From d1fefd85c34a0ac15a36d89e01f791da94fe483d Mon Sep 17 00:00:00 2001
From: Huabing Zhao
Date: Wed, 6 Nov 2024 12:12:34 +0800
Subject: [PATCH] [release/v1.2] Cherry pick main to v1.2 (#4640)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Reduce the amount of configuration logging, and make it line-delimited friendly (#4505)

* Reduce the amount and style of configuration logging

Signed-off-by: Evan Anderson

* Update verbosity from 1->4

Signed-off-by: Evan Anderson
Signed-off-by: Evan Anderson

---------

Signed-off-by: Evan Anderson
Signed-off-by: Evan Anderson
(cherry picked from commit 7897fc50274dc89540a232118aa23077e73092d6)
Signed-off-by: Huabing Zhao

* feat: enable load backend resources (#4535)

enable load backend resources

Signed-off-by: shawnh2
(cherry picked from commit 9c9f435d88610448f2f61b1d6658b4518905d71c)
Signed-off-by: Huabing Zhao

* build(deps): bump actions/setup-node from 4.0.4 to 4.1.0 (#4537)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.4 to 4.1.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/0a44ba7841725637a19e28fa30b79a866c81b0a6...39370e3970a6d050c480ffad4ff0ed4d3fdee5af)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 6ccbbac3f98b628877cf713c065ccbdd04cfbdcf)
Signed-off-by: Huabing Zhao

* chore: optimized code (#4514)

* chore: optimized code

Signed-off-by: zirain

* revert

Signed-off-by: zirain

---------

Signed-off-by: zirain
(cherry picked from commit 7ad18fa8548ab6cc959381b308626673666727cb)
Signed-off-by: Huabing Zhao

* build(deps): bump github/codeql-action from 3.26.13 to 3.27.0 (#4538)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.13 to 3.27.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f779452ac5af1c261dce0346a8f964149f49322b...662472033e021d55d94146f66f6058822b0b39fd)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit a13f3843ac53ce457eb94ddd69d92bedcf0dd277)
Signed-off-by: Huabing Zhao

* build(deps): bump distroless/static from `26f9b99` to `3a03fc0` in /tools/docker/envoy-gateway (#4541)

build(deps): bump distroless/static in /tools/docker/envoy-gateway

Bumps distroless/static from `26f9b99` to `3a03fc0`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 6667e4c9ba85f4a6eda5d111b190ba3107d6b810)
Signed-off-by: Huabing Zhao

* build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 in /tools/github-actions/setup-deps (#4540)

build(deps): bump actions/setup-go in /tools/github-actions/setup-deps

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.2 to 5.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32...41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit de72c774acc993282f90f4b68a3af63b56d3f84a)
Signed-off-by: Huabing Zhao

* build(deps): bump github.com/replicatedhq/troubleshoot from 0.107.1 to 0.107.4 (#4543)

build(deps): bump github.com/replicatedhq/troubleshoot

Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.107.1 to 0.107.4.
- [Release notes](https://github.com/replicatedhq/troubleshoot/releases)
- [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.107.1...v0.107.4)

---
updated-dependencies:
- dependency-name: github.com/replicatedhq/troubleshoot
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 189325b7090ee263f1b03d49eecf7bf8309ea2eb)
Signed-off-by: Huabing Zhao

* build(deps): bump github.com/tsaarni/certyaml from 0.9.3 to 0.10.0 (#4546)

Bumps [github.com/tsaarni/certyaml](https://github.com/tsaarni/certyaml) from 0.9.3 to 0.10.0.
- [Release notes](https://github.com/tsaarni/certyaml/releases)
- [Commits](https://github.com/tsaarni/certyaml/compare/v0.9.3...v0.10.0)

---
updated-dependencies:
- dependency-name: github.com/tsaarni/certyaml
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 5e397ea7dcf7bff9b855d059ccbd565ade014de7)
Signed-off-by: Huabing Zhao

* build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#4539)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.1 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871...11bd71901bbe5b1630ceea73d27597364c9af683)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit a9e5cfe6f779bbe58e479b13679fd083191e2a76)
Signed-off-by: Huabing Zhao

* build(deps): bump github.com/fatih/color from 1.17.0 to 1.18.0 (#4545)

Bumps [github.com/fatih/color](https://github.com/fatih/color) from 1.17.0 to 1.18.0.
- [Release notes](https://github.com/fatih/color/releases)
- [Commits](https://github.com/fatih/color/compare/v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/fatih/color
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 902925fd53cfda9efc3f867d5ff109e5e3e6a70c)
Signed-off-by: Huabing Zhao

* e2e test for Gateway with EnvoyProxy (#4548)

* e2e test for Gateway with EnvoyProxy

Signed-off-by: Huabing Zhao

* remove unnecessary comments

Signed-off-by: Huabing Zhao

---------

Signed-off-by: Huabing Zhao
(cherry picked from commit 217c6a58ed798a01fa77a56b3910178e608339b7)
Signed-off-by: Huabing Zhao

* make watching alpha CRDs optional (#4519)

* make watching alpha CRDs optional

* The ownership of CRD installation is not tied to a single entity
  https://gateway-api.sigs.k8s.io/guides/crd-management/#who-should-manage-crds
  This results in multiple entities taking ownership of CRD installation
  * infra users
  * implementations
  * cloud providers
  This complicates things for implementations who may not know which version and release of CRDs are installed, so this PR makes watching alpha versioned CRDs optional
* Even Envoy Gateway specific CRDs have been made optional to solve the use case where users want to only configure Gateway API resources
* GRPCRoute is the only exception, which is v1, but has been made optional because it just graduated to v1 in v1.2 but a lot of cloud providers or service mesh implementations have not moved to v1.2

Fixes: https://github.com/envoyproxy/gateway/issues/3387

Signed-off-by: Arko Dasgupta
(cherry picked from commit b877baca98bc9b28086bd80a8109aa25bca96247)
Signed-off-by: Huabing Zhao

* fix: validate proto messages before converting them to anypb.Any (#4499)

* validate proto message before converting to any

Signed-off-by: Huabing Zhao
(cherry picked from commit 05817fcc42d803caba384d54eee6d9f0c562c1ef)
Signed-off-by: Huabing Zhao

* Fix: xds translation failed when wasm http code source configured without sha (#4547)

* fix wasm http code source without sha

Signed-off-by: Huabing Zhao

* release note

Signed-off-by: Huabing Zhao

* fix gen

Signed-off-by: Huabing Zhao

* fix gen

Signed-off-by: Huabing Zhao

---------

Signed-off-by: Huabing Zhao
(cherry picked from commit 74e5750386e0c9a08ae1933ac260b5c579f466cb)
Signed-off-by: Huabing Zhao

* build(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1 (#4544)

* build(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.19.0 to 0.19.1.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.19.0...v0.19.1)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]

* fix gen check

Signed-off-by: zirain

---------

Signed-off-by: dependabot[bot]
Signed-off-by: zirain
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: zirain
Co-authored-by: Huabing Zhao
(cherry picked from commit f5552a44f14b9d62e06d47f273704d7e28bc9bad)
Signed-off-by: Huabing Zhao

* feat(chart): Make security context configurable (#4536)

* Make security context configurable

Signed-off-by: Tamal Saha

* make gen-check

Signed-off-by: Tamal Saha

* Update current.yaml

Signed-off-by: Tamal Saha

---------

Signed-off-by: Tamal Saha
(cherry picked from commit 20a46220d95396661be875049700ab67e5dd913a)
Signed-off-by: Huabing Zhao

* helm: make eg-addons support IPv6 cluster (#4559)

Signed-off-by: zirain
(cherry picked from commit b0c6f8ca3c2b55ab1007a800264efe6226100db1)
Signed-off-by: Huabing Zhao

* ci: cleanup osv-scanner config (#4579)

Signed-off-by: Shahar Harari
(cherry picked from commit 1a275b99560a8cf1b1c68d72808a7671d0b6ec63)
Signed-off-by: Huabing Zhao

* fix egctl release artifacts (#4580)

* the release artifact for `egctl` was being pulled from the `latest` release instead of a binary associated with the release tag
Signed-off-by: Arko Dasgupta
(cherry picked from commit 82ce107e76bfc9b8d7f1e2704c7d294bbb8b9606)
Signed-off-by: Huabing Zhao

* fix debug level logging for IR (#4584)

https://pkg.go.dev/github.com/go-logr/zapr#hdr-Implementation_Details

```
V(1) is equivalent to Zap's DebugLevel
```

