refactor: align using CEL for target ref validation

[KevFan]

• refactor: use standard lib instead for slices
  • The experimental slices package has been moved to the standard library from go 1.21 which allows us to remove this as a direct dependency
• refactor: remove redundant validation code from auth policy
  • Target Ref validation is already covered by CEL validation
• refactor: use kubebuilder validation for supported target refs for rlp
  • Align with AuthPolicy which uses CEL validation instead
• test: target ref validation integrations tests for RLP and AP
  • refactor unit tests to integration tests to check that target ref CEL is working as expected
• refactor: integration test auth policy route selector CEL
  • Route selector validation is already covered by CEL. Remove redundant validation code in Validation() function and add new integration tests for testing CEL validation
• refactor: rlp route selector validation using CEL
  • Align using CEL for RLP route selector validation like in AP. Add new integration test for testing route selector CEL for RLP

[codecov]

Codecov Report

Merging #364 (aa55a03) into main (13c75de) will decrease coverage by 0.93%.
The diff coverage is n/a.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #364      +/-   ##
==========================================
- Coverage   66.14%   65.21%   -0.93%     
==========================================
  Files          35       35              
  Lines        3843     3795      -48     
==========================================
- Hits         2542     2475      -67     
- Misses       1113     1126      +13     
- Partials      188      194       +6     

Flag	Coverage Δ
integration	70.73% <ø> (-1.34%)	⬇️
unit	58.90% <ø> (-0.65%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
api/v1beta1 (u)	∅ <ø> (∅)
pkg/common (u)	76.92% <ø> (ø)
pkg/istio (u)	37.11% <ø> (ø)
pkg/log (u)	31.81% <ø> (ø)
pkg/reconcilers (u)	33.21% <ø> (ø)
pkg/rlptools (u)	56.46% <ø> (ø)
controllers (i)	70.73% <ø> (-1.34%)	⬇️

Files	Coverage Δ
api/v1beta2/authpolicy_types.go	72.85% <ø> (-4.72%)	⬇️
api/v1beta2/ratelimitpolicy_types.go	17.85% <ø> (-9.01%)	⬇️
controllers/authpolicy_status.go	94.44% <ø> (ø)
controllers/kuadrant_status.go	73.72% <ø> (-3.39%)	⬇️
controllers/ratelimitpolicy_istio_wasmplugin.go	77.77% <ø> (-1.67%)	⬇️
controllers/ratelimitpolicy_status.go	98.11% <ø> (ø)
pkg/common/apimachinery_status_conditions.go	100.00% <ø> (ø)
pkg/common/common.go	88.39% <ø> (ø)
pkg/common/gatewayapi_utils.go	68.23% <ø> (ø)

... and 4 files with indirect coverage changes

[eguzki]

❤️

[didierofrivia]

🧇

[eguzki]

great contribution!

[guicassolato]

I wonder if we aren't ready to remove as well the validation at:

kuadrant-operator/api/v1beta2/authpolicy_types.go

Line 242 in 13c75de

// prevents usage of routeSelectors in a gateway AuthPolicy

and

kuadrant-operator/api/v1beta2/ratelimitpolicy_types.go

Line 189 in 13c75de

// prevents usage of routeSelectors in a gateway RLP

WDYT?

[KevFan]

I wonder if we aren't ready to remove as well the validation at:

kuadrant-operator/api/v1beta2/authpolicy_types.go

Line 242 in 13c75de

// prevents usage of routeSelectors in a gateway AuthPolicy

and

kuadrant-operator/api/v1beta2/ratelimitpolicy_types.go

Line 189 in 13c75de

// prevents usage of routeSelectors in a gateway RLP

WDYT?

@guicassolato Yes, I think AuthPolicy is covered

kuadrant-operator/api/v1beta2/authpolicy_types.go

Lines 125 to 131 in 13c75de

	// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.routeSelectors)",message="route selectors not supported when targeting a Gateway"
	// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.authentication) || !self.rules.authentication.exists(x, has(self.rules.authentication[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
	// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.metadata) || !self.rules.metadata.exists(x, has(self.rules.metadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
	// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.authorization) || !self.rules.authorization.exists(x, has(self.rules.authorization[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
	// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.response) || !has(self.rules.response.success) || !has(self.rules.response.success.headers) || !self.rules.response.success.headers.exists(x, has(self.rules.response.success.headers[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
	// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.response) || !has(self.rules.response.success) || !has(self.rules.response.success.dynamicMetadata) || !self.rules.response.success.dynamicMetadata.exists(x, has(self.rules.response.success.dynamicMetadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
	// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.callbacks) || !self.rules.callbacks.exists(x, has(self.rules.callbacks[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"

so I'll remove the redundant validation.

But RateLimitPolicy is not covered

kuadrant-operator/api/v1beta2/ratelimitpolicy_types.go

Line 116 in 13c75de

// RateLimitPolicySpec defines the desired state of RateLimitPolicy

I'll add a new commit to align RateLimitPolicy with AuthPolicy for this bit also and add new integration tests 👍