NETOBSERV-2438: enforce validation on subnet names (#2172)

openshift-cherrypick-robot · jotak · web-flow · commit 6f549480b7a1 · 2025-11-21T18:05:02.000+01:00
Also standardize using EXT: for external subnet names in sample metrics

Co-authored-by: Joel Takvorian &lt;jtakvori@redhat.com&gt;
diff --git a/api/flowcollector/v1beta2/flowcollector_types.go b/api/flowcollector/v1beta2/flowcollector_types.go
@@ -1417,7 +1417,9 @@ type SubnetLabel struct {
 	// List of CIDRs, such as `["1.2.3.4/32"]`.
 	//+required
 	CIDRs []string `json:"cidrs,omitempty"` // Note, starting with k8s 1.31 / ocp 4.16 there's a new way to validate CIDR such as `+kubebuilder:validation:XValidation:rule="isCIDR(self)",message="field should be in CIDR notation format"`. But older versions would reject the CRD so we cannot implement it now to maintain compatibility.
+
 	// Label name, used to flag matching flows.
+	// +kubebuilder:validation:Pattern:="^[a-zA-Z_:-][a-zA-Z0-9_:-]*$"
 	//+required
 	Name string `json:"name,omitempty"`
 }
diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -6112,6 +6112,7 @@ spec:
                               type: array
                             name:
                               description: Label name, used to flag matching flows.
+                              pattern: ^[a-zA-Z_:-][a-zA-Z0-9_:-]*$
                               type: string
                           required:
                           - cidrs
diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -5647,6 +5647,7 @@ spec:
                                 type: array
                               name:
                                 description: Label name, used to flag matching flows.
+                                pattern: ^[a-zA-Z_:-][a-zA-Z0-9_:-]*$
                                 type: string
                             required:
                               - cidrs
diff --git a/config/samples/flowmetrics/cluster_external_egress_traffic.yaml b/config/samples/flowmetrics/cluster_external_egress_traffic.yaml
@@ -9,10 +9,13 @@ spec:
   type: Counter
   valueField: Bytes
   direction: Egress
-  labels: [SrcK8S_HostName,SrcK8S_Namespace,SrcK8S_OwnerName,SrcK8S_OwnerType]
+  labels: [SrcK8S_HostName,SrcK8S_Namespace,SrcK8S_OwnerName,SrcK8S_OwnerType,DstSubnetLabel]
   filters:
   - field: DstSubnetLabel
     matchType: Absence
+  - field: DstSubnetLabel
+    matchType: MatchRegex
+    value: "^EXT:.*"
   charts:
   - dashboardName: Main
     title: External egress traffic
diff --git a/config/samples/flowmetrics/cluster_external_ingress_traffic.yaml b/config/samples/flowmetrics/cluster_external_ingress_traffic.yaml
@@ -9,10 +9,13 @@ spec:
   type: Counter
   valueField: Bytes
   direction: Ingress
-  labels: [DstK8S_HostName,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType]
+  labels: [DstK8S_HostName,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType,SrcSubnetLabel]
   filters:
   - field: SrcSubnetLabel
     matchType: Absence
+  - field: SrcSubnetLabel
+    matchType: MatchRegex
+    value: "^EXT:.*"
   charts:
   - dashboardName: Main
     title: External ingress traffic
diff --git a/helm/crds/flows.netobserv.io_flowcollectors.yaml b/helm/crds/flows.netobserv.io_flowcollectors.yaml
@@ -5651,6 +5651,7 @@ spec:
                                 type: array
                               name:
                                 description: Label name, used to flag matching flows.
+                                pattern: ^[a-zA-Z_:-][a-zA-Z0-9_:-]*$
                                 type: string
                             required:
                               - cidrs