Now after setting the log level to `default: debug` I see

```
2024-10-31T01:59:31.138Z DEBUG gateway-api runner/runner.go:176 {"proxy":{"metadata":{"labels":{"gateway.envoyproxy.io/owning-gateway-name":"eg","gateway.envoyproxy.io/owning-gateway-namespace":"default"}},"name":"default/eg","listeners":[{"name":"default/eg/http","address":null,"ports":[{"name":"http-80","protocol":"HTTP","servicePort":80,"containerPort":10080}]}]}} {"runner": "gateway-api", "infra-ir": "default/eg"}
2024-10-31T01:59:31.138Z DEBUG gateway-api runner/runner.go:187 {"accessLog":{"text":[{"path":"/dev/stdout"}]},"http":[{"name":"default/eg/http","address":"0.0.0.0","port":10080,"metadata":{"kind":"Gateway","name":"eg","namespace":"default","sectionName":"http"},"hostnames":["*"],"routes":[{"name":"httproute/default/backend/rule/0/match/0/www_example_com","hostname":"www.example.com","isHTTP2":false,"pathMatch":{"name":"","prefix":"/","distinct":false},"destination":{"name":"httproute/default/backend/rule/0","settings":[{"weight":1,"protocol":"HTTP","endpoints":[{"host":"10.1.19.7","port":3000}],"addressType":"IP"}]},"metadata":{"kind":"HTTPRoute","name":"backend","namespace":"default"}}],"isHTTP2":false,"path":{"mergeSlashes":true,"escapedSlashesAction":"UnescapeAndRedirect"}}]} {"runner": "gateway-api", "xds-ir": "default/eg"}
```

Relates to https://github.com/envoyproxy/gateway/pull/4505

Signed-off-by: Arko Dasgupta
(cherry picked from commit e6307f0d090c28aae1a5231274848ea933e5f5af)
Signed-off-by: Huabing Zhao

* docs: remove List type (#4585)

Signed-off-by: zirain
(cherry picked from commit 13490ac59ddabc6d05b2b5993cad54a4b373b8d4)
Signed-off-by: Huabing Zhao

* ci: enable test for dual stack cluster (#4574)

* ci: enable dual stack test

Signed-off-by: zirain

* more comment

Signed-off-by: zirain

* remove 1.31.0 ipv4 test suite

Signed-off-by: zirain

---------

Signed-off-by: zirain
(cherry picked from commit bb3bbdbd5b8272c1e73b5771abd3cc054fb87729)
Signed-off-by: Huabing Zhao

* build(deps): bump the k8s-io group across 2 directories with 6 updates (#4542)

* build(deps): bump the k8s-io group across 2 directories with 6 updates

Bumps the k8s-io group with 4 updates in the / directory: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver), [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) and [k8s.io/kubectl](https://github.com/kubernetes/kubectl).
Bumps the k8s-io group with 1 update in the /examples/extension-server directory: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery).

Updates `k8s.io/api` from 0.31.1 to 0.31.2
- [Commits](https://github.com/kubernetes/api/compare/v0.31.1...v0.31.2)

Updates `k8s.io/apiextensions-apiserver` from 0.31.1 to 0.31.2
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.31.1...v0.31.2)

Updates `k8s.io/apimachinery` from 0.31.1 to 0.31.2
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.1...v0.31.2)

Updates `k8s.io/cli-runtime` from 0.31.1 to 0.31.2
- [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.31.1...v0.31.2)

Updates `k8s.io/client-go` from 0.31.1 to 0.31.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.31.1...v0.31.2)

Updates `k8s.io/kubectl` from 0.31.1 to 0.31.2
- [Commits](https://github.com/kubernetes/kubectl/compare/v0.31.1...v0.31.2)

Updates `k8s.io/apimachinery` from 0.31.1 to 0.31.2
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.1...v0.31.2)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/cli-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/kubectl
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
...

Signed-off-by: dependabot[bot]

* fix gen

Signed-off-by: zirain

---------

Signed-off-by: dependabot[bot]
Signed-off-by: zirain
Signed-off-by: Huabing Zhao
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: zirain
Co-authored-by: Huabing Zhao
(cherry picked from commit 74f43771ccdf2c2af8af8cfc61713ec92e78877e)
Signed-off-by: Huabing Zhao

* chore: remove dump (#4593)

Signed-off-by: zirain
(cherry picked from commit efe625d67eb9f6c0280200cf4910f5b5adfabdf1)
Signed-off-by: Huabing Zhao

* fix: trigger reconcile for Secret updates referenced by a BackendTLSP… (#4581)

fix: trigger reconcile for Secret updates referenced by a BackendTLSPolicy

Signed-off-by: Arko Dasgupta
(cherry picked from commit db6802736680a08a210b16085af5a7bf2f124127)
Signed-off-by: Huabing Zhao

* chore: use net.JoinHostPort (#4599)

* chore: use net.JoinHostPort

Signed-off-by: zirain

* more fix

Signed-off-by: zirain

* remove netutils.JoinHostPort

Signed-off-by: zirain

---------

Signed-off-by: zirain
(cherry picked from commit 6e2587decbd9cd3f73a55bc0337873fd1c9108d1)
Signed-off-by: Huabing Zhao

* fix keycloak ipv6 issue (#4601)

(cherry picked from commit d42915a7b7d12b7170232694845581a9fd48e7dd)
Signed-off-by: Huabing Zhao

* fix: Route with multiple parents has incorrect namespace in parentRef status (#4592)

fix route status wrong ns

Signed-off-by: Huabing Zhao
(cherry picked from commit 7285dda6ba2727d10423887dc2262bad2711f80b)
Signed-off-by: Huabing Zhao

* add envoy-gateway binary to release artifacts (#4588)

Fixes: https://github.com/envoyproxy/gateway/issues/4566

Signed-off-by: Arko Dasgupta
(cherry picked from commit b51c66a75260571b5fc69e90e604a46906f1373b)
Signed-off-by: Huabing Zhao

* [release/v1.1] release v1.1.3 (#4600)

* release: v1.1.3

Signed-off-by: Guy Daich

* remove gw-api, fix style

Signed-off-by: Guy Daich

---------

Signed-off-by: Guy Daich
(cherry picked from commit a88e6eba5e7e360c7c14bdbfaa4d56aee2003188)
Signed-off-by: Huabing Zhao

* chore: do not use space in short name (#4608)

Signed-off-by: zirain
(cherry picked from commit ee33b284565e2cc0c08a0d4bcf82ea302814f957)
Signed-off-by: Huabing Zhao

* Move v1.1 docs tag to v1.1.2 (#4615)

Wait until v1.1.3 tag is ready

Fixes: https://github.com/envoyproxy/gateway/issues/4614

Signed-off-by: Arko Dasgupta
(cherry picked from commit 656ce52fad7ca98c0b4e200773e583f82f5476ad)
Signed-off-by: Huabing Zhao

* fix: HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses (#4587)

* fix route status

Signed-off-by: Huabing Zhao

* address comment

Signed-off-by: Huabing Zhao

* update unit test

Signed-off-by: Huabing Zhao

* fix lint

Signed-off-by: Huabing Zhao

---------

Signed-off-by: Huabing Zhao
(cherry picked from commit 04ac7b404d4f0e7bd462e68d8f888a169be3feda)
Signed-off-by: Huabing Zhao

* direct response docs and tests (#4583)

* tests: direct response

Signed-off-by: Arko Dasgupta

* unit tests

Signed-off-by: Arko Dasgupta

* fix ns

Signed-off-by: Arko Dasgupta

* docs for direct response

Signed-off-by: Arko Dasgupta

* negative tests

Signed-off-by: Arko Dasgupta
(cherry picked from commit f384a64f4d2d6f0fbee9c698fd4b32cd71a64108)
Signed-off-by: Huabing Zhao

* build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#4619)

Bumps [github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/fsnotify/fsnotify/releases)
- [Changelog](https://github.com/fsnotify/fsnotify/blob/main/CHANGELOG.md)
- [Commits](https://github.com/fsnotify/fsnotify/compare/v1.7.0...v1.8.0)

---
updated-dependencies:
- dependency-name: github.com/fsnotify/fsnotify
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 6f91867384c36c53bc75e71085edcd0264bf3311)
Signed-off-by: Huabing Zhao

* build(deps): bump github.com/bufbuild/buf from 1.45.0 to 1.46.0 in /tools/src/buf (#4616)

build(deps): bump github.com/bufbuild/buf in /tools/src/buf

Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.45.0 to 1.46.0.
- [Release notes](https://github.com/bufbuild/buf/releases)
- [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md)
- [Commits](https://github.com/bufbuild/buf/compare/v1.45.0...v1.46.0)

---
updated-dependencies:
- dependency-name: github.com/bufbuild/buf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Huabing Zhao
(cherry picked from commit 22658622fb25ccd7898af9984b2a94fd0b50b486)
Signed-off-by: Huabing Zhao

* remove myself from maintainers (#4624)

remove myself from maintainers and update github user

Signed-off-by: Alice Lilith
(cherry picked from commit 1205ccf0e1f45a0408fcd6c8e17252b4f3df1d19)
Signed-off-by: Huabing Zhao

* e2e: move apps to examples and pre-built (#4576)

* e2e: move grpc-ext-auth envoy-als to examples
Signed-off-by: zirain
(cherry picked from commit a011146bf4bdaa36c53e167507b88e5598a238e4)
Signed-off-by: Huabing Zhao

* fix: wasm oci image source e2e test failed when IP_FAMILY=ipv6 (#4623)

fix wasm test

Signed-off-by: Huabing Zhao
(cherry picked from commit 7b85d22ee1cc58d24ac99364a27cb75dcba93f29)
Signed-off-by: Huabing Zhao

* workaround for the flaky oidc e2e test (#4603)

* workaround for the flaky oidc e2e test

Signed-off-by: Huabing Zhao

* add issue link

Signed-off-by: Huabing Zhao

* address comment

Signed-off-by: Huabing Zhao

* fix test

Signed-off-by: Huabing Zhao

---------

Signed-off-by: Huabing Zhao
(cherry picked from commit b0ab317fa7ac81df756d647ea3a6f79678926f3f)
Signed-off-by: Huabing Zhao

* build(deps): bump softprops/action-gh-release from 2.0.8 to 2.0.9 (#4622)

Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.0.8 to 2.0.9.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/c062e08bd532815e2082a85e87e3ef29c3e6d191...e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Huabing Zhao
(cherry picked from commit 26a63e169bbb86abcc4d9034e98a3a947064a582)
Signed-off-by: Huabing Zhao

* Set ignore_health_on_host_removal to true for static clusters (#4612)

Removes the endpoint from the pool faster instead of waiting for the result of the active health. Since the control plane already has definitive endpoint health info from the EndpointSlice API, it's safe to set this.

