feat(Traefik Hub): add OAS validateRequestMethodAndPath - CRDs update

traefik-crds/crds-files/hub/hub.traefik.io_apis.yaml

@@ -153,6 +153,11 @@ spec:
                     x-kubernetes-validations:
                     - message: must be a valid URL
                       rule: isURL(self)
+                  validateRequestMethodAndPath:
+                    description: |-
+                      ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification.
+                      This option overrides the default behavior configured in the static configuration.
+                    type: boolean
                 type: object
                 x-kubernetes-validations:
                 - message: path or url must be defined

traefik-crds/crds-files/hub/hub.traefik.io_apiversions.yaml

@@ -157,6 +157,11 @@ spec:
                     x-kubernetes-validations:
                     - message: must be a valid URL
                       rule: isURL(self)
+                  validateRequestMethodAndPath:
+                    description: |-
+                      ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification.
+                      This option overrides the default behavior configured in the static configuration.
+                    type: boolean
                 type: object
                 x-kubernetes-validations:
                 - message: path or url must be defined

traefik/VALUES.md

@@ -85,6 +85,7 @@ Kubernetes: `>=1.22.0-0`
 | hub.apimanagement.admission.listenAddr | string | `""` | WebHook admission server listen address. Default: "0.0.0.0:9943". |
 | hub.apimanagement.admission.secretName | string | `""` | Certificate of the WebHook admission server. Default: "hub-agent-cert". |
 | hub.apimanagement.enabled | bool | `false` | Set to true in order to enable API Management. Requires a valid license token. |
+| hub.apimanagement.openApi.validateRequestMethodAndPath | bool | `false` | When set to true, it will only accept paths and methods that are explicitly defined in its OpenAPI specification |
 | hub.experimental.aigateway | bool | `false` | Set to true in order to enable AI Gateway. Requires a valid license token. |
 | hub.redis.cluster | string | `nil` | Enable Redis Cluster. Default: true. |
 | hub.redis.database | string | `nil` | Database used to store information. Default: "0". |

traefik/crds/hub.traefik.io_apis.yaml

@@ -153,6 +153,11 @@ spec:
                     x-kubernetes-validations:
                     - message: must be a valid URL
                       rule: isURL(self)
+                  validateRequestMethodAndPath:
+                    description: |-
+                      ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification.
+                      This option overrides the default behavior configured in the static configuration.
+                    type: boolean
                 type: object
                 x-kubernetes-validations:
                 - message: path or url must be defined

traefik/crds/hub.traefik.io_apiversions.yaml

@@ -157,6 +157,11 @@ spec:
                     x-kubernetes-validations:
                     - message: must be a valid URL
                       rule: isURL(self)
+                  validateRequestMethodAndPath:
+                    description: |-
+                      ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification.
+                      This option overrides the default behavior configured in the static configuration.
+                    type: boolean
                 type: object
                 x-kubernetes-validations:
                 - message: path or url must be defined

traefik/templates/_podtemplate.tpl

@@ -777,6 +777,9 @@
               {{- with .admission.secretName }}
           - "--hub.apimanagement.admission.secretName={{ . }}"
               {{- end }}
+              {{- if .openApi.validateRequestMethodAndPath }}
+          - "--hub.apiManagement.openApi.validateRequestMethodAndPath=true"
+              {{- end }}
              {{- end }}
             {{- end }}
             {{- if .experimental.aigateway }}

traefik/tests/deployment-hub-config_test.yaml

@@ -75,6 +75,17 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].args
           content: "--hub.apimanagement.admission.secretName=secret"
+  - it: should be possible to enforce OAS
+    set:
+      hub:
+        apimanagement:
+          enabled: true
+          openApi:
+            validateRequestMethodAndPath: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--hub.apiManagement.openApi.validateRequestMethodAndPath=true"
   - it: api management and ai gateway should not be enabled by default
     asserts:
       - notContains:

traefik/values.schema.json

@@ -270,6 +270,14 @@
                         },
                         "enabled": {
                             "type": "boolean"
+                        },
+                        "openApi": {
+                            "properties": {
+                                "validateRequestMethodAndPath": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "type": "object"
                         }
                     },
                     "type": "object"

traefik/values.yaml

@@ -941,6 +941,10 @@ hub:
       listenAddr: ""
       # -- Certificate of the WebHook admission server. Default: "hub-agent-cert".
       secretName: ""
+    openApi:
+      # -- When set to true, it will only accept paths and methods that are explicitly defined in its OpenAPI specification
+      validateRequestMethodAndPath: false
+
   experimental:
     # -- Set to true in order to enable AI Gateway. Requires a valid license token.
     aigateway: false