1.ExtAuth{
-						GRPC: &egv1a1.GRPCExtAuthService{
-							BackendCluster: egv1a1.BackendCluster{
-								BackendRef: &gwapiv1.BackendObjectReference{
-									Kind: ptr.To(gwapiv1.Kind("unsupported")),
-									Name: "http-auth-service",
-									Port: ptr.To(gwapiv1.PortNumber(15001)),
-								},
-							},
-						},
-					},
-					PolicyTargetReferences: egv1a1.PolicyTargetReferences{
-						TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{
-							LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{
-								Group: "gateway.networking.k8s.io",
-								Kind:  "Gateway",
-								Name:  "eg",
-							},
-						},
-					},
-				}
-			},
-			wantErrors: []string{
-				"BackendRefs must be used, backendRef is not supported.",
-			},
-		},
 		{
 			desc: "grpc extAuth service backendRefs invalid Kind",
 			mutate: func(sp *egv1a1.SecurityPolicy) {