Fixes: https://github.com/envoyproxy/gateway/issues/4564
Signed-off-by: Arko Dasgupta
(cherry picked from commit 1a57daf8eeb995c54aa5e32161806a5da201727b)
Signed-off-by: Huabing Zhao

* build(deps): bump github.com/prometheus/common from 0.60.0 to 0.60.1 (#4620)

Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.60.0 to 0.60.1.
- [Release notes](https://github.com/prometheus/common/releases)
- [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md)
- [Commits](https://github.com/prometheus/common/compare/v0.60.0...v0.60.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/common
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit e5968c9d958faee0eaed130999759fd020635dd1)
Signed-off-by: Huabing Zhao

* build(deps): bump github.com/replicatedhq/troubleshoot from 0.107.4 to 0.107.5 (#4621)

build(deps): bump github.com/replicatedhq/troubleshoot

Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.107.4 to 0.107.5.
- [Release notes](https://github.com/replicatedhq/troubleshoot/releases)
- [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.107.4...v0.107.5)

---
updated-dependencies:
- dependency-name: github.com/replicatedhq/troubleshoot
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 976e6a1baed8542417bf85f8c6f91fd8a36a06c5)
Signed-off-by: Huabing Zhao

* add docker.io registry name in image name (#4628)

* add docker.io registry name in image name

Fixes: https://github.com/envoyproxy/gateway/issues/4626

Signed-off-by: Arko Dasgupta

* add api file

Signed-off-by: Arko Dasgupta

---------
Signed-off-by: Arko Dasgupta
(cherry picked from commit cc7104891d49d1c89b15f4b712ef055dbf4d65c9)
Signed-off-by: Huabing Zhao

* docs: Jwt claim based authorization (#4617)

* docs for jwt claim auth

Signed-off-by: Huabing Zhao

* add docs for JWT claim based authorization

Signed-off-by: Huabing Zhao

* minor change

Signed-off-by: Huabing Zhao

* fix lint

Signed-off-by: Huabing Zhao

---------

Signed-off-by: Huabing Zhao
(cherry picked from commit da4a060fc05f195956cf490da2ceae3ed52320a1)
Signed-off-by: Huabing Zhao

* build(deps): bump github.com/ohler55/ojg from 1.24.1 to 1.25.0 (#4618)

Bumps [github.com/ohler55/ojg](https://github.com/ohler55/ojg) from 1.24.1 to 1.25.0.
- [Release notes](https://github.com/ohler55/ojg/releases)
- [Changelog](https://github.com/ohler55/ojg/blob/develop/CHANGELOG.md)
- [Commits](https://github.com/ohler55/ojg/compare/v1.24.1...v1.25.0)

---
updated-dependencies:
- dependency-name: github.com/ohler55/ojg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: zirain
(cherry picked from commit 2d68e6a03a25d3f909e5f8828c2312911436f9cf)
Signed-off-by: Huabing Zhao

* e2e: use grafana alloy instead of fluent-bit (#4525)

* use grafana alloy instead of fluent-bit

Signed-off-by: zirain

* make alloy disabled by default

Signed-off-by: zirain

* enable alloy in e2e

Signed-off-by: zirain

---------

Signed-off-by: zirain
(cherry picked from commit 3191d49d455069e9b08a0f32b2e005cc47ed8b38)
Signed-off-by: Huabing Zhao

* chore: update site docs link for latest release (#4634)

update site docs link for latest release

Signed-off-by: Guy Daich
(cherry picked from commit 5698e88228efaad6c8d3384179a9f2b45382245d)
Signed-off-by: Huabing Zhao

* fix: push a helm chart without v in the version (#4636)

* push a helm chart without v in the version

Signed-off-by: Huabing Zhao

* rename tag
Signed-off-by: Huabing Zhao

---------

Signed-off-by: Huabing Zhao
(cherry picked from commit f2c8b77c07c986be8b259e27bb922dc5e06f4514)
Signed-off-by: Huabing Zhao

* add envoy-gateway binary to latest release artifacts (#4638)

* add envoy-gateway binary to latest release artifacts

Missed in https://github.com/envoyproxy/gateway/issues/4566

Signed-off-by: Arko Dasgupta

* fix also in tagged release

Signed-off-by: Arko Dasgupta

---------

Signed-off-by: Arko Dasgupta
(cherry picked from commit 7b6834ee4a7cab94694e2a5aff10c1398948284f)
Signed-off-by: Huabing Zhao

* fix: BackendTlsPolicy specify multiple targetRefs of the same service, only one will work (#4630)

* add tests

Signed-off-by: Huabing Zhao

* fix matching comparison

Signed-off-by: Huabing Zhao

* add release note

Signed-off-by: Huabing Zhao

* fix lint

Signed-off-by: Huabing Zhao

* fix lint

Signed-off-by: Huabing Zhao

---------

Signed-off-by: Huabing Zhao
(cherry picked from commit 44c2f7421cdd5fa2d84fd25d847ed661a3d4588c)
Signed-off-by: Huabing Zhao

