feat: introduce validation levels for lua (#6355)

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

Author: rudrakhp

api/v1alpha1/envoyproxy_types.go

@@ -158,12 +158,27 @@ type EnvoyProxySpec struct {
 	// +optional
 	PreserveRouteOrder *bool `json:"preserveRouteOrder,omitempty"`
 
-	// DisableLuaValidation disables the Lua script validation for Lua EnvoyExtensionPolicies
-	// +kubebuilder:default=false
+	// LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+	// Default: Strict
 	// +optional
-	DisableLuaValidation *bool `json:"disableLuaValidation,omitempty"`
+	LuaValidation *LuaValidation `json:"luaValidation,omitempty"`
 }
 
+// +kubebuilder:validation:Enum=Strict;Disabled
+type LuaValidation string
+
+const (
+	// LuaValidationStrict is the default level and checks for issues during script execution.
+	// Recommended if your scripts only use the standard Envoy Lua stream handle API.
+	// For supported APIs, see: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api
+	LuaValidationStrict LuaValidation = "Strict"
+
+	// LuaValidationDisabled disables all validation of Lua scripts.
+	// Scripts will be accepted and executed without any validation checks.
+	// This is not recommended unless your scripts import libraries that are not supported by Lua runtime validation.
+	LuaValidationDisabled LuaValidation = "Disabled"
+)
+
 // RoutingType defines the type of routing of this Envoy proxy.
 type RoutingType string
 

api/v1alpha1/zz_generated.deepcopy.go

@@ -270,11 +270,6 @@ spec:
                   the number of cpuset threads on the platform.
                 format: int32
                 type: integer
-              disableLuaValidation:
-                default: false
-                description: DisableLuaValidation disables the Lua script validation
-                  for Lua EnvoyExtensionPolicies
-                type: boolean
               extraArgs:
                 description: |-
                   ExtraArgs defines additional command line options that are provided to Envoy.
@@ -442,6 +437,14 @@ spec:
                       and the log level is the value. If unspecified, defaults to "default: warn".
                     type: object
                 type: object
+              luaValidation:
+                description: |-
+                  LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+                  Default: Strict
+                enum:
+                - Strict
+                - Disabled
+                type: string
               mergeGateways:
                 description: |-
                   MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -269,11 +269,6 @@ spec:
                   the number of cpuset threads on the platform.
                 format: int32
                 type: integer
-              disableLuaValidation:
-                default: false
-                description: DisableLuaValidation disables the Lua script validation
-                  for Lua EnvoyExtensionPolicies
-                type: boolean
               extraArgs:
                 description: |-
                   ExtraArgs defines additional command line options that are provided to Envoy.
@@ -441,6 +436,14 @@ spec:
                       and the log level is the value. If unspecified, defaults to "default: warn".
                     type: object
                 type: object
+              luaValidation:
+                description: |-
+                  LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+                  Default: Strict
+                enum:
+                - Strict
+                - Disabled
+                type: string
               mergeGateways:
                 description: |-
                   MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -19,7 +19,6 @@ envoyProxyForGatewayClass:
             socket_address:
               address: 127.0.0.1
               port_value: 19000
-    disableLuaValidation: false
     logging:
       level:
         default: warn

internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml

@@ -6,7 +6,6 @@ envoyProxyForGatewayClass:
     name: example
     namespace: default
   spec:
-    disableLuaValidation: false
     logging:
       level:
         default: warn

internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml

@@ -452,7 +452,8 @@ func (t *Translator) buildLua(
 	if err != nil {
 		return nil, err
 	}
-	if envoyProxy != nil && envoyProxy.Spec.DisableLuaValidation != nil && *envoyProxy.Spec.DisableLuaValidation {
+	if envoyProxy != nil && envoyProxy.Spec.LuaValidation != nil &&
+		*envoyProxy.Spec.LuaValidation == egv1a1.LuaValidationDisabled {
 		return &ir.Lua{
 			Name: name,
 			Code: luaCode,

internal/gatewayapi/envoyextensionpolicy.go

@@ -169,7 +169,6 @@ envoyProxyForGatewayClass:
     name: example
     namespace: default
   spec:
-    disableLuaValidation: false
     logging:
       level:
         default: warn

internal/gatewayapi/resource/testdata/all-resources.out.yaml

@@ -5,7 +5,7 @@ envoyProxyForGatewayClass:
     namespace: envoy-gateway-system
     name: test
   spec:
-    disableLuaValidation: true
+    luaValidation: Disabled
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway

internal/gatewayapi/testdata/envoyextensionpolicy-with-invalid-lua-validation-disabled.in.yaml

@@ -120,8 +120,8 @@ infraIR:
           name: test
           namespace: envoy-gateway-system
         spec:
-          disableLuaValidation: true
           logging: {}
+          luaValidation: Disabled
         status: {}
       listeners:
       - address: null