[V1.16] Secret Deletion Validation (#9207)

* Secret Deletion validation against Previous State (#9122)

* poc

* updated logging

* Update validator_test.go

* Update api_snapshot.sk.go

* Update validator.go

* build?

* Update validator.go

* Update validator.go

* logging for ee

* Update validator.go

* updates and logging

* tightening

* reverting githook

* Create secret-deletion-with-warnings.yaml

* updates, tests passing

* extra logging

* Progress

* separating errors and warnings in validation

* generate and cleanup

* Adding secret deletion test table

* Update validator.go

* Update aggregate_translator.go

* Update validator_test.go

* Update go.mod

* Update go.mod

* Revert "Update go.mod"

This reverts commit 19d72b7.

* unused artifact

* generate

* Adding changelog file to new location

* Deleting changelog file from old location

* Empty-Commit

* change EnableValidationAgainstSnapshot to DisableValidationAgainstSnapshot

* error tests

* fixing env

* generate

* Pr feedback

* Apply suggestions from code review

Co-authored-by: David Jumani <[email protected]>

* ordering proxies and PR feedback

* Added gloo validation scenarios

* Test updates

* Update validator.go

* Adding changelog file to new location

* Deleting changelog file from old location

* comments

* Update validator.go

* cleanup

* (feature branch target) Sheidkamp/secret delete no warnings (#9161)

* cleanup

* Update validator.go

Stop collecting separate warnings

* pull in modified solo-kit and update comments

* remove irrelevant `DO_NOT_SUBMITS`

* generate

* Add more errors to breaking error validation

* Update projects/gateway/pkg/validation/validator.go

Co-authored-by: Ben Taussig <[email protected]>

* PR Feedback

* Add kube2e test

* Update gateway_test.go

* Revert "Update gateway_test.go"

This reverts commit e83ab25.

* Update gateway_test.go

* kube e2e tests

* Update validator.go

* Update gateway_test.go

* Update solo-kit and generate

* typos

* Pr feedback

* Update test/kube2e/gateway/gateway_test.go

Co-authored-by: David Jumani <[email protected]>

* cleanup

* Rename `AgainstSnapshot`s to `AgainstPreviousState`

* generate

---------

Co-authored-by: changelog-bot <changelog-bot>
Co-authored-by: David Jumani <[email protected]>
Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
Co-authored-by: Ben Taussig <[email protected]>

* generate

* fix tests

* disableKubernetesDestinations: false

* disable by default

* No 'NEW_FEATURES' in backport

---------

Co-authored-by: David Jumani <[email protected]>
Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
Co-authored-by: Ben Taussig <[email protected]>

Author: 4 people

changelog/v1.16.5/secret-delete-with-revalidation.yaml

@@ -0,0 +1,29 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/gloo/issues/8931
+    resolvesIssue: false
+    description: >
+      Update to allow deletion of secrets when warnings or errors are present.
+
+      When the deletion of a secret is validated, the validating admission webhook removes the secret from the current snapshot,
+      runs translations and looks for errors. Previously, the secret would not be deleted if there were errors, or if there
+      were warnings and the `ignore_warnings` setting was set as `false`. This casues issues when trying to delete secrets that
+      are unrelated to the warnings or errors.
+
+      The new behavior is to collect all the artifacts of the valdiation process, rerun validation against the original snapshot,
+      and compare the artifacts from that process to the artifacts previously collected. If the artifacts are the same, the secret
+      did not degrade the system and the deletion is allowed. If the artifacts are different, the secret is not deleted and errors are returned.
+
+      Because this is a backport, the new behavior is disabled by default in order not to alter existing behavior. This feature can be 
+      turned on by setting the `DISABLE_VALIDATION_AGAINST_PREVIOUS_STATE` environment variable to `false` in the `gloo` deployment.
+      A dedicated helm value has not been added, and the environment variable can be set using `gloo.gloo.deployment.customEnv`
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: rotisserie
+    dependencyRepo: eris
+    dependencyTag: v0.5.4
+    description: Upgrade to get 'As' functionality. No other notable changes.
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: solo-io
+    dependencyRepo: solo-kit
+    dependencyTag: v0.34.2
+    description: Pull in changes to guarantee ordering of validation errors and warnings

