ngrok · masonj5n · Jan 15, 2025 · Jan 15, 2025 · Jan 15, 2025 · Jan 15, 2025
@@ -34,11 +34,6 @@ import (
 
 // BoundEndpointSpec defines the desired state of BoundEndpoint
 type BoundEndpointSpec struct {
-	// Allowed is a flag that determines if the BoundEndpoint is allowed to be projected into the cluster
-	// This is controlled by the KubernetesOperator CRD .spec.allowedURLs field
-	// +kubebuilder:validation:Required
-	Allowed bool `json:"allowed"`
-
 	// EndpointURI is the unique identifier
 	// representing the BoundEndpoint + its Endpoints
 	// Format: <scheme>://<service>.<namespace>:<port>
@@ -147,14 +142,12 @@ type BindingEndpoint struct {
 }
 
 // BindingEndpointStatus is an enum that represents the status of a BindingEndpoint
-// TODO(https://github.com/ngrok-private/ngrok/issues/32666)
-// +kubebuilder:validation:Enum=unknown;provisioning;denied;bound;error
+// +kubebuilder:validation:Enum=unknown;provisioning;bound;error
 type BindingEndpointStatus string
 
 const (
 	StatusUnknown      BindingEndpointStatus = "unknown"
 	StatusProvisioning BindingEndpointStatus = "provisioning"
-	StatusDenied       BindingEndpointStatus = "denied"
 	StatusBound        BindingEndpointStatus = "bound"
 	StatusError        BindingEndpointStatus = "error"
 )

@@ -51,16 +51,9 @@ type KubernetesOperatorDeployment struct {
 }
 
 type KubernetesOperatorBinding struct {
-	// AllowedURLs is a list of URI patterns ([scheme://]<service-name>.<namespace-name>) thet determine which BoundEndpoints are allowed to be created by the operator
-	// You may specify a wildcard for:
-	//   - All endpoints: `*`
-	//   - All services in a namespace: `*.namespace`
-	//   - All namespaces: `*.*`
-	//   - Named service in all namespaces: `service.*`
-	// See: https://regex101.com/r/APbE3G/4
+	// EndpointSelectors is a list of cel expression that determine which kubernetes-bound Endpoints will be created by the operator
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:items:Pattern=`^(([*]|(https?|tls|tcp)://)?([*]|([*]|[a-z]([-a-z0-9]{0,61}[a-z0-9])?)[.]([*]|[a-z]([-a-z0-9]{0,61}[a-z0-9])?)))$`
-	AllowedURLs []string `json:"allowedURLs,omitempty"`
+	EndpointSelectors []string `json:"endpointSelectors,omitempty"`
 
 	// The public ingress endpoint for this Kubernetes Operator
 	// +kubebuilder:validation:Optional

@@ -120,7 +120,7 @@
 	enableFeatureBindings bool
 
 	bindings struct {
-		allowedURLs        []string
+		endpointSelectors  []string
 		serviceAnnotations string
 		serviceLabels      string
 		ingressEndpoint    string
@@ -163,7 +163,7 @@
 	c.Flags().BoolVar(&opts.enableFeatureIngress, "enable-feature-ingress", true, "Enables the Ingress controller")
 	c.Flags().BoolVar(&opts.enableFeatureGateway, "enable-feature-gateway", false, "Enables the Gateway controller")
 	c.Flags().BoolVar(&opts.enableFeatureBindings, "enable-feature-bindings", false, "Enables the Endpoint Bindings controller")
-	c.Flags().StringSliceVar(&opts.bindings.allowedURLs, "bindings-allowed-urls", []string{"*"}, "Allowed URLs for Endpoint Bindings")
+	c.Flags().StringSliceVar(&opts.bindings.endpointSelectors, "bindings-endpoint-selectors", []string{"true"}, "Endpoint Selectors for Endpoint Bindings")
 	c.Flags().StringVar(&opts.bindings.serviceAnnotations, "bindings-service-annotations", "", "Service Annotations to propagate to the target service")
 	c.Flags().StringVar(&opts.bindings.serviceLabels, "bindings-service-labels", "", "Service Labels to propagate to the target service")
 	c.Flags().StringVar(&opts.bindings.ingressEndpoint, "bindings-ingress-endpoint", "", "The endpoint the bindings forwarder connects to")
@@ -626,7 +626,7 @@
 		Recorder:                     mgr.GetEventRecorderFor("endpoint-binding-poller"),
 		Namespace:                    opts.namespace,
 		KubernetesOperatorConfigName: opts.releaseName,
-		AllowedURLs:                  opts.bindings.allowedURLs,
+		EndpointSelectors:            opts.bindings.endpointSelectors,
 		TargetServiceAnnotations:     targetServiceAnnotations,
 		TargetServiceLabels:          targetServiceLabels,
 		PollingInterval:              10 * time.Second,
@@ -669,8 +669,8 @@
 		if opts.enableFeatureBindings {
 			features = append(features, ngrokv1alpha1.KubernetesOperatorFeatureBindings)
 			k8sOperator.Spec.Binding = &ngrokv1alpha1.KubernetesOperatorBinding{
-				TlsSecretName: "ngrok-operator-default-tls",
-				AllowedURLs:   opts.bindings.allowedURLs,
+				TlsSecretName:     "ngrok-operator-default-tls",
+				EndpointSelectors: opts.bindings.endpointSelectors,
 			}
 			if opts.bindings.ingressEndpoint != "" {
 				k8sOperator.Spec.Binding.IngressEndpoint = &opts.bindings.ingressEndpoint