* fix build

Signed-off-by: Huabing Zhao

---------

Signed-off-by: Evan Anderson
Signed-off-by: Evan Anderson
Signed-off-by: Huabing Zhao
Signed-off-by: shawnh2
Signed-off-by: dependabot[bot]
Signed-off-by: zirain
Signed-off-by: Arko Dasgupta
Signed-off-by: Tamal Saha
Signed-off-by: Shahar Harari
Signed-off-by: Guy Daich
Signed-off-by: Alice Lilith
Co-authored-by: Evan Anderson
Co-authored-by: sh2
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: zirain
Co-authored-by: Arko Dasgupta
Co-authored-by: Tamal Saha
Co-authored-by: shahar-h
Co-authored-by: Guy Daich
Co-authored-by: Alice Lilith
---
 .github/workflows/build_and_test.yaml | 39 +-
 .github/workflows/codeql.yml | 8 +-
 .github/workflows/docs.yaml | 6 +-
 .../workflows/experimental_conformance.yaml | 2 +-
 .github/workflows/latest_release.yaml | 24 +-
 .github/workflows/license-scan.yml | 2 +-
 .github/workflows/release.yaml | 35 +-
 .github/workflows/scorecard.yml | 4 +-
 .github/workflows/trivy.yml | 2 +-
 OWNERS | 2 +-
 api/v1alpha1/envoygateway_helpers.go | 5 +-
 api/v1alpha1/shared_types.go | 2 +-
 charts/gateway-addons-helm/Chart.lock | 7 +-
 charts/gateway-addons-helm/Chart.yaml | 4 +
 charts/gateway-addons-helm/README.md | 23 +-
 charts/gateway-addons-helm/values.yaml | 139 +++-
 charts/gateway-helm/README.md | 9 +-
 charts/gateway-helm/templates/certgen.yaml | 12 +-
 .../templates/envoy-gateway-deployment.yaml | 17 +-
 charts/gateway-helm/values.tmpl.yaml | 23 +
 examples/envoy-als/Dockerfile | 23 +
 examples/envoy-als/Makefile | 8 +
 examples/envoy-als/go.mod | 27 +
 examples/envoy-als/go.sum | 40 ++
 examples/envoy-als/main.go | 115 +++
 .../cmd/extension-server/main.go | 3 +-
 examples/extension-server/go.mod | 4 +-
 examples/extension-server/go.sum | 12 +-
 examples/grpc-ext-auth/Dockerfile | 23 +
 examples/grpc-ext-auth/Makefile | 8 +
 examples/grpc-ext-auth/go.mod | 20 +
 examples/grpc-ext-auth/go.sum | 24 +
 examples/grpc-ext-auth/main.go | 225 ++++++
 examples/grpc-ext-proc/Dockerfile | 22 +
 examples/grpc-ext-proc/Makefile | 8 +
 examples/grpc-ext-proc/go.mod | 19 +
 examples/grpc-ext-proc/go.sum | 22 +
 examples/grpc-ext-proc/main.go | 289 ++++++++
 examples/http-ext-auth/Dockerfile | 6 +
 examples/http-ext-auth/Makefile | 8 +
 examples/http-ext-auth/http-ext-auth.js | 38 +
 examples/preserve-case-backend/Dockerfile | 22 +
 examples/preserve-case-backend/Makefile | 8 +
 examples/preserve-case-backend/go.mod | 11 +
 examples/preserve-case-backend/go.sum | 8 +
 examples/preserve-case-backend/main.go | 42 ++
 go.mod | 32 +-
 go.sum | 68 +-
 .../translate/in/backend-endpoint.yaml | 46 ++
 .../translate/out/backend-endpoint.all.yaml | 106 +++
 .../translate/out/default-resources.all.yaml | 5 +
 .../out/echo-gateway-api.cluster.yaml | 1 +
 .../out/from-gateway-api-to-xds.all.json | 5 +
 .../out/from-gateway-api-to-xds.all.yaml | 5 +
 .../out/from-gateway-api-to-xds.cluster.yaml | 5 +
 ...-single-route-single-match-to-xds.all.json | 1 +
 ...-single-route-single-match-to-xds.all.yaml | 1 +
 ...gle-route-single-match-to-xds.cluster.yaml | 1 +
 .../out/no-service-cluster-ip.all.yaml | 1 +
 internal/cmd/egctl/translate_test.go | 6 +
 .../extension/registry/extension_manager.go | 7 +-
 internal/gatewayapi/backendtlspolicy.go | 12 +-
 internal/gatewayapi/contexts.go | 52 +-
 internal/gatewayapi/envoyextensionpolicy.go | 6 +-
 internal/gatewayapi/helpers.go | 1 +
 internal/gatewayapi/resource/load.go | 14 +-
 internal/gatewayapi/route.go | 2 +-
 internal/gatewayapi/runner/runner.go | 4 +-
 internal/gatewayapi/securitypolicy.go | 11 +-
 .../backendtlspolicy-multiple-targets.in.yaml | 123 ++++
 ...backendtlspolicy-multiple-targets.out.yaml | 239 +++++++
 .../testdata/custom-filter-order.in.yaml | 4 +-
 .../testdata/custom-filter-order.out.yaml | 8 +-
 ...tensionpolicy-with-wasm-targetrefs.in.yaml | 4 +-
 ...ensionpolicy-with-wasm-targetrefs.out.yaml | 12 +-
 .../envoyextensionpolicy-with-wasm.in.yaml | 6 +-
 .../envoyextensionpolicy-with-wasm.out.yaml | 10 +-
 .../httproute-with-direct-response.in.yaml | 119 ++++
 .../httproute-with-direct-response.out.yaml | 208 ++++++
 ...ultiple-gateways-from-different-ns.in.yaml | 55 ++
 ...ltiple-gateways-from-different-ns.out.yaml | 249 +++++++
 ...ith-multiple-gateways-from-same-ns.in.yaml | 54 ++
 ...th-multiple-gateways-from-same-ns.out.yaml | 247 +++++++
 internal/gatewayapi/translator_test.go | 5 +-
 .../testdata/daemonsets/component-level.yaml | 2 +-
 .../proxy/testdata/daemonsets/custom.yaml | 2 +-
 .../testdata/daemonsets/default-env.yaml | 2 +-
 .../proxy/testdata/daemonsets/default.yaml | 2 +-
 .../daemonsets/disable-prometheus.yaml | 2 +-
 .../testdata/daemonsets/extension-env.yaml | 2 +-
 .../override-labels-and-annotations.yaml | 2 +-
 .../testdata/daemonsets/patch-daemonset.yaml | 2 +-
 .../proxy/testdata/daemonsets/volumes.yaml | 2 +-
 .../testdata/daemonsets/with-annotations.yaml | 2 +-
 .../testdata/daemonsets/with-concurrency.yaml | 2 +-
 .../testdata/daemonsets/with-extra-args.yaml | 2 +-
 .../daemonsets/with-image-pull-secrets.yaml | 2 +-
 .../proxy/testdata/daemonsets/with-name.yaml | 2 +-
 .../daemonsets/with-node-selector.yaml | 2 +-
 .../with-topology-spread-constraints.yaml | 2 +-
 .../proxy/testdata/deployments/bootstrap.yaml | 2 +-
 .../testdata/deployments/component-level.yaml | 2 +-
 .../proxy/testdata/deployments/custom.yaml | 2 +-
 .../custom_with_initcontainers.yaml | 2 +-
 .../testdata/deployments/default-env.yaml | 2 +-
 .../proxy/testdata/deployments/default.yaml | 2 +-
 .../deployments/disable-prometheus.yaml | 2 +-
 .../testdata/deployments/extension-env.yaml | 2 +-
 .../override-labels-and-annotations.yaml | 2 +-
 .../deployments/patch-deployment.yaml | 2 +-
 .../proxy/testdata/deployments/volumes.yaml | 2 +-
 .../deployments/with-annotations.yaml | 2 +-
 .../deployments/with-concurrency.yaml | 2 +-
 .../deployments/with-empty-memory-limits.yaml | 2 +-
 .../testdata/deployments/with-extra-args.yaml | 2 +-
 .../deployments/with-image-pull-secrets.yaml | 2 +-
 .../proxy/testdata/deployments/with-name.yaml | 2 +-
 .../deployments/with-node-selector.yaml | 2 +-
 .../with-topology-spread-constraints.yaml | 2 +-
 internal/ir/infra.go | 2 +-
 internal/ir/xds.go | 2 +-
 internal/kubernetes/port_forwarder.go | 4 +-
 internal/provider/kubernetes/controller.go | 668 ++++++++++--------
internal/provider/kubernetes/indexers.go | 24 +- internal/provider/kubernetes/predicates.go | 264 ++++--- .../provider/kubernetes/predicates_test.go | 16 +- internal/provider/kubernetes/resource.go | 43 +- internal/provider/kubernetes/routes.go | 19 +- internal/provider/kubernetes/status.go | 74 +- internal/provider/kubernetes/status_test.go | 294 ++++++++ internal/utils/protocov/protocov.go | 36 +- internal/xds/bootstrap/bootstrap.go | 8 +- internal/xds/translator/accesslog.go | 33 +- internal/xds/translator/authorization.go | 26 +- internal/xds/translator/basicauth.go | 5 +- internal/xds/translator/cluster.go | 12 +- internal/xds/translator/custom_response.go | 11 +- internal/xds/translator/fault.go | 5 +- internal/xds/translator/jwt.go | 11 +- internal/xds/translator/listener.go | 68 +- internal/xds/translator/listener_test.go | 19 +- internal/xds/translator/oidc.go | 4 +- .../in/xds-ir/accesslog-without-format.yaml | 3 +- .../testdata/in/xds-ir/accesslog.yaml | 3 +- .../authorization-multiple-principals.yaml | 4 +- ...extensionpolicy-tcp-udp-http.clusters.yaml | 1 + .../http-route-extension-filter.clusters.yaml | 1 + .../extension-xds-ir/http-route.clusters.yaml | 1 + .../xds-ir/accesslog-als-tcp.clusters.yaml | 1 + .../out/xds-ir/accesslog-cel.clusters.yaml | 1 + .../accesslog-endpoint-stats.clusters.yaml | 1 + .../xds-ir/accesslog-formatters.clusters.yaml | 1 + .../xds-ir/accesslog-multi-cel.clusters.yaml | 1 + .../out/xds-ir/accesslog-types.clusters.yaml | 7 + .../accesslog-without-format.clusters.yaml | 2 + .../accesslog-without-format.listeners.yaml | 2 + .../out/xds-ir/accesslog.clusters.yaml | 2 + .../out/xds-ir/accesslog.listeners.yaml | 2 + .../authorization-client-cidr.clusters.yaml | 3 + .../authorization-jwt-claim.clusters.yaml | 2 + .../authorization-jwt-scope.clusters.yaml | 2 + ...rization-multiple-principals.clusters.yaml | 1 + ...horization-multiple-principals.routes.yaml | 20 +- .../xds-ir/backend-buffer-limit.clusters.yaml | 3 + 
