[release/v1.3] release v1.3.0 cherry-pick from main (#5179)

* doc: response compression (#5071) compression docs Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> (cherry picked from commit 549fdde) Signed-off-by: Guy Daich <guy.daich@sap.com> * docs: how to specify a self-signed ca for the remote jwks host in the SP JWT settings. (#5085) * docs for jwt self-signed ca Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix gen Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * update docs Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> (cherry picked from commit fdc7849) Signed-off-by: Guy Daich <guy.daich@sap.com> * chore: fix gen (#5166) fix gen Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> (cherry picked from commit 34db8af) Signed-off-by: Guy Daich <guy.daich@sap.com> * docs: add api key auth instructions (#5097) * docs: add api key auth instruction Signed-off-by: Taufik Mulyana <nothinux@gmail.com> * fix: remove unrelated links Signed-off-by: Taufik Mulyana <nothinux@gmail.com> --------- Signed-off-by: Taufik Mulyana <nothinux@gmail.com> (cherry picked from commit b5cf087) Signed-off-by: Guy Daich <guy.daich@sap.com> * add SECURITY.md (#5167) Signed-off-by: Arko Dasgupta <arko@tetrate.io> (cherry picked from commit f7a10eb) Signed-off-by: Guy Daich <guy.daich@sap.com> * chore: link SECURITY.md (#5168) Signed-off-by: Arko Dasgupta <arko@tetrate.io> (cherry picked from commit ac9026f) Signed-off-by: Guy Daich <guy.daich@sap.com> * build(deps): bump actions/stale from 9.0.0 to 9.1.0 (#5162) Bumps [actions/stale](https://github.com/actions/stale) from 9.0.0 to 9.1.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@28ca103...5bef64f) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> (cherry picked from commit 57d4aa8) Signed-off-by: Guy Daich <guy.daich@sap.com> * docs: rm sectionName from some of the examples (#5173) adds whats left off from #4868 deleted the sectionName in these examples because the Service spec does not define a port `Name` Signed-off-by: Arko Dasgupta <arko@tetrate.io> (cherry picked from commit 45804e2) Signed-off-by: Guy Daich <guy.daich@sap.com> * ci(fix): osv-scanner PR mode (#5174) fix: osv-scanner PR mode Signed-off-by: shahar-h <shahar.harari@sap.com> Co-authored-by: Guy Daich <guy.daich@sap.com> (cherry picked from commit e904d3f) Signed-off-by: Guy Daich <guy.daich@sap.com> * wip: docs: add standalone in container instruction (#5172) * docs: add standalone in container instruction Signed-off-by: Denis Shatokhin <d_shatokhin@outlook.com> * docs: update headings and image tag Signed-off-by: Denis Shatokhin <d_shatokhin@outlook.com> --------- Signed-off-by: Denis Shatokhin <d_shatokhin@outlook.com> (cherry picked from commit a3448c1) Signed-off-by: Guy Daich <guy.daich@sap.com> * docs: update prerequisites files with installation and connectivity t… (#5094) * docs: update prerequisites files with installation and connectivity testing steps Signed-off-by: DeeBi9 <deepanshudb1@gmail.com> * lint Signed-off-by: DeeBi9 <deepanshudb1@gmail.com> * docs: remove the Note Signed-off-by: DeeBi9 <deepanshudb1@gmail.com> * remove redundant code Signed-off-by: DeeBi9 <deepanshudb1@gmail.com> --------- Signed-off-by: DeeBi9 <deepanshudb1@gmail.com> (cherry picked from commit 3253339) Signed-off-by: Guy Daich <guy.daich@sap.com> * [release/v1.3] fix 1.3.0-rc.1 release note (#5175) * fix 1.3.0-rc.1 release note Signed-off-by: Guy Daich <guy.daich@sap.com> * more fixes Signed-off-by: Guy Daich <guy.daich@sap.com> --------- Signed-off-by: Guy Daich <guy.daich@sap.com> (cherry picked from commit 4fba2bf) Signed-off-by: Guy Daich <guy.daich@sap.com> * fail validation if baseInterval is 0s (#5176) * fail validation if baseInterval is 0s Fixes: #5147 Signed-off-by: Arko Dasgupta <arko@tetrate.io> * more validations Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: Arko Dasgupta <arko@tetrate.io> (cherry picked from commit 4844d9a) Signed-off-by: Guy Daich <guy.daich@sap.com> * [release/1.3] release notes (#5177) Signed-off-by: Guy Daich <guy.daich@sap.com> (cherry picked from commit c2215b2) Signed-off-by: Guy Daich <guy.daich@sap.com> --------- Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Guy Daich <guy.daich@sap.com> Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Signed-off-by: Taufik Mulyana <nothinux@gmail.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: shahar-h <shahar.harari@sap.com> Signed-off-by: Denis Shatokhin <d_shatokhin@outlook.com> Signed-off-by: DeeBi9 <deepanshudb1@gmail.com> Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: Taufik Mulyana <17433202+nothinux@users.noreply.github.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shahar-h <shahar.harari@sap.com> Co-authored-by: Denis Shatokhin <d_shatokhin@outlook.com> Co-authored-by: Deepanshu Bisht <113498676+DeeBi9@users.noreply.github.com>
envoyproxy · Jan 31, 2025 · 76e714e · 76e714e
1 parent bfe2bc1
commit 76e714e
Show file tree