docs/content/static/content/osa_provided.md

@@ -35,7 +35,7 @@ Name|Version|License
 [onsi/gomega](https://github.com/onsi/gomega)|v1.27.10|MIT License
 [pkg/browser](https://github.com/pkg/browser)|v0.0.0-20180916011732-0a3d74bf9ce4|BSD 2-clause "Simplified" License
 [pkg/errors](https://github.com/pkg/errors)|v0.9.1|BSD 2-clause "Simplified" License
-[rotisserie/eris](https://github.com/rotisserie/eris)|v0.4.0|MIT License
+[rotisserie/eris](https://github.com/rotisserie/eris)|v0.5.4|MIT License
 [saiskee/gettercheck](https://github.com/saiskee/gettercheck)|v0.0.0-20210820204958-38443d06ebe0|MIT License
 [sergi/go-diff](https://github.com/sergi/go-diff)|v1.1.0|MIT License
 [spf13/afero](https://github.com/spf13/afero)|v1.9.2|Apache License 2.0

go.mod

@@ -45,7 +45,7 @@ require (
 	github.com/onsi/gomega v1.27.10
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pkg/errors v0.9.1
-	github.com/rotisserie/eris v0.4.0
+	github.com/rotisserie/eris v0.5.4
 	github.com/saiskee/gettercheck v0.0.0-20210820204958-38443d06ebe0
 	github.com/sergi/go-diff v1.1.0
 	github.com/solo-io/go-list-licenses v0.1.4
@@ -57,7 +57,7 @@ require (
 
 	// Pinned to the latest `gloo-repo-branch` tag of solo-apis (`sa-k8s-1.28-bump`)
 	github.com/solo-io/solo-apis v0.0.0-20231206142556-d2e3ed6d4476
-	github.com/solo-io/solo-kit v0.34.0
+	github.com/solo-io/solo-kit v0.34.2
 	github.com/spf13/afero v1.9.2
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -1748,8 +1748,8 @@ github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDN
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/rollbar/rollbar-go v1.0.2/go.mod h1:AcFs5f0I+c71bpHlXNNDbOWJiKwjFDtISeXco0L5PKQ=
 github.com/rotisserie/eris v0.1.1/go.mod h1:2ik3CyJrzlOjGyDGrKfqZivSfmkhCS3ktE+T1mNzzLk=
-github.com/rotisserie/eris v0.4.0 h1:wfZW5hp90Y386s54DoJDK2Th3ycZotiBGM7b5b5aIHI=
-github.com/rotisserie/eris v0.4.0/go.mod h1:lODN/gtqebxPHRbCcWeCYOE350FC2M3V/oAPT2wKxAU=
+github.com/rotisserie/eris v0.5.4 h1:Il6IvLdAapsMhvuOahHWiBnl1G++Q0/L5UIkI5mARSk=
+github.com/rotisserie/eris v0.5.4/go.mod h1:Z/kgYTJiJtocxCbFfvRmO+QejApzG6zpyky9G1A4g9s=
 github.com/rs/dnscache v0.0.0-20211102005908-e0241e321417/go.mod h1:qe5TWALJ8/a1Lqznoc5BDHpYX/8HU60Hm2AwRmqzxqA=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.9.1/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
@@ -1815,8 +1815,8 @@ github.com/solo-io/skv2 v0.36.0 h1:Z1iCQou0Ei5K97UShAmB8xPYrFFZeseMZvef+kZ4Of0=
 github.com/solo-io/skv2 v0.36.0/go.mod h1:0GKILLOrQiTKvGsf7UEFZJiDxJHrp0yKJQ6NbHzn+vY=
 github.com/solo-io/solo-apis v0.0.0-20231206142556-d2e3ed6d4476 h1:qtImo1deMtbVHKKkepwKfu1CDJBjGPvTmADtXVWBynE=
 github.com/solo-io/solo-apis v0.0.0-20231206142556-d2e3ed6d4476/go.mod h1:/2NUdNZ37KAhD1AfwFGR54rOK7ldDvmro17c0YRriKk=
-github.com/solo-io/solo-kit v0.34.0 h1:TbcxhR7qBr5UVjVG5QfoGawVdrEqBG14DLrgLmePfmo=
-github.com/solo-io/solo-kit v0.34.0/go.mod h1:HkrxDRo+uR0FZUJi+SGAUkbrUNWC6V0FD7GGXbtC0UU=
+github.com/solo-io/solo-kit v0.34.2 h1:qcQGvhGEBDY5zvDMcP7z4BjAi+v66BtNLm984hZQK/s=
+github.com/solo-io/solo-kit v0.34.2/go.mod h1:HkrxDRo+uR0FZUJi+SGAUkbrUNWC6V0FD7GGXbtC0UU=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=

