refactor: support direct rule evaluation (#239)

## Issue
N/A

## Description
Refactor to support direct, in-process evaluation of network rules.

Required by:
- validator-labs/validatorctl#102

Related:
- validator-labs/validator-plugin-aws#450

---------

Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com>

Author: TylerGillson

api/v1alpha1/networkvalidator_types.go

@@ -18,6 +18,8 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/validator-labs/validator-plugin-network/pkg/constants"
 )
 
 // NetworkValidatorSpec defines the desired state of NetworkValidator
@@ -50,6 +52,16 @@ type NetworkValidatorSpec struct {
 	CACerts CACertificates `json:"caCerts,omitempty" yaml:"caCerts,omitempty"`
 }
 
+// PluginCode returns the network validator's plugin code.
+func (s NetworkValidatorSpec) PluginCode() string {
+	return constants.PluginCode
+}
+
+// ResultCount returns the number of validation results expected for a NetworkValidatorSpec.
+func (s NetworkValidatorSpec) ResultCount() int {
+	return len(s.DNSRules) + len(s.ICMPRules) + len(s.IPRangeRules) + len(s.MTURules) + len(s.TCPConnRules) + len(s.HTTPFileRules)
+}
+
 // CACertificates contains configuration for additional CA certificates to use for TLS. Can be certs
 // provided inline or secret references. Secrets are assumed to be in the same namespace as the
 // NetworkValidator.
@@ -62,6 +74,16 @@ type CACertificates struct {
 	SecretRefs []CASecretReference `json:"secretRefs,omitempty" yaml:"secretRefs,omitempty"`
 }
 
+// RawCerts returns the raw certificates included in a CACertificates.
+// SecretRefs are not included.
+func (c CACertificates) RawCerts() [][]byte {
+	certs := make([][]byte, 0, len(c.Certs))
+	for _, cert := range c.Certs {
+		certs = append(certs, []byte(cert))
+	}
+	return certs
+}
+
 // Certificate is a certificate specified inline.
 // +kubebuilder:validation:MinLength=1
 type Certificate string
@@ -81,11 +103,6 @@ func (r CASecretReference) Keys() []string {
 	return []string{r.Key}
 }
 
-// ResultCount returns the number of validation results expected for a NetworkValidatorSpec.
-func (s NetworkValidatorSpec) ResultCount() int {
-	return len(s.DNSRules) + len(s.ICMPRules) + len(s.IPRangeRules) + len(s.MTURules) + len(s.TCPConnRules) + len(s.HTTPFileRules)
-}
-
 // DNSRule defines a DNS validation rule.
 type DNSRule struct {
 	// RuleName is a unique identifier for the rule in the validator. Used to ensure conditions do not overwrite each other.
@@ -218,6 +235,16 @@ type NetworkValidator struct {
 	Status NetworkValidatorStatus `json:"status,omitempty"`
 }
 
+// PluginCode returns the network validator's plugin code.
+func (v NetworkValidator) PluginCode() string {
+	return v.Spec.PluginCode()
+}
+
+// ResultCount returns the number of validation results expected for a NetworkValidator.
+func (v NetworkValidator) ResultCount() int {
+	return v.Spec.ResultCount()
+}
+
 //+kubebuilder:object:root=true
 
 // NetworkValidatorList contains a list of NetworkValidator

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/go-logr/logr v1.4.2
 	github.com/onsi/ginkgo/v2 v2.19.1
 	github.com/onsi/gomega v1.34.1
-	github.com/validator-labs/validator v0.0.50
+	github.com/validator-labs/validator v0.1.1
 	k8s.io/api v0.30.3
 	k8s.io/apimachinery v0.30.3
 	k8s.io/client-go v0.30.3
@@ -72,3 +72,5 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+// replace github.com/validator-labs/validator => ../validator

go.sum

@@ -132,8 +132,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/validator-labs/validator v0.0.50 h1:8h0Dy1Hl0818WuTF8hgZ3HaNxUtGSm130Zrp7f7vjGw=
-github.com/validator-labs/validator v0.0.50/go.mod h1:YxUKAXuSR6fIAi7WCQV/Wbrzf9szf8aCTeYWEA+JyIY=
+github.com/validator-labs/validator v0.1.1 h1:BzUWeSAP5eGHX2oOulJWZxXr+Zz6Uh6ZqP5sYudnv3I=
+github.com/validator-labs/validator v0.1.1/go.mod h1:to8CMM+LlTcEzbqxVyHND9/uJO2+ORTFk9ovqVOnCU8=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=

internal/controller/networkvalidator_controller.go

@@ -19,26 +19,20 @@ package controller
 
 import (
 	"context"
-	"fmt"
 	"time"
 