.../out/xds-ir/backend-priority.clusters.yaml | 3 + .../out/xds-ir/basic-auth.clusters.yaml | 3 + .../out/xds-ir/circuit-breaker.clusters.yaml | 1 + .../xds-ir/client-buffer-limit.clusters.yaml | 2 + .../xds-ir/client-ip-detection.clusters.yaml | 3 + .../out/xds-ir/client-timeout.clusters.yaml | 2 + .../testdata/out/xds-ir/cors.clusters.yaml | 1 + .../out/xds-ir/custom-response.clusters.yaml | 1 + .../out/xds-ir/ext-auth-backend.clusters.yaml | 3 + .../ext-auth-recomputation.clusters.yaml | 3 + .../out/xds-ir/ext-auth.clusters.yaml | 5 + ...t-proc-with-traffic-settings.clusters.yaml | 3 + .../out/xds-ir/ext-proc.clusters.yaml | 6 + .../out/xds-ir/fault-injection.clusters.yaml | 5 + ...s-with-preserve-x-request-id.clusters.yaml | 2 + ...ders-with-underscores-action.clusters.yaml | 4 + .../out/xds-ir/health-check.clusters.yaml | 5 + .../http-early-header-mutation.clusters.yaml | 2 + .../xds-ir/http-endpoint-stats.clusters.yaml | 1 + .../xds-ir/http-health-check.clusters.yaml | 1 + ...ttp-preserve-client-protocol.clusters.yaml | 1 + .../http-req-resp-sizes-stats.clusters.yaml | 1 + .../http-route-direct-response.clusters.yaml | 1 + .../xds-ir/http-route-mirror.clusters.yaml | 1 + .../http-route-multiple-matches.clusters.yaml | 7 + .../http-route-multiple-mirrors.clusters.yaml | 3 + .../http-route-partial-invalid.clusters.yaml | 1 + .../xds-ir/http-route-redirect.clusters.yaml | 1 + .../out/xds-ir/http-route-regex.clusters.yaml | 1 + .../http-route-request-headers.clusters.yaml | 1 + ...p-route-response-add-headers.clusters.yaml | 1 + ...-response-add-remove-headers.clusters.yaml | 1 + ...oute-response-remove-headers.clusters.yaml | 1 + ...rewrite-root-path-url-prefix.clusters.yaml | 1 + ...sufixx-with-slash-url-prefix.clusters.yaml | 1 + ...p-route-rewrite-url-fullpath.clusters.yaml | 1 + .../http-route-rewrite-url-host.clusters.yaml | 1 + ...ttp-route-rewrite-url-prefix.clusters.yaml | 1 + ...http-route-rewrite-url-regex.clusters.yaml | 1 + 
...tp-route-session-persistence.clusters.yaml | 1 + .../xds-ir/http-route-timeout.clusters.yaml | 3 + ...oute-weighted-backend-uds-ip.clusters.yaml | 1 + ...eighted-backend-with-filters.clusters.yaml | 2 + .../http-route-weighted-backend.clusters.yaml | 1 + ...ute-weighted-invalid-backend.clusters.yaml | 1 + .../http-route-with-clientcert.clusters.yaml | 1 + .../http-route-with-metadata.clusters.yaml | 2 + ...e-with-tls-system-truststore.clusters.yaml | 1 + ...ith-tlsbundle-multiple-certs.clusters.yaml | 2 + .../http-route-with-tlsbundle.clusters.yaml | 1 + .../out/xds-ir/http-route.clusters.yaml | 1 + .../xds-ir/http1-preserve-case.clusters.yaml | 2 + .../out/xds-ir/http1-trailers.clusters.yaml | 1 + .../testdata/out/xds-ir/http10.clusters.yaml | 1 + .../out/xds-ir/http2-route.clusters.yaml | 4 + .../testdata/out/xds-ir/http2.clusters.yaml | 1 + .../testdata/out/xds-ir/http3.clusters.yaml | 1 + .../jsonpatch-missing-resource.clusters.yaml | 1 + .../jsonpatch-with-jsonpath.clusters.yaml | 2 + .../out/xds-ir/jsonpatch.clusters.yaml | 1 + .../xds-ir/jwt-custom-extractor.clusters.yaml | 1 + ...t-multi-route-multi-provider.clusters.yaml | 3 + ...-multi-route-single-provider.clusters.yaml | 2 + .../out/xds-ir/jwt-optional.clusters.yaml | 1 + .../out/xds-ir/jwt-ratelimit.clusters.yaml | 4 + ...wt-single-route-single-match.clusters.yaml | 1 + .../listener-connection-limit.clusters.yaml | 2 + .../listener-proxy-protocol.clusters.yaml | 2 + .../listener-tcp-keepalive.clusters.yaml | 2 + .../out/xds-ir/load-balancer.clusters.yaml | 10 + .../out/xds-ir/local-ratelimit.clusters.yaml | 3 + .../xds-ir/metrics-virtual-host.clusters.yaml | 1 + .../xds-ir/mixed-tls-jwt-authn.clusters.yaml | 1 + ...-port-with-different-filters.clusters.yaml | 4 + ...multiple-listeners-same-port.clusters.yaml | 6 + ...e-simple-tcp-route-same-port.clusters.yaml | 5 + ...certificate-with-custom-data.clusters.yaml | 5 + ...s-forward-client-certificate.clusters.yaml | 5 + 
...-client-certificate-disabled.clusters.yaml | 2 + .../out/xds-ir/mutual-tls.clusters.yaml | 2 + ...idc-backend-cluster-provider.clusters.yaml | 1 + .../testdata/out/xds-ir/oidc.clusters.yaml | 2 + .../out/xds-ir/path-settings.clusters.yaml | 1 + .../proxy-protocol-upstream.clusters.yaml | 1 + .../ratelimit-custom-domain.clusters.yaml | 3 + .../ratelimit-disable-headers.clusters.yaml | 3 + .../ratelimit-endpoint-stats.clusters.yaml | 3 + .../ratelimit-headers-and-cidr.clusters.yaml | 3 + .../xds-ir/ratelimit-sourceip.clusters.yaml | 4 + .../out/xds-ir/ratelimit.clusters.yaml | 4 + .../retry-partial-invalid.clusters.yaml | 1 + .../out/xds-ir/simple-tls.clusters.yaml | 1 + .../suppress-envoy-headers.clusters.yaml | 1 + .../tcp-listener-ipfamily.clusters.yaml | 1 + .../xds-ir/tcp-route-complex.clusters.yaml | 1 + .../out/xds-ir/tcp-route-simple.clusters.yaml | 1 + .../tcp-route-tls-terminate.clusters.yaml | 2 + .../tcp-route-weighted-backend.clusters.yaml | 1 + .../testdata/out/xds-ir/timeout.clusters.yaml | 1 + .../tls-route-passthrough.clusters.yaml | 1 + ...s-with-ciphers-versions-alpn.clusters.yaml | 2 + .../out/xds-ir/tracing-datadog.clusters.yaml | 1 + .../tracing-endpoint-stats.clusters.yaml | 1 + .../out/xds-ir/tracing-zipkin.clusters.yaml | 1 + .../testdata/out/xds-ir/tracing.clusters.yaml | 1 + .../xds-ir/udp-endpoint-stats.clusters.yaml | 1 + .../udp-req-resp-sizes-stats.clusters.yaml | 1 + .../out/xds-ir/udp-route.clusters.yaml | 1 + .../upstream-tcpkeepalive.clusters.yaml | 1 + .../testdata/out/xds-ir/wasm.clusters.yaml | 2 + internal/xds/translator/tracing.go | 6 +- internal/xds/translator/translator.go | 29 +- osv-scanner.toml | 33 +- release-notes/current.yaml | 9 +- release-notes/v1.1.3.yaml | 28 + site/content/en/contributions/CODEOWNERS.md | 2 +- site/content/en/latest/api/extension_types.md | 140 +--- .../latest/install/gateway-addons-helm-api.md | 23 +- .../en/latest/install/gateway-helm-api.md | 9 +- .../tasks/security/jwt-claim-authorization.md 
| 226 ++++++ .../latest/tasks/traffic/direct-response.md | 284 ++++++++ site/content/en/news/releases/_index.md | 2 +- site/content/en/news/releases/notes/v1.1.3.md | 31 + .../en/v0.2/contributions/CODEOWNERS.md | 2 +- .../en/v0.2/contributions/RELEASING.md | 4 +- .../en/v0.3/contributions/CODEOWNERS.md | 2 +- .../en/v0.3/contributions/RELEASING.md | 4 +- .../en/v0.4/contributions/CODEOWNERS.md | 2 +- .../en/v0.4/contributions/RELEASING.md | 4 +- .../en/v0.5/contributions/CODEOWNERS.md | 2 +- .../en/v0.5/contributions/RELEASING.md | 4 +- .../en/v0.6/contributions/CODEOWNERS.md | 2 +- .../en/v0.6/contributions/RELEASING.md | 4 +- site/content/zh/contributions/CODEOWNERS.md | 2 +- site/content/zh/contributions/RELEASING.md | 4 +- site/content/zh/latest/api/extension_types.md | 140 +--- .../latest/install/gateway-addons-helm-api.md | 23 +- .../zh/latest/install/gateway-helm-api.md | 9 +- site/content/zh/news/releases/_index.md | 2 +- site/layouts/shortcodes/helm-version.html | 4 +- site/layouts/shortcodes/yaml-version.html | 4 +- test/e2e/base/manifests.yaml | 107 --- test/e2e/testdata/accesslog-als.yaml | 194 +---- test/e2e/testdata/direct-response.yaml | 64 ++ test/e2e/testdata/ext-auth-grpc-service.yaml | 394 ++--------- test/e2e/testdata/ext-auth-http-service.yaml | 76 +- test/e2e/testdata/ext-proc-service.yaml | 354 +--------- .../e2e/testdata/gateway-with-envoyproxy.yaml | 49 ++ test/e2e/testdata/oidc-keycloak.yaml | 2 +- test/e2e/testdata/preserve-case.yaml | 73 +- test/e2e/testdata/wasm-http.yaml | 36 + test/e2e/tests/accesslog.go | 6 +- test/e2e/tests/authorization_client_ip.go | 2 +- .../e2e/tests/authorization_default_action.go | 2 +- test/e2e/tests/authorization_jwt.go | 2 +- test/e2e/tests/backend_tls_settings.go | 2 +- test/e2e/tests/direct-response.go | 38 + test/e2e/tests/gateway_infra_resource.go | 2 +- test/e2e/tests/gatewayt-with-envoyproxy.go | 59 ++ test/e2e/tests/oidc-backendcluster.go | 9 +- test/e2e/tests/oidc.go | 45 +- 
test/e2e/tests/preservecase.go | 4 +- test/e2e/tests/ratelimit.go | 3 +- test/e2e/tests/response-override.go | 58 +- test/e2e/tests/wasm_http.go | 94 +-- test/e2e/tests/wasm_oci.go | 5 +- test/helm/gateway-addons-helm/e2e.in.yaml | 4 + test/helm/gateway-addons-helm/e2e.out.yaml | 429 +++++++---- .../certjen-custom-scheduling.out.yaml | 4 +- .../control-plane-with-pdb.out.yaml | 4 +- .../helm/gateway-helm/default-config.out.yaml | 4 +- .../deployment-custom-topology.out.yaml | 4 +- .../deployment-images-config.out.yaml | 4 +- .../deployment-priorityclass.out.yaml | 4 +- .../deployment-securitycontext.in.yaml | 32 + .../deployment-securitycontext.out.yaml | 574 +++++++++++++++ .../envoy-gateway-config.out.yaml | 4 +- .../global-images-config.out.yaml | 4 +- .../gateway-helm/service-annotations.out.yaml | 4 +- tools/crd-ref-docs/config.yaml | 2 +- tools/docker/envoy-gateway/Dockerfile | 2 +- tools/github-actions/setup-deps/action.yaml | 2 +- tools/make/common.mk | 1 + tools/make/examples.mk | 20 + tools/make/kube.mk | 25 +- tools/src/buf/go.mod | 42 +- tools/src/buf/go.sum | 84 +-- 351 files changed, 6594 insertions(+), 2520 deletions(-) create mode 100644 examples/envoy-als/Dockerfile create mode 100644 examples/envoy-als/Makefile create mode 100644 examples/envoy-als/go.mod create mode 100644 examples/envoy-als/go.sum create mode 100644 examples/envoy-als/main.go create mode 100644 examples/grpc-ext-auth/Dockerfile create mode 100644 examples/grpc-ext-auth/Makefile create mode 100644 examples/grpc-ext-auth/go.mod create mode 100644 examples/grpc-ext-auth/go.sum create mode 100644 examples/grpc-ext-auth/main.go create mode 100644 examples/grpc-ext-proc/Dockerfile create mode 100644 examples/grpc-ext-proc/Makefile create mode 100644 examples/grpc-ext-proc/go.mod create mode 100644 examples/grpc-ext-proc/go.sum create mode 100644 examples/grpc-ext-proc/main.go create mode 100644 examples/http-ext-auth/Dockerfile create mode 100644 examples/http-ext-auth/Makefile create 