projects/gateway/pkg/utils/gateway_filtering.go

@@ -1,6 +1,8 @@
 package utils
 
 import (
+	"sort"
+
 	"github.com/solo-io/gloo/projects/gateway/pkg/defaults"
 
 	v1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1"
@@ -17,6 +19,41 @@ func GatewaysByProxyName(gateways v1.GatewayList) map[string]v1.GatewayList {
 	return result
 }
 
+// GatewaysAndProxyName is a struct that holds a list of gateways and a proxy name
+type GatewaysAndProxyName struct {
+	Gateways v1.GatewayList
+	Name     string
+}
+
+// SortedGatewaysByProxyName returns a slice of GatewaysAndProxyName structs, sorted by proxy name
+func SortedGatewaysByProxyName(gateways v1.GatewayList) []GatewaysAndProxyName {
+	// Create the mapping
+	gatewaysByProxyName := make(map[string]v1.GatewayList)
+	for _, gw := range gateways {
+		proxyNames := GetProxyNamesForGateway(gw)
+		for _, name := range proxyNames {
+			gatewaysByProxyName[name] = append(gatewaysByProxyName[name], gw)
+		}
+	}
+
+	// Create and populate the slice
+	var gatewayAndProxyNames []GatewaysAndProxyName
+
+	for name, gateways := range gatewaysByProxyName {
+		gatewayAndProxyNames = append(gatewayAndProxyNames, GatewaysAndProxyName{
+			Gateways: gateways,
+			Name:     name,
+		})
+	}
+
+	// sort the slice by the struct's Name field
+	sort.Slice(gatewayAndProxyNames, func(i, j int) bool {
+		return gatewayAndProxyNames[i].Name < gatewayAndProxyNames[j].Name
+	})
+
+	return gatewayAndProxyNames
+}
+
 func GetProxyNamesForGateway(gw *v1.Gateway) []string {
 	proxyNames := gw.GetProxyNames()
 	if len(proxyNames) == 0 {

projects/gateway/pkg/utils/gateway_filtering_test.go

@@ -30,4 +30,29 @@ var _ = Describe("gateway util unit tests", func() {
 			}))
 		})
 	})
+
+	Describe("SortedGatewaysByProxyName", func() {
+		// Must pass repeatedly so we don't accidentally get the right order by chance
+		It("assigns each gateway once to each proxy by their proxyNames", MustPassRepeatedly(5), func() {
+
+			gws := v1.GatewayList{
+				{Metadata: &core.Metadata{Name: "gw5"}, ProxyNames: []string{"proxy3", "proxy2"}},
+				{Metadata: &core.Metadata{Name: "gw4"}, ProxyNames: []string{"proxy1", "proxy4"}},
+				{Metadata: &core.Metadata{Name: "gw3"}, ProxyNames: []string{"proxy1", defaults.GatewayProxyName}},
+				{Metadata: &core.Metadata{Name: "gw2"}, ProxyNames: []string{"proxy1", "proxy2"}},
+				{Metadata: &core.Metadata{Name: "gw1"}, ProxyNames: nil /*default proxy*/},
+			}
+
+			gw5, gw4, gw3, gw2, gw1 := gws[0], gws[1], gws[2], gws[3], gws[4]
+
+			byProxy := SortedGatewaysByProxyName(gws)
+			Expect(byProxy).To(Equal([]GatewaysAndProxyName{
+				{Gateways: v1.GatewayList{gw3, gw1}, Name: defaults.GatewayProxyName},
+				{Gateways: v1.GatewayList{gw4, gw3, gw2}, Name: "proxy1"},
+				{Gateways: v1.GatewayList{gw5, gw2}, Name: "proxy2"},
+				{Gateways: v1.GatewayList{gw5}, Name: "proxy3"},
+				{Gateways: v1.GatewayList{gw4}, Name: "proxy4"},
+			}))
+		})
+	})
 })