 	"github.com/go-logr/logr"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ktypes "k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/cluster-api/util/patch"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/validator-labs/validator-plugin-network/api/v1alpha1"
-	"github.com/validator-labs/validator-plugin-network/internal/constants"
-	"github.com/validator-labs/validator-plugin-network/internal/http"
-	"github.com/validator-labs/validator-plugin-network/internal/secrets"
-	"github.com/validator-labs/validator-plugin-network/internal/validators"
+	"github.com/validator-labs/validator-plugin-network/pkg/secrets"
+	"github.com/validator-labs/validator-plugin-network/pkg/validate"
 	vapi "github.com/validator-labs/validator/api/v1alpha1"
-	"github.com/validator-labs/validator/pkg/types"
-	"github.com/validator-labs/validator/pkg/util"
 	vres "github.com/validator-labs/validator/pkg/validationresult"
 )
 
@@ -74,16 +68,16 @@ func (r *NetworkValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		return ctrl.Result{}, err
 	}
 	nn := ktypes.NamespacedName{
-		Name:      validationResultName(validator),
+		Name:      vres.Name(validator),
 		Namespace: req.Namespace,
 	}
 	if err := r.Get(ctx, nn, vr); err == nil {
-		vres.HandleExistingValidationResult(vr, r.Log)
+		vres.HandleExisting(vr, r.Log)
 	} else {
 		if !apierrs.IsNotFound(err) {
 			l.Error(err, "unexpected error getting ValidationResult")
 		}
-		if err := vres.HandleNewValidationResult(ctx, r.Client, p, buildValidationResult(validator), r.Log); err != nil {
+		if err := vres.HandleNew(ctx, r.Client, p, vres.Build(validator), r.Log); err != nil {
 			return ctrl.Result{}, err
 		}
 		return ctrl.Result{RequeueAfter: time.Millisecond}, nil
@@ -92,18 +86,9 @@ func (r *NetworkValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	// Always update the expected result count in case the validator's rules have changed
 	vr.Spec.ExpectedResults = validator.Spec.ResultCount()
 
-	resp := types.ValidationResponse{
-		ValidationRuleResults: make([]*types.ValidationRuleResult, 0, vr.Spec.ExpectedResults),
-		ValidationRuleErrors:  make([]error, 0, vr.Spec.ExpectedResults),
-	}
-
-	networkService := validators.NewNetworkService(r.Log)
+	// Fetch additional CAs to augment the system cert pool
+	caPems := validator.Spec.CACerts.RawCerts()
 
-	// If CACert config provided, use the inline certs and secret refs.
-	caPems := make([][]byte, 0)
-	for _, cert := range validator.Spec.CACerts.Certs {
-		caPems = append(caPems, []byte(cert))
-	}
 	for _, secretRef := range validator.Spec.CACerts.SecretRefs {
 		caPem, err := secrets.ReadKeys(secretRef.Name, req.Namespace, []string{secretRef.Key}, r.Client)
 		if err != nil {
@@ -113,57 +98,25 @@ func (r *NetworkValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		caPems = append(caPems, caPem[0])
 	}
 
