Problem
ResourceIndexPolicy.spec.fields[].path validation currently rejects the [*] array-traversal syntax. Only specific numeric indices like [0] are accepted. This forces policies that target list-shaped spec fields to either index a single entry or skip the field entirely.
Failure example, reported by Flux on datum-cloud/datum#228 after merge:
ResourceIndexPolicy.search.miloapis.com "exportpolicy-resource-index-policy" is invalid:
spec.fields[4].path: Invalid value: .spec.sources[*].name: invalid path syntax at: [*].name
Impact
Several resources have their primary search content inside arrays:
networking.datumapis.com/HTTPProxy: .spec.rules[].hostnames[], .spec.rules[].backends[].endpoint — multiple hostnames per rule, multiple rules per HTTPProxy. Users typically search by any of the hostnames.
telemetry.miloapis.com/ExportPolicy: .spec.sources[].name, .spec.sinks[].name, .spec.sinks[].endpoint.
dns.networking.miloapis.com/DNSRecordSet (future): record values are list-typed.
Workaround today is [0] only, which means search misses anything beyond the first list entry. For HTTPProxy that's a real gap — a proxy with rules for app.example.com and api.example.com is only findable by the first.
Proposed behavior
[*] flattens the array at that position into the indexer pipeline, producing one searchable token per element. Combined with nested [*]:
.spec.rules[*].hostnames[*] → every hostname across every rule becomes searchable.
.spec.rules[*].backends[*].endpoint → every backend endpoint across all rules.
Existing [0]-style paths continue to work unchanged.
Acceptance criteria
Related
Problem
ResourceIndexPolicy.spec.fields[].pathvalidation currently rejects the[*]array-traversal syntax. Only specific numeric indices like[0]are accepted. This forces policies that target list-shaped spec fields to either index a single entry or skip the field entirely.Failure example, reported by Flux on datum-cloud/datum#228 after merge:
Impact
Several resources have their primary search content inside arrays:
networking.datumapis.com/HTTPProxy:.spec.rules[].hostnames[],.spec.rules[].backends[].endpoint— multiple hostnames per rule, multiple rules per HTTPProxy. Users typically search by any of the hostnames.telemetry.miloapis.com/ExportPolicy:.spec.sources[].name,.spec.sinks[].name,.spec.sinks[].endpoint.dns.networking.miloapis.com/DNSRecordSet(future): record values are list-typed.Workaround today is
[0]only, which means search misses anything beyond the first list entry. For HTTPProxy that's a real gap — a proxy with rules forapp.example.comandapi.example.comis only findable by the first.Proposed behavior
[*]flattens the array at that position into the indexer pipeline, producing one searchable token per element. Combined with nested[*]:.spec.rules[*].hostnames[*]→ every hostname across every rule becomes searchable..spec.rules[*].backends[*].endpoint→ every backend endpoint across all rules.Existing
[0]-style paths continue to work unchanged.Acceptance criteria
ResourceIndexPolicywithpath: .spec.rules[*].hostnames[*]passes the validating webhook.[*]and[0]in the same policy) work as expected.pkg/apis/search/v1alpha1/policy_types.godoc comments describes[*]semantics.test/e2e/searchable-attributes/exercises a[*]-traversal policy end-to-end.Related
pkg/jsonpathand the validating webhook for ResourceIndexPolicy