Change allowed_urls to endpoint_selectors (#573)

* update values.yaml and templates to use endpoint selectors * update values.yaml and helm template to use endpoint selectors over allowed urls * update operator bindings resource to use endpoint selectors * update poller and api call to use endpoint selectors * remove obsolete test * generated artifacts * bring back test * remove Allowed from BoundEndpointsSpec and then remove the denied status * remove references to Allowed/denied * Update README.md and values.schema.json with readme-generator-for-helm * generated artifacts --------- Co-authored-by: masonj5n <[email protected]>
ngrok · Jan 15, 2025 · 3ef67b6 · 3ef67b6
1 parent 91d1ccb
commit 3ef67b6
Show file tree

Hide file tree

Showing 15 changed files with 49 additions and 489 deletions.
diff --git a/api/bindings/v1alpha1/boundendpoint_types.go b/api/bindings/v1alpha1/boundendpoint_types.go
@@ -34,11 +34,6 @@ import (
 
 // BoundEndpointSpec defines the desired state of BoundEndpoint
 type BoundEndpointSpec struct {
-	// Allowed is a flag that determines if the BoundEndpoint is allowed to be projected into the cluster
-	// This is controlled by the KubernetesOperator CRD .spec.allowedURLs field
-	// +kubebuilder:validation:Required
-	Allowed bool `json:"allowed"`
-
 	// EndpointURI is the unique identifier
 	// representing the BoundEndpoint + its Endpoints
 	// Format: <scheme>://<service>.<namespace>:<port>
@@ -147,14 +142,12 @@ type BindingEndpoint struct {
 }
 
 // BindingEndpointStatus is an enum that represents the status of a BindingEndpoint
-// TODO(https://github.com/ngrok-private/ngrok/issues/32666)
-// +kubebuilder:validation:Enum=unknown;provisioning;denied;bound;error
+// +kubebuilder:validation:Enum=unknown;provisioning;bound;error
 type BindingEndpointStatus string
 
 const (
 	StatusUnknown      BindingEndpointStatus = "unknown"
 	StatusProvisioning BindingEndpointStatus = "provisioning"
-	StatusDenied       BindingEndpointStatus = "denied"
 	StatusBound        BindingEndpointStatus = "bound"
 	StatusError        BindingEndpointStatus = "error"
 )

diff --git a/api/ngrok/v1alpha1/kubernetesoperator_types.go b/api/ngrok/v1alpha1/kubernetesoperator_types.go
@@ -51,16 +51,9 @@ type KubernetesOperatorDeployment struct {
 }
 
 type KubernetesOperatorBinding struct {
-	// AllowedURLs is a list of URI patterns ([scheme://]<service-name>.<namespace-name>) thet determine which BoundEndpoints are allowed to be created by the operator
-	// You may specify a wildcard for:
-	//   - All endpoints: `*`
-	//   - All services in a namespace: `*.namespace`
-	//   - All namespaces: `*.*`
-	//   - Named service in all namespaces: `service.*`
-	// See: https://regex101.com/r/APbE3G/4
+	// EndpointSelectors is a list of cel expression that determine which kubernetes-bound Endpoints will be created by the operator
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:items:Pattern=`^(([*]|(https?|tls|tcp)://)?([*]|([*]|[a-z]([-a-z0-9]{0,61}[a-z0-9])?)[.]([*]|[a-z]([-a-z0-9]{0,61}[a-z0-9])?)))$`
-	AllowedURLs []string `json:"allowedURLs,omitempty"`
+	EndpointSelectors []string `json:"endpointSelectors,omitempty"`
 
 	// The public ingress endpoint for this Kubernetes Operator
 	// +kubebuilder:validation:Optional

diff --git a/api/ngrok/v1alpha1/zz_generated.deepcopy.go b/api/ngrok/v1alpha1/zz_generated.deepcopy.go
diff --git a/cmd/api/main.go b/cmd/api/main.go
@@ -120,7 +120,7 @@ type managerOpts struct {
 	enableFeatureBindings bool
 
 	bindings struct {
-		allowedURLs        []string
+		endpointSelectors  []string
 		serviceAnnotations string
 		serviceLabels      string
 		ingressEndpoint    string
@@ -163,7 +163,7 @@ func cmd() *cobra.Command {
 	c.Flags().BoolVar(&opts.enableFeatureIngress, "enable-feature-ingress", true, "Enables the Ingress controller")
 	c.Flags().BoolVar(&opts.enableFeatureGateway, "enable-feature-gateway", false, "Enables the Gateway controller")
 	c.Flags().BoolVar(&opts.enableFeatureBindings, "enable-feature-bindings", false, "Enables the Endpoint Bindings controller")
-	c.Flags().StringSliceVar(&opts.bindings.allowedURLs, "bindings-allowed-urls", []string{"*"}, "Allowed URLs for Endpoint Bindings")
+	c.Flags().StringSliceVar(&opts.bindings.endpointSelectors, "bindings-endpoint-selectors", []string{"true"}, "Endpoint Selectors for Endpoint Bindings")
 	c.Flags().StringVar(&opts.bindings.serviceAnnotations, "bindings-service-annotations", "", "Service Annotations to propagate to the target service")
 	c.Flags().StringVar(&opts.bindings.serviceLabels, "bindings-service-labels", "", "Service Labels to propagate to the target service")
 	c.Flags().StringVar(&opts.bindings.ingressEndpoint, "bindings-ingress-endpoint", "", "The endpoint the bindings forwarder connects to")
@@ -626,7 +626,7 @@ func enableBindingsFeatureSet(_ context.Context, opts managerOpts, mgr ctrl.Mana
 		Recorder:                     mgr.GetEventRecorderFor("endpoint-binding-poller"),
 		Namespace:                    opts.namespace,
 		KubernetesOperatorConfigName: opts.releaseName,
-		AllowedURLs:                  opts.bindings.allowedURLs,
+		EndpointSelectors:            opts.bindings.endpointSelectors,
 		TargetServiceAnnotations:     targetServiceAnnotations,
 		TargetServiceLabels:          targetServiceLabels,
 		PollingInterval:              10 * time.Second,
@@ -669,8 +669,8 @@ func createKubernetesOperator(ctx context.Context, client client.Client, opts ma
 		if opts.enableFeatureBindings {
 			features = append(features, ngrokv1alpha1.KubernetesOperatorFeatureBindings)
 			k8sOperator.Spec.Binding = &ngrokv1alpha1.KubernetesOperatorBinding{
-				TlsSecretName: "ngrok-operator-default-tls",
-				AllowedURLs:   opts.bindings.allowedURLs,
+				TlsSecretName:     "ngrok-operator-default-tls",
+				EndpointSelectors: opts.bindings.endpointSelectors,
 			}
 			if opts.bindings.ingressEndpoint != "" {
 				k8sOperator.Spec.Binding.IngressEndpoint = &opts.bindings.ingressEndpoint