-	// DNS rules
-	for _, rule := range validator.Spec.DNSRules {
-		vrr := networkService.ReconcileDNSRule(rule)
-		resp.AddResult(vrr, err)
-	}
-
-	// ICMP rules
-	for _, rule := range validator.Spec.ICMPRules {
-		vrr := networkService.ReconcileICMPRule(rule)
-		resp.AddResult(vrr, err)
-	}
-
-	// IP range rules
-	for _, rule := range validator.Spec.IPRangeRules {
-		vrr := networkService.ReconcileIPRangeRule(rule)
-		resp.AddResult(vrr, err)
-	}
-
-	// MTU rules
-	for _, rule := range validator.Spec.MTURules {
-		vrr := networkService.ReconcileMTURule(rule)
-		resp.AddResult(vrr, err)
-	}
-
-	// TCP connection rules
-	for _, rule := range validator.Spec.TCPConnRules {
-		tlsConfig := http.TLSConfig(caPems, rule.InsecureSkipTLSVerify, r.Log)
-		ruleSvc := validators.NewNetworkService(r.Log, validators.WithTLSConfig(tlsConfig))
-		vrr := ruleSvc.ReconcileTCPConnRule(rule)
-		resp.AddResult(vrr, err)
-	}
-
-	// HTTP file rules
+	// Fetch HTTP basic auth credentials
+	auths := make([][][]byte, len(validator.Spec.HTTPFileRules))
 	for _, rule := range validator.Spec.HTTPFileRules {
 		var auth [][]byte
 		if rule.AuthSecretRef != nil {
 			auth, err = secrets.ReadKeys(rule.AuthSecretRef.Name, req.Namespace, rule.AuthSecretRef.Keys(), r.Client)
 			if err != nil {
-				vrr := validators.BuildValidationResult(rule, constants.ValidationTypeHTTPFile)
-				resp.AddResult(vrr, fmt.Errorf("failed to parse HTTP basic auth: %w", err))
-				continue
+				r.Log.Error(err, "failed to parse HTTP basic auth", "rule", rule.RuleName)
+				return ctrl.Result{}, err
 			}
 		}
-		transport := http.Transport(caPems, auth, rule.InsecureSkipTLSVerify, r.Log)
-		ruleSvc := validators.NewNetworkService(r.Log, validators.WithTransport(transport))
-		vrr := ruleSvc.ReconcileHTTPFileRule(rule)
-		resp.AddResult(vrr, err)
+		auths = append(auths, auth)
 	}
 
+	// Validate the rules
+	resp := validate.Validate(validator.Spec, caPems, auths, r.Log)
+
 	// Patch the ValidationResult with the latest ValidationRuleResults
-	if err := vres.SafeUpdateValidationResult(ctx, p, vr, resp, r.Log); err != nil {
+	if err := vres.SafeUpdate(ctx, p, vr, resp, r.Log); err != nil {
 		return ctrl.Result{}, err
 	}
 
@@ -177,29 +130,3 @@ func (r *NetworkValidatorReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		For(&v1alpha1.NetworkValidator{}).
 		Complete(r)
 }
-
-func buildValidationResult(validator *v1alpha1.NetworkValidator) *vapi.ValidationResult {
-	return &vapi.ValidationResult{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      validationResultName(validator),
-			Namespace: validator.Namespace,
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					APIVersion: validator.APIVersion,
-					Kind:       validator.Kind,
-					Name:       validator.Name,
-					UID:        validator.UID,
-					Controller: util.Ptr(true),
-				},
-			},
-		},
-		Spec: vapi.ValidationResultSpec{
-			Plugin:          constants.PluginCode,
-			ExpectedResults: validator.Spec.ResultCount(),
-		},
-	}
-}
-
-func validationResultName(validator *v1alpha1.NetworkValidator) string {
-	return fmt.Sprintf("validator-plugin-network-%s", validator.Name)
-}

internal/controller/networkvalidator_controller_test.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/validator-labs/validator-plugin-network/api/v1alpha1"
 	vapi "github.com/validator-labs/validator/api/v1alpha1"
+	vres "github.com/validator-labs/validator/pkg/validationresult"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -95,7 +96,7 @@ var _ = Describe("NetworkValidator controller", Ordered, func() {
 	}
 
 	vr := &vapi.ValidationResult{}
-	vrKey := types.NamespacedName{Name: validationResultName(val), Namespace: validatorNamespace}
+	vrKey := types.NamespacedName{Name: vres.Name(val), Namespace: validatorNamespace}
 
 	It("Should create a ValidationResult and update its Status", func() {
 		By("By creating a new NetworkValidator")