mode 100644 examples/http-ext-auth/http-ext-auth.js create mode 100644 examples/preserve-case-backend/Dockerfile create mode 100644 examples/preserve-case-backend/Makefile create mode 100644 examples/preserve-case-backend/go.mod create mode 100644 examples/preserve-case-backend/go.sum create mode 100644 examples/preserve-case-backend/main.go create mode 100644 internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml create mode 100644 internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml create mode 100644 internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml create mode 100644 internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml create mode 100644 internal/provider/kubernetes/status_test.go create mode 100644 release-notes/v1.1.3.yaml create mode 100644 site/content/en/latest/tasks/security/jwt-claim-authorization.md create mode 100644 site/content/en/latest/tasks/traffic/direct-response.md create mode 100644 site/content/en/news/releases/notes/v1.1.3.md create mode 100644 test/e2e/testdata/direct-response.yaml create mode 100644 test/e2e/testdata/gateway-with-envoyproxy.yaml create mode 100644 test/e2e/tests/direct-response.go create mode 100644 test/e2e/tests/gatewayt-with-envoyproxy.go create mode 100644 test/helm/gateway-helm/deployment-securitycontext.in.yaml create mode 100644 
test/helm/gateway-helm/deployment-securitycontext.out.yaml create mode 100644 tools/make/examples.mk diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 80992fc9d6d..cd49c5a82c7 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -20,7 +20,7 @@ jobs: lint: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps # Generate the installation manifests first, so it can check # for errors while running `make -k lint` @@ -31,14 +31,14 @@ jobs: gen-check: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - run: make -k gen-check license-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - run: make -k licensecheck @@ -48,7 +48,7 @@ jobs: contents: read # for actions/checkout id-token: write # for fetching OIDC token steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps # test @@ -67,7 +67,7 @@ jobs: runs-on: ubuntu-latest needs: [lint, gen-check, license-check, coverage-test] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Build EG Multiarch Binaries 
@@ -87,7 +87,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries @@ -114,9 +114,21 @@ jobs: strategy: fail-fast: false matrix: - version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] + target: + - version: v1.28.13 + ipFamily: ipv4 + - version: v1.29.8 + ipFamily: ipv4 + - version: v1.30.4 + ipFamily: ipv4 + # Enable these after https://github.com/envoyproxy/gateway/issues/4572 fixed + # - version: v1.31.0 + # ipFamily: ipv6 # only run ipv6 test on latest version to save time + # TODO: this's IPv4 first, need a way to test IPv6 first. + - version: v1.31.0 + ipFamily: dual # only run dual test on latest version to save time steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries @@ -133,8 +145,9 @@ jobs: # E2E - name: Run E2E Tests env: - KIND_NODE_TAG: ${{ matrix.version }} + KIND_NODE_TAG: ${{ matrix.target.version }} IMAGE_PULL_POLICY: IfNotPresent + IP_FAMILY: ${{ matrix.target.ipFamily }} run: make e2e benchmark-test: @@ -143,7 +156,7 @@ jobs: if: ${{ ! startsWith(github.event_name, 'push') }} needs: [build] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -170,7 +183,7 @@ jobs: runs-on: ubuntu-latest needs: [conformance-test, e2e-test] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries 
@@ -210,4 +223,6 @@ jobs: if: github.event_name == 'push' && github.ref == 'refs/heads/main' # use `0.0.0` as the default latest version. # use `Always` image pull policy for latest version. - run: IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=v0.0.0-latest TAG=latest make helm-push + run: | + IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=v0.0.0-latest TAG=latest make helm-push + IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=0.0.0-latest TAG=latest make helm-push diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5fceea67877..2027c7548aa 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,18 +32,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 687c824ea41..22437cb9cd8 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml 
@@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} @@ -48,7 +48,7 @@ jobs: contents: write steps: - name: Git checkout - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true ref: ${{ github.event.pull_request.head.sha }} @@ -62,7 +62,7 @@ jobs: extended: true - name: Setup Node - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.1.0 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: '18' diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index 931831b2bf1..e2b43edfbba 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -21,7 +21,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps # gateway api experimental conformance diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index a0ceb53e08d..0b709f9fe1a 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -22,7 +22,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz 
@@ -57,7 +57,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Generate Release Manifests @@ -72,11 +72,15 @@ jobs: - name: Build egctl latest multiarch binaries run: | - make build-multiarch BINS="egctl" - tar -zcvf egctl_latest_linux_amd64.tar.gz bin/linux/amd64/ - tar -zcvf egctl_latest_linux_arm64.tar.gz bin/linux/arm64/ - tar -zcvf egctl_latest_darwin_amd64.tar.gz bin/darwin/amd64/ - tar -zcvf egctl_latest_darwin_arm64.tar.gz bin/darwin/arm64/ + make build-multiarch + tar -zcvf envoy-gateway_latest_linux_amd64.tar.gz bin/linux/amd64/envoy-gateway + tar -zcvf envoy-gateway_linux_arm64.tar.gz bin/linux/arm64/envoy-gateway + tar -zcvf envoy-gateway_darwin_amd64.tar.gz bin/darwin/amd64/envoy-gateway + tar -zcvf envoy-gateway_darwin_arm64.tar.gz bin/darwin/arm64/envoy-gateway + tar -zcvf egctl_latest_linux_amd64.tar.gz bin/linux/amd64/egctl + tar -zcvf egctl_latest_linux_arm64.tar.gz bin/linux/arm64/egctl + tar -zcvf egctl_latest_darwin_amd64.tar.gz bin/darwin/amd64/egctl + tar -zcvf egctl_latest_darwin_arm64.tar.gz bin/darwin/arm64/egctl # Ignore the error when we delete the latest release, it might not exist. @@ -103,7 +107,7 @@ jobs: GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }} - name: Recreate the Latest Release and Tag - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v0.1.15 + uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v0.1.15 with: draft: false prerelease: true 
@@ -112,6 +116,10 @@ jobs: release-artifacts/install.yaml release-artifacts/quickstart.yaml release-artifacts/benchmark_report.zip + envoy-gateway_latest_linux_amd64.tar.gz + envoy-gateway_latest_linux_arm64.tar.gz + envoy-gateway_latest_darwin_amd64.tar.gz + envoy-gateway_latest_darwin_arm64.tar.gz egctl_latest_linux_amd64.tar.gz egctl_latest_linux_arm64.tar.gz egctl_latest_darwin_amd64.tar.gz diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 2bbb36ce830..649f27fe979 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run scanner uses: google/osv-scanner-action/osv-scanner-action@19ec1116569a47416e11a45848722b1af31a857b # v1.9.0 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a95f411890d..6c4d715edc8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,7 +15,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -50,13 +50,14 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Extract Release Tag and Commit SHA id: vars shell: bash run: | echo "release_tag=$(echo ${GITHUB_REF##*/})" >> $GITHUB_ENV + echo "without_v_release_tag=${release_tag:1}" >> $GITHUB_ENV echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV - name: Login to DockerHub 