Hide file tree

Showing 142 changed files with 31,034 additions and 1,218 deletions.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,5 +1 @@
 blank_issues_enabled: false
-contact_links:
-- name: "Crash bug"
-  url: https://github.com/envoyproxy/envoy/security/policy
-  about: "Please file any crash bug with envoy-security@googlegroups.com."
diff --git a/.github/ISSUE_TEMPLATE/non--crash-security--bug.md b/.github/ISSUE_TEMPLATE/non--crash-security--bug.md
@@ -9,8 +9,7 @@ assignees: ''
 
 *Description*:
 >What issue is being seen? Describe what should be happening instead of
-the bug, for example: Envoy should not crash, the expected value isn't
-returned, etc.
+the bug, for example: The expected value isn't returned, etc.
 
 *Repro steps*:
 > Include sample requests, environment, etc. All data and inputs

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -33,7 +33,7 @@ jobs:
 
   scan-pr:
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638"  # v1.9.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@764c91816374ff2d8fc2095dab36eecd42d61638"  # v1.9.2
     with:
       scan-args: |-
         --skip-git

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -18,7 +18,7 @@ jobs:
 
     steps:
     - name: Prune Stale
-      uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e  # v9.0.0
+      uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639  # v9.1.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Different amounts of days for issues/PRs are not currently supported but there is a PR

diff --git a/README.md b/README.md
@@ -31,6 +31,10 @@ Kubernetes-based application gateway.
 * [Contributing guide](https://gateway.envoyproxy.io/contributions/contributing/)
 * [Developer guide](https://gateway.envoyproxy.io/contributions/develop/)
 
+## Security Reporting
+
+If youve found a security vulnerability or a process crash, please follow the instructions in [SECURITY.md](./SECURITY.md) to submit a report.
+
 ## Community Meeting
 
 The Envoy Gateway team meets every Tuesday and Thursday. We also have a separate meeting to be held in the

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,39 @@
+# Security Policy
+
+## Reporting a Vulnerability or a Crash
+
+We take security seriously and appreciate your help in identifying and responsibly disclosing vulnerabilities to protect our users.
+
+To report a security issue:
+
+1. **Do not open a public issue** on the GitHub repository to disclose a vulnerability.
+2. Send an email to our security team at [envoy-gateway-security@googlegroups.com](mailto:envoy-gateway-security@googlegroups.com).
+3. Include the following details in your email:
+    - A detailed description of the vulnerability.
+    - Steps to reproduce the issue.
+    - Potential impact of the vulnerability.
+    - Any suggested remediation or patches (if applicable).
+
+We aim to respond to vulnerability reports within **48 hours** and will work with you to validate and address the issue. 
+Once a resolution is identified, we will coordinate a release timeline with you and provide credit if applicable (with your consent).
+
+## Security Updates
+
+Security patches are announced through:
+
+- The [GitHub Releases page](https://github.com/envoyproxy/gateway/releases)
+
+To stay up-to-date with the latest security updates, we recommend subscribing to these channels.
+
+## Best Practices for Secure Usage
+
+To minimize security risks when using Envoy Gateway:
+
+- Use the latest supported version of Envoy Gateway.
+- Regularly monitor for updates and apply patches promptly.
+
+## Contact
+
+If you have any questions about this security policy, please contact us at [envoy-gateway-security@googlegroups.com](mailto:envoy-gateway-security@googlegroups.com).
+
+Thank you for helping us ensure the security of Envoy Gateway!
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v1.3.0-rc.1
+v1.3.0
diff --git a/examples/standalone/quickstart-containers.yaml b/examples/standalone/quickstart-containers.yaml
@@ -0,0 +1,46 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: eg
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: eg
+spec:
+  gatewayClassName: eg
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 8888
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: backend
+spec:
+  parentRefs:
+    - name: eg
+  hostnames:
+    - "www.example.com"
+  rules:
+    - backendRefs:
+        - group: "gateway.envoyproxy.io"
+          kind: Backend
+          name: backend
+      matches:
+        - path:
+            type: PathPrefix
+            value: /
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+  name: backend
+spec:
+  endpoints:
+    - fqdn:
+        hostname: local-server.local
+        port: 3000
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go
@@ -333,9 +333,12 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(
 		err = perr.WithMessage(err, "TCPKeepalive")
 		errs = errors.Join(errs, err)
 	}
-	if policy.Spec.Retry != nil {
-		rt = buildRetry(policy.Spec.Retry)
+
+	if rt, err = buildRetry(policy.Spec.Retry); err != nil {
+		err = perr.WithMessage(err, "Retry")
+		errs = errors.Join(errs, err)
 	}
+
 	if to, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings); err != nil {
 		err = perr.WithMessage(err, "Timeout")
 		errs = errors.Join(errs, err)
@@ -484,9 +487,12 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(
 		err = perr.WithMessage(err, "TCPKeepalive")
 		errs = errors.Join(errs, err)
 	}
-	if policy.Spec.Retry != nil {
-		rt = buildRetry(policy.Spec.Retry)
+
+	if rt, err = buildRetry(policy.Spec.Retry); err != nil {
+		err = perr.WithMessage(err, "Retry")
+		errs = errors.Join(errs, err)
 	}
+
 	if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings); err != nil {
 		err = perr.WithMessage(err, "Timeout")
 		errs = errors.Join(errs, err)

diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go
@@ -72,7 +72,10 @@ func translateTrafficFeatures(policy *egv1a1.ClusterSettings) (*ir.TrafficFeatur
 		ret.HTTP2 = h2
 	}
 
-	ret.Retry = buildRetry(policy.Retry)
+	var err error
+	if ret.Retry, err = buildRetry(policy.Retry); err != nil {
+		return nil, err
+	}
 
 	// If nothing was set in any of the above calls, return nil instead of an empty
 	// container
@@ -477,9 +480,9 @@ func translateDNS(policy egv1a1.ClusterSettings) *ir.DNS {
 	}
 }
 
-func buildRetry(r *egv1a1.Retry) *ir.Retry {
+func buildRetry(r *egv1a1.Retry) (*ir.Retry, error) {
 	if r == nil {
-		return nil
+		return nil, nil
 	}
 
 	rt := &ir.Retry{}
@@ -518,13 +521,22 @@ func buildRetry(r *egv1a1.Retry) *ir.Retry {
 		if r.PerRetry.BackOff != nil {
 			if r.PerRetry.BackOff.MaxInterval != nil || r.PerRetry.BackOff.BaseInterval != nil {
 				bop := &ir.BackOffPolicy{}
+				if r.PerRetry.BackOff.BaseInterval != nil {
+					bop.BaseInterval = r.PerRetry.BackOff.BaseInterval
+					if bop.BaseInterval.Duration == 0 {
+						return nil, fmt.Errorf("baseInterval cannot be set to 0s")
+					}
+				}
 				if r.PerRetry.BackOff.MaxInterval != nil {
 					bop.MaxInterval = r.PerRetry.BackOff.MaxInterval
+					if bop.MaxInterval.Duration == 0 {
+						return nil, fmt.Errorf("maxInterval cannot be set to 0s")
+					}
+					if bop.BaseInterval != nil && bop.BaseInterval.Duration > bop.MaxInterval.Duration {
+						return nil, fmt.Errorf("maxInterval cannot be less than baseInterval")
+					}
 				}
 
-				if r.PerRetry.BackOff.BaseInterval != nil {
-					bop.BaseInterval = r.PerRetry.BackOff.BaseInterval
-				}
 				pr.BackOff = bop
 				bpr = true
 			}
@@ -535,5 +547,5 @@ func buildRetry(r *egv1a1.Retry) *ir.Retry {
 		}
 	}
 
-	return rt
+	return rt, nil
 }
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.in.yaml
@@ -62,6 +62,44 @@ httpRoutes:
       backendRefs:
       - name: service-1
         port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-2
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-2
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/route2"
+      backendRefs:
+      - name: service-1
+        port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-3
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-2
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/route3"
+      backendRefs:
+      - name: service-1
+        port: 8080
 backendTrafficPolicies:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: BackendTrafficPolicy
@@ -86,7 +124,7 @@ backendTrafficPolicies:
   kind: BackendTrafficPolicy
   metadata:
     namespace: default
-    name: policy-for-route
+    name: policy-for-route-1
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -106,3 +144,32 @@ backendTrafficPolicies:
         backoff:
           baseInterval: 100ms
           maxInterval: 10s
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: BackendTrafficPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route-2
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-2
+    retry:
+      perRetry:
+        backoff:
+          baseInterval: 0s
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: BackendTrafficPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route-3
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-3
+    retry:
+      perRetry:
+        backoff:
+          baseInterval: 2s
+          maxInterval: 1s