Kube Gateway Policy Validation #9456

Merged
merged 54 commits into from May 16, 2024

@lgadban lgadban commented May 7, 2024

Description

Implements webhook validation for Gloo Gateway Policies in the context of Kubernetes Gateway API.
RouteOption and VirtualHostOption CRs will be hermetically validated to prevent admission for semantically incorrect resources. Referential errors (i.e. "warnings" in the Gloo Edge API) will not be checked.

Context

Validation is implemented in the existing webhook but does NOT do a full translation like the original Gloo Edge API validation. There are many challenges associated with performing a full translation (see design doc for more analysis).
This approach gives us semantic validation/rejection via a webhook without needing a snapshot-based full translation.

Testing steps

Manually verified with resources such as:

apiVersion: gateway.solo.io/v1
kind: RouteOption
metadata:
  name: policy-attached
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: example-route
  options:
    faults:
      abort:
        percentage: 100
        # httpStatus: 500 <-- commented out to break plugin, this causes error

Error from server: error when creating "projects/gateway2/examples/example-http-route-with-attached-options.yaml": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.RouteOption failed: 1 error occurred:
	* Validating *v1.RouteOption failed: validating *v1.RouteOption name:"policy-attached" namespace:"default": 1 error occurred:
	* Route Error: ProcessingError. Reason: *faultinjection.plugin: invalid abort status code '0', must be in range of [200,600). Route Name:

apiVersion: gateway.solo.io/v1
kind: VirtualHostOption
metadata:
  name: policy-attached
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: gw
  options:
    bufferPerRoute:
      buffer: {}

Error from server: error when creating "projects/gateway2/examples/example-http-route-with-attached-vhost-options.yaml": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.VirtualHostOption failed: 1 error occurred:
	* Validating *v1.VirtualHostOption failed: validating *v1.VirtualHostOption name:"policy-attached" namespace:"default": 1 error occurred:
	* VirtualHost Error: ProcessingError. Reason: invalid virtual host [vhost]: invalid BufferPerRoute.Buffer: embedded message failed validation | caused by: invalid Buffer.MaxRequestBytes: value is required and must not be nil.

Still exploring how we can test this in the new e2e testing framework

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

BOT NOTES:
resolves https://github.com/solo-io/solo-projects/issues/6063
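
The kind of per-object check described above, as an added Go example that is not the project's own code: `validatePolicy` and the `policy` struct are hypothetical, and the JSON field name `maxRequestBytes` is assumed from the error text. It validates one object with no snapshot and never resolves `targetRef`, reproducing the two rejections shown.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policy mirrors only the option fields of the two manifests shown in this PR.
// The JSON name maxRequestBytes is an assumption taken from the error text.
type policy struct {
	Spec struct {
		Options struct {
			Faults *struct {
				Abort *struct {
					HTTPStatus uint32 `json:"httpStatus"`
				} `json:"abort"`
			} `json:"faults"`
			BufferPerRoute *struct {
				Buffer *struct {
					MaxRequestBytes *uint32 `json:"maxRequestBytes"`
				} `json:"buffer"`
			} `json:"bufferPerRoute"`
		} `json:"options"`
	} `json:"spec"`
}

// validatePolicy (hypothetical) checks one object on its own: no snapshot and
// no lookup of the targetRef, so referential problems are never reported.
func validatePolicy(raw []byte) (allowed bool, reasons []string) {
	var p policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return false, []string{"decode: " + err.Error()}
	}
	o := p.Spec.Options
	if o.Faults != nil && o.Faults.Abort != nil {
		if s := o.Faults.Abort.HTTPStatus; s < 200 || s >= 600 {
			reasons = append(reasons, fmt.Sprintf("invalid abort status code '%d', must be in range of [200,600)", s))
		}
	}
	if b := o.BufferPerRoute; b != nil && b.Buffer != nil && b.Buffer.MaxRequestBytes == nil {
		reasons = append(reasons, "invalid Buffer.MaxRequestBytes: value is required and must not be nil")
	}
	return len(reasons) == 0, reasons
}

func main() {
	// Constructed input: the RouteOption from the PR as the JSON a webhook receives.
	ok, why := validatePolicy([]byte(`{"spec":{"options":{"faults":{"abort":{"percentage":100}}}}}`))
	fmt.Println(ok, why)
}
```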

@github-actions github-actions bot added the keep pr updated signals bulldozer to keep pr up to date with base branch label May 7, 2024
@solo-changelog-bot

Issues linked to changelog:
https://github.com/solo-io/solo-projects/issues/6063

@lgadban lgadban changed the title Ggv2 validation Kube Gateway Policy Validation May 7, 2024
@lgadban lgadban marked this pull request as ready for review May 7, 2024 20:04
@lgadban lgadban requested a review from a team as a code owner May 7, 2024 20:04

github-actions bot commented May 7, 2024

Visit the preview URL for this PR (updated for commit 79f32a6):

https://gloo-edge--pr9456-ggv2-validation-9fqddthj.web.app

(expires Thu, 23 May 2024 17:29:06 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 77c2b86e287749579b7ff9cadb81e099042ef677


@sam-heilbron sam-heilbron left a comment

Looking great! I like the direction, accepting it as a viable solution in the short-term

@npolshakova npolshakova mentioned this pull request May 10, 2024
2 tasks

@sam-heilbron sam-heilbron left a comment

LGTM!

@sam-heilbron

Per standup, @jbohanon @npolshakova @sam-heilbron are happy to have this merge as is.

Sam is going to resolve the comments to allow the PR to merge

@npolshakova

/kick build-bot

@soloio-bulldozer soloio-bulldozer bot merged commit fd331e5 into main May 16, 2024
25 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the ggv2-validation branch May 16, 2024 17:51