@@ -72,7 +73,9 @@ jobs: run: IMAGE_PULL_POLICY=IfNotPresent make generate-artifacts IMAGE=envoyproxy/gateway TAG=${{ env.release_tag }} OUTPUT_DIR=release-artifacts - name: Build and Push EG Release Helm Chart - run: IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push + run: | + IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push + IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.without_v_release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push - name: Download Benchmark Report uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 
@@ -80,15 +83,31 @@ jobs: name: benchmark_report path: release-artifacts + - name: Build egctl multiarch binaries + run: | + make build-multiarch + tar -zcvf envoy-gateway_${{ env.release_tag }}_linux_amd64.tar.gz bin/linux/amd64/envoy-gateway + tar -zcvf envoy-gateway_${{ env.release_tag }}_linux_arm64.tar.gz bin/linux/arm64/envoy-gateway + tar -zcvf envoy-gateway_${{ env.release_tag }}_darwin_amd64.tar.gz bin/darwin/amd64/envoy-gateway + tar -zcvf envoy-gateway_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/envoy-gateway + tar -zcvf egctl_${{ env.release_tag }}_linux_amd64.tar.gz bin/linux/amd64/egctl + tar -zcvf egctl_${{ env.release_tag }}_linux_arm64.tar.gz bin/linux/arm64/egctl + tar -zcvf egctl_${{ env.release_tag }}_darwin_amd64.tar.gz bin/darwin/amd64/egctl + tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl + - name: Upload Release Manifests - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v0.1.15 + uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v0.1.15 with: files: | release-artifacts/install.yaml release-artifacts/quickstart.yaml release-artifacts/release-notes.yaml release-artifacts/benchmark_report.zip - release-artifacts/egctl_${{ env.release_tag }}_linux_amd64.tar.gz - release-artifacts/egctl_${{ env.release_tag }}_linux_arm64.tar.gz - release-artifacts/egctl_${{ env.release_tag }}_darwin_amd64.tar.gz - release-artifacts/egctl_${{ env.release_tag }}_darwin_arm64.tar.gz + envoy-gateway_${{ env.release_tag }}_linux_amd64.tar.gz + envoy-gateway_${{ env.release_tag }}_linux_arm64.tar.gz + envoy-gateway_${{ env.release_tag }}_darwin_amd64.tar.gz + envoy-gateway_${{ env.release_tag }}_darwin_arm64.tar.gz + egctl_${{ env.release_tag }}_linux_amd64.tar.gz + egctl_${{ env.release_tag }}_linux_arm64.tar.gz + egctl_${{ env.release_tag }}_darwin_amd64.tar.gz + egctl_${{ env.release_tag }}_darwin_arm64.tar.gz 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 018bb5c0dd7..6e816b5460f 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -21,7 +21,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: sarif_file: results.sarif diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index f34bd237a88..077dfa44fcb 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build an image from Dockerfile run: | diff --git a/OWNERS b/OWNERS index 9237b007189..4a2e54e6db2 100644 --- a/OWNERS +++ b/OWNERS @@ -9,7 +9,6 @@ admins: maintainers: -- AliceProxy - arkodg - Xunzhuo - zirain @@ -25,6 +24,7 @@ emeritus-maintainers: - skriss - youngnick - qicz +- Alice-Lilith reviewers: diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go index c61b43c82e1..68c451e68df 100644 --- a/api/v1alpha1/envoygateway_helpers.go +++ b/api/v1alpha1/envoygateway_helpers.go @@ -6,7 +6,8 @@ package v1alpha1 import ( - "fmt" + "net" + "strconv" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" 
@@ -80,7 +81,7 @@ func (e *EnvoyGateway) GetEnvoyGatewayAdmin() *EnvoyGatewayAdmin { func (e *EnvoyGateway) GetEnvoyGatewayAdminAddress() string { address := e.GetEnvoyGatewayAdmin().Address if address != nil { - return fmt.Sprintf("%s:%d", address.Host, address.Port) + return net.JoinHostPort(address.Host, strconv.Itoa(address.Port)) } return "" diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index fc6121f6922..aff125785e2 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -28,7 +28,7 @@ const ( // DefaultShutdownManagerMemoryResourceRequests for shutdown manager memory resource DefaultShutdownManagerMemoryResourceRequests = "32Mi" // DefaultShutdownManagerImage is the default image used for the shutdown manager. - DefaultShutdownManagerImage = "envoyproxy/gateway-dev:latest" + DefaultShutdownManagerImage = "docker.io/envoyproxy/gateway-dev:latest" // DefaultRateLimitImage is the default image used by ratelimit. DefaultRateLimitImage = "envoyproxy/ratelimit:28b1629a" // HTTPProtocol is the common-used http protocol. diff --git a/charts/gateway-addons-helm/Chart.lock b/charts/gateway-addons-helm/Chart.lock index 228a952fdc1..4e15b355cb5 100644 --- a/charts/gateway-addons-helm/Chart.lock +++ b/charts/gateway-addons-helm/Chart.lock @@ -8,6 +8,9 @@ dependencies: - name: fluent-bit repository: https://fluent.github.io/helm-charts version: 0.30.4 +- name: alloy + repository: https://grafana.github.io/helm-charts + version: 0.9.2 - name: loki repository: https://grafana.github.io/helm-charts version: 4.8.0 @@ -17,5 +20,5 @@ dependencies: - name: opentelemetry-collector repository: https://open-telemetry.github.io/opentelemetry-helm-charts version: 0.108.0 -digest: sha256:ea6663bb1358123b96b69d2c5b0b8c20650a43dc39b24c482f0560201fd2cc3a -generated: "2024-10-19T12:59:47.251089661+02:00" +digest: sha256:bc634c59972bfd4a01e0f4310a4949095752e659a9b5cb1d9c0fbe9a86f37011 +generated: "2024-10-25T10:55:26.755739+08:00" 
diff --git a/charts/gateway-addons-helm/Chart.yaml b/charts/gateway-addons-helm/Chart.yaml index 2571ccec51e..3a2303ef8c9 100644 --- a/charts/gateway-addons-helm/Chart.yaml +++ b/charts/gateway-addons-helm/Chart.yaml @@ -37,6 +37,10 @@ dependencies: repository: https://fluent.github.io/helm-charts version: 0.30.4 condition: fluent-bit.enabled + - name: alloy + repository: https://grafana.github.io/helm-charts + version: 0.9.2 + condition: alloy.enabled - name: loki version: 4.8.0 repository: https://grafana.github.io/helm-charts diff --git a/charts/gateway-addons-helm/README.md b/charts/gateway-addons-helm/README.md index a52af3e2d14..b30a535e724 100644 --- a/charts/gateway-addons-helm/README.md +++ b/charts/gateway-addons-helm/README.md @@ -22,6 +22,7 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | 
@@ -55,6 +56,9 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = [\"__meta_kubernetes_namespace\", 
\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n multiline.parser docker, 
cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | 
@@ -107,15 +111,21 @@ To uninstall the chart: | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` | | +| 
opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | @@ -127,6 +137,7 @@ To uninstall the chart: | opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | diff --git a/charts/gateway-addons-helm/values.yaml b/charts/gateway-addons-helm/values.yaml index d3fb043ddd4..f8f80958129 100644 --- a/charts/gateway-addons-helm/values.yaml +++ b/charts/gateway-addons-helm/values.yaml 
@@ -60,6 +60,7 @@ prometheus: # Values for Fluent-bit dependency +# TODO: remove fluent-bit dependency fluent-bit: enabled: true image: 
@@ -167,6 +168,109 @@ loki: gateway: enabled: false +# Values for Alloy dependency +alloy: + enabled: false + fullnameOverride: alloy + alloy: + configMap: + content: |- + // Write your Alloy config here: + logging { + level = "info" + format = "logfmt" + } + loki.write "alloy" { + endpoint { + url = "http://loki.monitoring.svc:3100/loki/api/v1/push" + } + } + // discovery.kubernetes allows you to find scrape targets from Kubernetes resources. + // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster. + discovery.kubernetes "pod" { + role = "pod" + } + + // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules. + // If no rules are defined, then the input targets are exported as-is. + discovery.relabel "pod_logs" { + targets = discovery.kubernetes.pod.targets + + // Label creation - "namespace" field from "__meta_kubernetes_namespace" + rule { + source_labels = ["__meta_kubernetes_namespace"] + action = "replace" + target_label = "namespace" + } + + // Label creation - "pod" field from "__meta_kubernetes_pod_name" + rule { + source_labels = ["__meta_kubernetes_pod_name"] + action = "replace" + target_label = "pod" + } + + // Label creation - "container" field from "__meta_kubernetes_pod_container_name" + rule { + source_labels = ["__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "container" + } + + // Label creation - "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name" + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"] + action = "replace" + target_label = "app" + } + + // Label creation - "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name + rule { + source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"] + action = 
