From 9808c359603adb702272efae64ec82ed118a91a4 Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 29 Jan 2025 14:01:17 +0200 Subject: [PATCH 01/15] Naive Implementation --- mirrord/operator/src/crd/policy.rs | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs index cf712606d3c..dcffef7c0a1 100644 --- a/mirrord/operator/src/crd/policy.rs +++ b/mirrord/operator/src/crd/policy.rs @@ -100,6 +100,9 @@ pub struct MirrordClusterPolicySpec { /// the user config. #[serde(default)] pub fs: FsPolicy, + + #[serde(default)] + pub network: NetworkPolicy, } /// Policy for controlling environment variables access from mirrord instances. @@ -150,6 +153,26 @@ pub struct FsPolicy { pub not_found: HashSet, } +#[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] +#[serde(rename_all = "camelCase")] +pub struct NetworkPolicy { + #[serde(default)] + pub incoming: IncomingNetworkPolicy, +} + +#[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] +#[serde(rename_all = "camelCase")] +pub struct IncomingNetworkPolicy { + #[serde(default)] + pub filter: HttpFilterPolicy, +} + +#[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] +#[serde(rename_all = "camelCase")] +pub struct HttpFilterPolicy { + pub header_filter: Option, +} + #[test] fn check_one_api_group() { use kube::Resource; From 4347d1bab9487c1e6c888d4dff28f2e633912b22 Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 29 Jan 2025 14:09:03 +0200 Subject: [PATCH 02/15] Ops --- mirrord/operator/src/crd/policy.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs index dcffef7c0a1..880883baad3 100644 --- a/mirrord/operator/src/crd/policy.rs +++ b/mirrord/operator/src/crd/policy.rs 
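Review bot: `HttpFilterPolicy::header_filter` in the `@@ -150,6 +153,26 @@` hunk is stored as a bare optional value, with no doc comment and nothing visible here that checks it is a usable pattern. Every level above it is `#[serde(default)]`, so as far as serde is concerned an omitted key deserializes to "no restriction". Because this is an access-control setting, the field should say how the value is interpreted and what happens when the pattern cannot be compiled. Enforcement is not part of this patch, so please confirm that an invalid pattern denies the request rather than being skipped. A comment along the lines of `/// Pattern the user's HTTP header filter must match; a pattern that fails to compile must deny the steal, not allow it.` would record that contract.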
@@ -164,7 +164,7 @@ pub struct NetworkPolicy { #[serde(rename_all = "camelCase")] pub struct IncomingNetworkPolicy { #[serde(default)] - pub filter: HttpFilterPolicy, + pub http_filter: HttpFilterPolicy, } #[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] From 85fb685be8178e23c0637d4894182dc5c1ee5781 Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 29 Jan 2025 14:21:26 +0200 Subject: [PATCH 03/15] Ops 2 --- mirrord/operator/src/crd/policy.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs index 880883baad3..2eaa6b95f30 100644 --- a/mirrord/operator/src/crd/policy.rs +++ b/mirrord/operator/src/crd/policy.rs @@ -63,6 +63,9 @@ pub struct MirrordPolicySpec { /// the user config. #[serde(default)] pub fs: FsPolicy, + + #[serde(default)] + pub network: NetworkPolicy, } /// Custom cluster-wide resource for policies that limit what mirrord features users can use. From e3d540a5782931a3a7a6ec6ba6d912c8c9ed44fd Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 29 Jan 2025 15:04:36 +0200 Subject: [PATCH 04/15] deref str for filter --- mirrord/protocol/src/tcp.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/mirrord/protocol/src/tcp.rs b/mirrord/protocol/src/tcp.rs index e98077a62ec..7dc3f046cbc 100644 --- a/mirrord/protocol/src/tcp.rs +++ b/mirrord/protocol/src/tcp.rs @@ -155,6 +155,14 @@ impl Display for Filter { } } +impl std::ops::Deref for Filter { + type Target = str; + + fn deref(&self) -> &Self::Target { + &self.0 + } +} + /// Describes different types of HTTP filtering available #[derive(Encode, Decode, Debug, PartialEq, Eq, Clone)] pub enum HttpFilter { From 2420d406b23ddbabffeb070af4163e8e8d6ea670 Mon Sep 17 00:00:00 2001 
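Review bot: The `impl std::ops::Deref for Filter` added in `mirrord/protocol/src/tcp.rs` makes every `str` method callable on a `Filter` through auto-deref, which is a wider surface than reading the filter text needs and is a form usually kept for smart-pointer types. If the purpose is only to hand the filter text to a policy check (presumably the reason for this commit), an explicit borrow is narrower and easier to find when auditing call sites: `impl AsRef<str> for Filter { fn as_ref(&self) -> &str { &self.0 } }`. Whichever form stays, a `///` line on the impl saying what the returned text represents would help the next reader.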
From: Dmitry Dodzin Date: Wed, 29 Jan 2025 15:39:43 +0200 Subject: [PATCH 05/15] Tiny --- Cargo.lock | 2 +- mirrord/protocol/Cargo.toml | 2 +- mirrord/protocol/src/error.rs | 19 +++++++++++++++++-- 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b580cd7c9fb..b14a2acc33a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4493,7 +4493,7 @@ dependencies = [ [[package]] name = "mirrord-protocol" -version = "1.16.1" +version = "1.17.0" dependencies = [ "actix-codec", "bincode", diff --git a/mirrord/protocol/Cargo.toml b/mirrord/protocol/Cargo.toml index 7b491c83e85..22b2174c5a4 100644 --- a/mirrord/protocol/Cargo.toml +++ b/mirrord/protocol/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "mirrord-protocol" -version = "1.16.1" +version = "1.17.0" authors.workspace = true description.workspace = true documentation.workspace = true diff --git a/mirrord/protocol/src/error.rs b/mirrord/protocol/src/error.rs index 1047c9059cd..7acb0e31ea8 100644 --- a/mirrord/protocol/src/error.rs +++ b/mirrord/protocol/src/error.rs @@ -59,10 +59,11 @@ pub enum ResponseError { #[error("Operation is not yet supported by mirrord.")] NotImplemented, - #[error("{blocked_action} is forbidden by {} for this target (your organization does not allow you to use this mirrord feature with the chosen target).", policy_name_string(.policy_name.clone()))] + #[error("{blocked_action} is forbidden by {} for this target ({}).", policy_name_string(.policy_name.as_deref()), policy_reason(.reason.as_deref()))] Forbidden { blocked_action: BlockedAction, policy_name: Option, + reason: Option, }, #[error("Failed stripping path with `{0}`!")] @@ -79,7 +80,7 @@ impl From for ResponseError { } /// If some then the name with a trailing space, else empty string. -fn policy_name_string(policy_name: Option) -> String { +fn policy_name_string(policy_name: Option<&str>) -> String { if let Some(name) = policy_name { format!("the mirrord policy \"{name}\"") } else { 
@@ -87,10 +88,24 @@ fn policy_name_string(policy_name: Option) -> String { } } +fn policy_reason(reason: Option<&str>) -> String { + if let Some(reason) = reason { + format!("reason: \"{reason}\"") + } else { + "your organization does not allow you to use this mirrord feature with the chosen target" + .to_string() + } +} + /// Minimal mirrord-protocol version that allows [`BlockedAction::Mirror`]. pub static MIRROR_BLOCK_VERSION: LazyLock = LazyLock::new(|| ">=1.12.0".parse().expect("Bad Identifier")); +/// Minimal mirrord-protocol version that allows [`ResponseError::Forbidden`] to have `reason` +/// member. +pub static MIRROR_POLICY_REASON_VERSION: LazyLock = + LazyLock::new(|| ">=1.17.0".parse().expect("Bad Identifier")); + /// All the actions that can be blocked by the operator, to identify the blocked feature in a /// [`ResponseError::Forbidden`] message. #[derive(Encode, Decode, Debug, PartialEq, Clone, Eq, Error)] From e86b138dbb39b3fd35a08ab7eabea994c06a25e4 Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 29 Jan 2025 17:21:31 +0200 Subject: [PATCH 06/15] Docs --- mirrord/operator/src/crd/policy.rs | 8 ++++++++ mirrord/protocol/src/error.rs | 9 +++------ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs index 2eaa6b95f30..a4b228e0f1e 100644 --- a/mirrord/operator/src/crd/policy.rs +++ b/mirrord/operator/src/crd/policy.rs @@ -64,6 +64,7 @@ pub struct MirrordPolicySpec { #[serde(default)] pub fs: FsPolicy, + /// Fine grained control over network features like specifiying required http filters. #[serde(default)] pub network: NetworkPolicy, } @@ -156,6 +157,7 @@ pub struct FsPolicy { pub not_found: HashSet, } +/// Network operations policy that partialy mimics the mirrord network config. #[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] #[serde(rename_all = "camelCase")] pub struct NetworkPolicy { 
@@ -163,6 +165,7 @@ pub struct NetworkPolicy { pub incoming: IncomingNetworkPolicy, } +/// Incoming network operations policy that partialy mimics the mirrord network.incoming config. #[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] #[serde(rename_all = "camelCase")] pub struct IncomingNetworkPolicy { @@ -170,9 +173,14 @@ pub struct IncomingNetworkPolicy { pub http_filter: HttpFilterPolicy, } +/// Http filter policy that allows to specify any filter requirments that users must specify in +/// their config for a successful network steal #[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] #[serde(rename_all = "camelCase")] pub struct HttpFilterPolicy { + /// Require user's filter to match this regex if filter is provided. (this works in tandom with + /// `steal-without-filter` block to require the user to specify a header filter for network + /// steal feature) pub header_filter: Option, } diff --git a/mirrord/protocol/src/error.rs b/mirrord/protocol/src/error.rs index 7acb0e31ea8..5da1b48c828 100644 --- a/mirrord/protocol/src/error.rs +++ b/mirrord/protocol/src/error.rs @@ -89,12 +89,9 @@ fn policy_name_string(policy_name: Option<&str>) -> String { } fn policy_reason(reason: Option<&str>) -> String { - if let Some(reason) = reason { - format!("reason: \"{reason}\"") - } else { - "your organization does not allow you to use this mirrord feature with the chosen target" - .to_string() - } + reason + .unwrap_or("your organization does not allow you to use this mirrord feature with the chosen target") + .into() } /// Minimal mirrord-protocol version that allows [`BlockedAction::Mirror`]. From 3c402f03a4b1f3f8fef552e6f33ca0bf8a26e5f7 Mon Sep 17 00:00:00 2001 
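Review bot: The `header_filter` doc added in the `@@ -170,9 +173,14 @@` hunk says the user's filter must "match this regex" but does not say whether the match is anchored. As described, the check applies to the text of the user's filter, not to the requests that filter selects. If the match is a partial (search-style) match, which these hunks do not show, a filter that merely contains the required text would satisfy the policy while selecting more traffic than the policy author intended. The doc should state the matching mode and advise writing the pattern anchored, for example `/// The pattern is applied to the text of the user's filter; anchor it with ^ and $ so the whole filter must have the expected form.` The rewrites of this comment in patches 11 and 13 carry the same gap.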
From: Dmitry Dodzin Date: Wed, 29 Jan 2025 17:30:52 +0200 Subject: [PATCH 07/15] Changelog --- changelog.d/+operator-policy-http-filter.internal.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/+operator-policy-http-filter.internal.md diff --git a/changelog.d/+operator-policy-http-filter.internal.md b/changelog.d/+operator-policy-http-filter.internal.md new file mode 100644 index 00000000000..50c577de1ae --- /dev/null +++ b/changelog.d/+operator-policy-http-filter.internal.md @@ -0,0 +1 @@ +Add mirrord policy support for specifying requirment for header filter when performing steal-with-filter. From 18bc696667d303e023c0bf1d56d0993ae384f4ea Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 29 Jan 2025 17:32:04 +0200 Subject: [PATCH 08/15] Tiny --- changelog.d/+operator-policy-http-filter.internal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/+operator-policy-http-filter.internal.md b/changelog.d/+operator-policy-http-filter.internal.md index 50c577de1ae..fd9e4b63e18 100644 --- a/changelog.d/+operator-policy-http-filter.internal.md +++ b/changelog.d/+operator-policy-http-filter.internal.md @@ -1 +1 @@ -Add mirrord policy support for specifying requirment for header filter when performing steal-with-filter. +Add mirrord policy support for specifying pattern requirment for header filter when performing steal-with-filter. From cd1aea4332c149610f03ea278a32947d8d3db053 Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 29 Jan 2025 17:44:58 +0200 Subject: [PATCH 09/15] Ops --- tests/src/operator/policies.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/src/operator/policies.rs b/tests/src/operator/policies.rs index 2a0a8465bbe..0bfd8c081e2 100644 --- a/tests/src/operator/policies.rs +++ b/tests/src/operator/policies.rs 
@@ -121,6 +121,7 @@ fn block_steal_without_qualifiers() -> PolicyTestCase { block: vec![BlockedFeature::Steal], env: Default::default(), fs: Default::default(), + network: Default::default(), }, ), service_b_can_steal: No, @@ -141,6 +142,7 @@ fn block_steal_with_path_pattern() -> PolicyTestCase { block: vec![BlockedFeature::Steal], env: Default::default(), fs: Default::default(), + network: Default::default(), }, ), service_b_can_steal: EvenWithoutFilter, @@ -161,6 +163,7 @@ fn block_unfiltered_steal_with_path_pattern() -> PolicyTestCase { block: vec![BlockedFeature::StealWithoutFilter], env: Default::default(), fs: Default::default(), + network: Default::default(), }, ), service_b_can_steal: EvenWithoutFilter, @@ -181,6 +184,7 @@ fn block_unfiltered_steal_with_deployment_path_pattern() -> PolicyTestCase { block: vec![BlockedFeature::StealWithoutFilter], env: Default::default(), fs: Default::default(), + network: Default::default(), }, ), service_a_can_steal: OnlyWithFilter, @@ -207,6 +211,7 @@ fn block_steal_with_label_selector() -> PolicyTestCase { block: vec![BlockedFeature::Steal], env: Default::default(), fs: Default::default(), + network: Default::default(), }, ), service_b_can_steal: EvenWithoutFilter, @@ -234,6 +239,7 @@ fn block_steal_with_unmatching_policy() -> PolicyTestCase { block: vec![BlockedFeature::Steal], env: Default::default(), fs: Default::default(), + network: Default::default(), }, ), service_b_can_steal: EvenWithoutFilter, From 4d375430b598e04fbce1486a1495240074c27a08 Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 29 Jan 2025 17:49:56 +0200 Subject: [PATCH 10/15] Ops --- tests/src/operator/policies.rs | 1 + tests/src/operator/policies/fs.rs | 1 + 2 files changed, 2 insertions(+) diff --git a/tests/src/operator/policies.rs b/tests/src/operator/policies.rs index 0bfd8c081e2..d0f12dcaef3 100644 --- a/tests/src/operator/policies.rs +++ b/tests/src/operator/policies.rs 
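Review bot: Every policy fixture touched in `tests/src/operator/policies.rs` sets `network: Default::default()`, so none of these cases exercises the new `network.incoming.http_filter.header_filter` restriction. The same holds for the two fixtures updated in patch 10. A policy control that is only tested in its disabled state can regress to allowing everything without any test failing. Consider adding a case next to `block_unfiltered_steal_with_deployment_path_pattern` that sets a header pattern and asserts that a steal with a non-matching filter is refused while a matching one is accepted. The fixture bodies start and end outside these hunks, so this is based only on the lines shown.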
@@ -382,6 +382,7 @@ pub async fn create_cluster_policy_and_try_to_mirror( block: vec![BlockedFeature::Mirror], env: Default::default(), fs: Default::default(), + network: Default::default(), }, ), ) diff --git a/tests/src/operator/policies/fs.rs b/tests/src/operator/policies/fs.rs index 79a1b7e7202..c28a335956b 100644 --- a/tests/src/operator/policies/fs.rs +++ b/tests/src/operator/policies/fs.rs @@ -48,6 +48,7 @@ pub async fn create_namespaced_fs_policy_and_try_file_open( local: HashSet::from_iter(vec!["file\\.local".to_string()]), not_found: HashSet::from_iter(vec!["file\\.not-found".to_string()]), }, + network: Default::default(), }, ), &service.namespace, From a5f977300dde268eb721b2c6501c801efd925347 Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Thu, 30 Jan 2025 11:54:10 +0200 Subject: [PATCH 11/15] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Michał Smolarek <34063647+Razz4780@users.noreply.github.com> --- mirrord/operator/src/crd/policy.rs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs index a4b228e0f1e..2bd2ac18996 100644 --- a/mirrord/operator/src/crd/policy.rs +++ b/mirrord/operator/src/crd/policy.rs @@ -165,7 +165,7 @@ pub struct NetworkPolicy { pub incoming: IncomingNetworkPolicy, } -/// Incoming network operations policy that partialy mimics the mirrord network.incoming config. +/// Incoming network operations policy that partialy mimics the mirrord `network.incoming` config. #[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] #[serde(rename_all = "camelCase")] pub struct IncomingNetworkPolicy { 
@@ -173,14 +173,14 @@ pub struct IncomingNetworkPolicy { pub http_filter: HttpFilterPolicy, } -/// Http filter policy that allows to specify any filter requirments that users must specify in -/// their config for a successful network steal +/// Http filter policy that allows to specify requirements for the HTTP filter used in a session. #[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] #[serde(rename_all = "camelCase")] pub struct HttpFilterPolicy { - /// Require user's filter to match this regex if filter is provided. (this works in tandom with - /// `steal-without-filter` block to require the user to specify a header filter for network - /// steal feature) + /// Require the user's header filter to match this regex if such filter is provided. + /// + /// This works in tandem with the `steal-without-filter` block + /// to require that the user to specifies a header filter for the network steal feature. pub header_filter: Option, } From 3c9680fa0b4a2d9cf5231db72f2fbc9bb74b8f9e Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Tue, 4 Feb 2025 13:55:46 +0200 Subject: [PATCH 12/15] Make it so no protocol break --- .../src/proxies/incoming/subscriptions.rs | 7 +++++-- mirrord/layer/src/error.rs | 3 ++- mirrord/operator/src/crd/policy.rs | 2 +- mirrord/protocol/src/error.rs | 18 +++++++++--------- 4 files changed, 17 insertions(+), 13 deletions(-) diff --git a/mirrord/intproxy/src/proxies/incoming/subscriptions.rs b/mirrord/intproxy/src/proxies/incoming/subscriptions.rs index 7731707d8c8..24a59eaead7 100644 --- a/mirrord/intproxy/src/proxies/incoming/subscriptions.rs +++ b/mirrord/intproxy/src/proxies/incoming/subscriptions.rs 
@@ -258,9 +258,12 @@ impl SubscriptionsManager { } Err( - ref response_error @ ResponseError::Forbidden { + ref response_error @ (ResponseError::Forbidden { ref blocked_action, .. - }, + } + | ResponseError::ForbiddenWithReason { + ref blocked_action, .. + }), ) => { tracing::warn!(%response_error, "Port subscribe blocked by policy"); diff --git a/mirrord/layer/src/error.rs b/mirrord/layer/src/error.rs index 771f198944c..4f4b44b7812 100644 --- a/mirrord/layer/src/error.rs +++ b/mirrord/layer/src/error.rs @@ -281,7 +281,8 @@ impl From for i64 { ResponseError::PortAlreadyStolen(_port) => libc::EINVAL, ResponseError::NotImplemented => libc::EINVAL, ResponseError::StripPrefix(_) => libc::EINVAL, - err @ ResponseError::Forbidden { .. } => { + err @ (ResponseError::Forbidden { .. } + | ResponseError::ForbiddenWithReason { .. }) => { graceful_exit!( "Stopping mirrord run. Please adjust your mirrord configuration.\n{err}" ); diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs index 2bd2ac18996..598439653c3 100644 --- a/mirrord/operator/src/crd/policy.rs +++ b/mirrord/operator/src/crd/policy.rs @@ -178,7 +178,7 @@ pub struct IncomingNetworkPolicy { #[serde(rename_all = "camelCase")] pub struct HttpFilterPolicy { /// Require the user's header filter to match this regex if such filter is provided. - /// + /// /// This works in tandem with the `steal-without-filter` block /// to require that the user to specifies a header filter for the network steal feature. pub header_filter: Option, diff --git a/mirrord/protocol/src/error.rs b/mirrord/protocol/src/error.rs index 5da1b48c828..95cc85dcd45 100644 --- a/mirrord/protocol/src/error.rs +++ b/mirrord/protocol/src/error.rs 
@@ -59,11 +59,10 @@ pub enum ResponseError { #[error("Operation is not yet supported by mirrord.")] NotImplemented, - #[error("{blocked_action} is forbidden by {} for this target ({}).", policy_name_string(.policy_name.as_deref()), policy_reason(.reason.as_deref()))] + #[error("{blocked_action} is forbidden by {} for this target (your organization does not allow you to use this mirrord feature with the chosen target).", policy_name_string(.policy_name.as_deref()))] Forbidden { blocked_action: BlockedAction, policy_name: Option, - reason: Option, }, #[error("Failed stripping path with `{0}`!")] @@ -71,6 +70,13 @@ pub enum ResponseError { #[error("File has to be opened locally!")] OpenLocal, + + #[error("{blocked_action} is forbidden by {} for this target ({reason}).", policy_name_string(.policy_name.as_deref()))] + ForbiddenWithReason { + blocked_action: BlockedAction, + policy_name: Option, + reason: String, + }, } impl From for ResponseError { @@ -88,12 +94,6 @@ fn policy_name_string(policy_name: Option<&str>) -> String { } } -fn policy_reason(reason: Option<&str>) -> String { - reason - .unwrap_or("your organization does not allow you to use this mirrord feature with the chosen target") - .into() -} - /// Minimal mirrord-protocol version that allows [`BlockedAction::Mirror`]. pub static MIRROR_BLOCK_VERSION: LazyLock = LazyLock::new(|| ">=1.12.0".parse().expect("Bad Identifier")); @@ -104,7 +104,7 @@ pub static MIRROR_POLICY_REASON_VERSION: LazyLock = LazyLock::new(|| ">=1.17.0".parse().expect("Bad Identifier")); /// All the actions that can be blocked by the operator, to identify the blocked feature in a -/// [`ResponseError::Forbidden`] message. +/// [`ResponseError::Forbidden`] or [`ResponseError::ForbiddenWithReason`] message. #[derive(Encode, Decode, Debug, PartialEq, Clone, Eq, Error)] pub enum BlockedAction { Steal(StealType), From 61550a1d919d4b70d431de399171ef4cd69e5732 Mon Sep 17 00:00:00 2001 
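Review bot: `ForbiddenWithReason` in the `@@ -71,6 +70,13 @@` hunk has no doc comment, and the doc on `MIRROR_POLICY_REASON_VERSION` (added in patch 05, outside these hunks) still describes `ResponseError::Forbidden` gaining a `reason` member, which this commit reverts. Judging by the commit title and the version constant, a peer built before 1.17.0 cannot decode the new variant. The variant should therefore carry a `///` note that it may only be sent when the peer's protocol version satisfies `MIRROR_POLICY_REASON_VERSION`, with plain `Forbidden` as the fallback. The constant's doc link should point at `ResponseError::ForbiddenWithReason` instead. No sender-side version check is visible in this series, so confirm one exists where the error is produced.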
From: Dmitry Dodzin Date: Wed, 5 Feb 2025 18:06:03 +0200 Subject: [PATCH 13/15] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Michał Smolarek <34063647+Razz4780@users.noreply.github.com> --- mirrord/operator/src/crd/policy.rs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs index 598439653c3..2852e1ea774 100644 --- a/mirrord/operator/src/crd/policy.rs +++ b/mirrord/operator/src/crd/policy.rs @@ -64,7 +64,7 @@ pub struct MirrordPolicySpec { #[serde(default)] pub fs: FsPolicy, - /// Fine grained control over network features like specifiying required http filters. + /// Fine grained control over network features like specifying required HTTP filters. #[serde(default)] pub network: NetworkPolicy, } @@ -177,10 +177,18 @@ pub struct IncomingNetworkPolicy { #[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)] #[serde(rename_all = "camelCase")] pub struct HttpFilterPolicy { - /// Require the user's header filter to match this regex if such filter is provided. + /// Require the user's header filter to match this regex, if such filter is provided. /// /// This works in tandem with the `steal-without-filter` block - /// to require that the user to specifies a header filter for the network steal feature. + /// to require that the user specifies a header filter for the network steal feature. + /// + /// # Composed filters + /// + /// When the user requests an `all_of` HTTP filter, at least one of the nested filters + /// must be a header filter that matches this regex. At least one nested filter is required. + /// + /// When the user requests an `any_of` HTTP filter, all nested filters + /// must be header filters and match this regex. At least one nested filter is required. pub header_filter: Option, } 
From e764363bcdeeb72bdfc2992dec9c0bcdc464ad70 Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 5 Feb 2025 18:09:34 +0200 Subject: [PATCH 14/15] Update to current behavior --- mirrord/operator/src/crd/policy.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs index 2852e1ea774..6e3c95dfc82 100644 --- a/mirrord/operator/src/crd/policy.rs +++ b/mirrord/operator/src/crd/policy.rs @@ -186,9 +186,9 @@ pub struct HttpFilterPolicy { /// /// When the user requests an `all_of` HTTP filter, at least one of the nested filters /// must be a header filter that matches this regex. At least one nested filter is required. - /// - /// When the user requests an `any_of` HTTP filter, all nested filters - /// must be header filters and match this regex. At least one nested filter is required. + /// + /// When the user requests an `any_of` HTTP filter, all nested header filters must match this + /// regex. pub header_filter: Option, } From 948bb0da59f94ac9ec22d42a8e4fde5a01cbe8eb Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Wed, 5 Feb 2025 18:11:44 +0200 Subject: [PATCH 15/15] Update --- mirrord/operator/src/crd/policy.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs index 6e3c95dfc82..26ffacacff5 100644 --- a/mirrord/operator/src/crd/policy.rs +++ b/mirrord/operator/src/crd/policy.rs @@ -188,7 +188,7 @@ pub struct HttpFilterPolicy { /// must be a header filter that matches this regex. At least one nested filter is required. /// /// When the user requests an `any_of` HTTP filter, all nested header filters must match this - /// regex. + /// regex. At least one nested header filter is required. pub header_filter: Option, }
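Review bot: The `any_of` rule as rewritten in the `@@ -186,9 +186,9 @@` hunk constrains only the nested header filters, so an `any_of` that also holds a nested filter of another kind is accepted while that branch is not bound by `header_filter` at all. Since `any_of` presumably selects a request when any branch matches, the effective steal can be wider than the pattern the policy author required. The wording removed here ("all nested filters must be header filters and match this regex") did not have that gap. If the current behaviour is intended, state it in the doc so policy authors do not rely on the stricter reading, e.g. `/// Nested filters that are not header filters are not restricted by this policy.`; otherwise enforcement should reject such composed filters. Patch 15 keeps the same rule and only adds the at-least-one-header-filter requirement.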