Implement Receiver resource filtering with CEL #948
Conversation
|
@stefanprodan @matheuscscp I reworked it to filter the resources using CEL. I'm not quite sure that this is really that valuable, I suspect label filtering is also more efficient? There's some optimisation of the CEL that could be done within |
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
4969c46
to
1fe996b
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
2 times, most recently
from
995704b
to
d87dbfd
Compare
CEL for Receiver notification filtering This introduces CEL for filtering CEL resources in a Receiver. Users can define a CEL expression that is applied as a filter for resources that are identified for notification. A CEL expression that returns false means that a resource will not be annotated. Signed-off-by: Kevin McDermott <[email protected]>
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
d87dbfd
to
b1c4e7e
Compare
stefanprodan
changed the title
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
45bd724
to
1e6929c
Compare
This moves the JSON body to request.body from request to allow for future expansion with the headers. Add documentation for the CEL functionality to the receivers doc. Signed-off-by: Kevin McDermott <[email protected]>
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
1e6929c
to
d658d4a
Compare
There was a problem hiding this comment.
Thanks again for all the work here, @bigkevmcd! I'm very excited for this feature 😄
This is just a preliminary review. I will try to review this again soon.
| w.WriteHeader(http.StatusBadRequest) | ||
| return | ||
| } | ||
| if err := s.validate(ctx, receiver, r); err != nil { |
There was a problem hiding this comment.
As mentioned in the first PR, this line reads the request payload depending on the type of the Receiver. If that happens, newCELEvaluator() further below will not be able to read the payload again. My suggestion is that we read the payload entirely into memory at some point earlier than both function calls and pass the payload to both.
There was a problem hiding this comment.
Ahhh...yes, I forgot about that, I guess I'm not triggering it because of the specific receiver type I'm using.
I will add a test and see what we can do about fixing it 😄
There was a problem hiding this comment.
Also I suggest reading the payload only after the Receiver object has been successfully fetched/identified to reduce the surface for DDoSing the server.
Signed-off-by: Kevin McDermott <[email protected]>
Signed-off-by: Kevin McDermott <[email protected]>
Signed-off-by: Kevin McDermott <[email protected]>
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
3 times, most recently
from
39d85c0
to
5a22c4f
Compare
Signed-off-by: Kevin McDermott <[email protected]>
bigkevmcd
force-pushed
the
cel-resource-filtering
branch
from
5a22c4f
to
bddfd56
Compare
This implementation allows filtering of wildcarded resources for receivers using CEL expressions.
Closes: #491
Spec: #491 (comment)