"replace" + target_label = "job" + separator = "/" + replacement = "$1" + } + + // Label creation - "container" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log + rule { + source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "__path__" + separator = "/" + replacement = "/var/log/pods/*$1/*.log" + } + + // Label creation - "container_runtime" field from "__meta_kubernetes_pod_container_id" + rule { + source_labels = ["__meta_kubernetes_pod_container_id"] + action = "replace" + target_label = "container_runtime" + regex = "^(\\S+):\\/\\/.+$" + replacement = "$1" + } + } + + // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API. + loki.source.kubernetes "pod_logs" { + targets = discovery.relabel.pod_logs.output + forward_to = [loki.process.pod_logs.receiver] + } + // loki.process receives log entries from other Loki components, applies one or more processing stages, + // and forwards the results to the list of receivers in the component’s arguments. + loki.process "pod_logs" { + stage.static_labels { + values = { + cluster = "envoy-gateway", + } + } + + forward_to = [loki.write.alloy.receiver] + } + # Values for Tempo dependency tempo: @@ -186,7 +290,7 @@ opentelemetry-collector: config: exporters: prometheus: - endpoint: 0.0.0.0:19001 + endpoint: "[${env:MY_POD_IP}]:19001" debug: verbosity: detailed loki: @@ -196,10 +300,8 @@ opentelemetry-collector: tls: insecure: true extensions: - # The health_check extension is mandatory for this chart. - # Without the health_check extension the collector will fail the readiness and liveliness probes. - # The health_check extension can be modified, but should never be removed. - health_check: {} + health_check: + endpoint: "[${env:MY_POD_IP}]:13133" processors: attributes: actions: 
@@ -209,17 +311,36 @@ opentelemetry-collector: # Loki will convert this to k8s_pod_name label. value: k8s.pod.name, k8s.namespace.name receivers: + jaeger: + protocols: + grpc: + endpoint: "[${env:MY_POD_IP}]:14250" + thrift_http: + endpoint: "[${env:MY_POD_IP}]:14268" + thrift_compact: + endpoint: "[${env:MY_POD_IP}]:6831" datadog: - endpoint: ${env:MY_POD_IP}:8126 + endpoint: "[${env:MY_POD_IP}]:8126" zipkin: - endpoint: ${env:MY_POD_IP}:9411 + endpoint: "[${env:MY_POD_IP}]:9411" otlp: protocols: grpc: - endpoint: ${env:MY_POD_IP}:4317 + endpoint: "[${env:MY_POD_IP}]:4317" http: - endpoint: ${env:MY_POD_IP}:4318 + endpoint: "[${env:MY_POD_IP}]:4318" + prometheus: + config: + scrape_configs: + - job_name: opentelemetry-collector + scrape_interval: 10s + static_configs: + - targets: + - "[${env:MY_POD_IP}]:8888" service: + telemetry: + metrics: + address: "[${env:MY_POD_IP}]:8888" extensions: - health_check pipelines: diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 61942016a29..5d9cecf616b 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md 
@@ -59,7 +59,7 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -71,6 +71,13 @@ To uninstall the chart: | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml index 00b7b6f8dca..f98c414ba22 100644 --- a/charts/gateway-helm/templates/certgen.yaml +++ b/charts/gateway-helm/templates/certgen.yaml @@ -39,17 +39,7 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsGroup: 65534 - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault + {{- toYaml .Values.certgen.job.securityContext | nindent 10 }} {{- include "eg.image.pullSecrets" . | nindent 6 }} {{- with .Values.certgen.job.affinity }} affinity: diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index 0be895fe76f..7746dd2e4ac 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml 
+++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -30,7 +30,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.deployment.pod.nodeSelector }} - nodeSelector: + nodeSelector: {{ toYaml . | nindent 8 }} {{- end }} {{- with .Values.deployment.pod.topologySpreadConstraints }} @@ -73,19 +73,10 @@ spec: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 - resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 - }} + resources: + {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - runAsGroup: 65532 - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault + {{- toYaml .Values.deployment.envoyGateway.securityContext | nindent 10 }} volumeMounts: - mountPath: /config name: envoy-gateway-config diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 90e72f09956..cfcd9532491 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -35,6 +35,17 @@ deployment: requests: cpu: 100m memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault ports: - name: grpc port: 18000 @@ -86,6 +97,18 @@ certgen: tolerations: [] nodeSelector: {} ttlSecondsAfterFinished: 30 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault rbac: annotations: {} labels: {} diff --git a/examples/envoy-als/Dockerfile b/examples/envoy-als/Dockerfile new file mode 100644 index 00000000000..0ad9437f993 --- /dev/null +++ b/examples/envoy-als/Dockerfile 
@@ -0,0 +1,23 @@ +FROM golang:1.23.1 AS builder + +ARG GO_LDFLAGS="" + +WORKDIR /workspace +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + go mod download + +COPY . ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + go build -o /bin/envoy-als -ldflags "${GO_LDFLAGS}" . + +# Make our production image +FROM gcr.io/distroless/static-debian11:nonroot +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /bin/envoy-als / + +USER nonroot:nonroot +ENTRYPOINT ["/envoy-als"] diff --git a/examples/envoy-als/Makefile b/examples/envoy-als/Makefile new file mode 100644 index 00000000000..a8ca6cec25d --- /dev/null +++ b/examples/envoy-als/Makefile @@ -0,0 +1,8 @@ + +IMAGE_PREFIX ?= envoyproxy/gateway- +APP_NAME ?= envoy-als +TAG ?= latest + +.PHONY: docker-buildx +docker-buildx: + docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load diff --git a/examples/envoy-als/go.mod b/examples/envoy-als/go.mod new file mode 100644 index 00000000000..610090483ad --- /dev/null +++ b/examples/envoy-als/go.mod 
@@ -0,0 +1,27 @@ +module github.com/envoyproxy/gateway-envoy-als + +go 1.23.1 + +require ( + github.com/envoyproxy/go-control-plane v0.13.1 + github.com/prometheus/client_golang v1.20.5 + google.golang.org/grpc v1.67.1 +) + +require ( + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect + github.com/klauspost/compress v1.17.9 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/text v0.17.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect + google.golang.org/protobuf v1.34.2 // indirect +) diff --git a/examples/envoy-als/go.sum b/examples/envoy-als/go.sum new file mode 100644 index 00000000000..1e30c20ec65 --- /dev/null +++ b/examples/envoy-als/go.sum 
@@ -0,0 +1,40 @@ +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= 
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= diff --git a/examples/envoy-als/main.go b/examples/envoy-als/main.go new file mode 100644 index 00000000000..9cecabe763a --- /dev/null +++ b/examples/envoy-als/main.go 
@@ -0,0 +1,115 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package main + +import ( + "log" + "net" + "net/http" + + alsv2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2" + alsv3 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3" + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promhttp" + + "google.golang.org/grpc" +) + +var ( + LogCount = prometheus.NewCounterVec(prometheus.CounterOpts{ + Name: "log_count", + Help: "The total number of logs received.", + }, []string{"api_version"}) +) + +func init() { + // Register the summary and the histogram with Prometheus's default registry. + prometheus.MustRegister(LogCount) +} + +type ALSServer struct { +} + +func (a *ALSServer) StreamAccessLogs(logStream alsv2.AccessLogService_StreamAccessLogsServer) error { + log.Println("Streaming als v2 logs") + for { + data, err := logStream.Recv() + if err != nil { + return err + } + + httpLogs := data.GetHttpLogs() + if httpLogs != nil { + LogCount.WithLabelValues("v2").Add(float64(len(httpLogs.LogEntry))) + } + + log.Printf("Received v2 log data: %s\n", data.String()) + } +} + +type ALSServerV3 struct { +} + +func (a *ALSServerV3) StreamAccessLogs(logStream alsv3.AccessLogService_StreamAccessLogsServer) error { + log.Println("Streaming als v3 logs") + for { + data, err := logStream.Recv() + if err != nil { + return err + } + + httpLogs := data.GetHttpLogs() + if httpLogs != nil { + LogCount.WithLabelValues("v3").Add(float64(len(httpLogs.LogEntry))) + } + + log.Printf("Received v3 log data: %s\n", data.String()) + } +} + +func NewALSServer() *ALSServer { + return &ALSServer{} +} + +func NewALSServerV3() *ALSServerV3 { + return &ALSServerV3{} +} + +func main() { + mux := http.NewServeMux() + if err := addMonitor(mux); err != nil { + log.Printf("could not 
establish self-monitoring: %v\n", err) + } + + s := &http.Server{ + Addr: ":19001", + Handler: mux, + } + + go func() { + s.ListenAndServe() + }() + + listener, err := net.Listen("tcp", "0.0.0.0:8080") + if err != nil { + log.Fatalf("Failed to start listener on port 8080: %v", err) + } + + var opts []grpc.ServerOption + grpcServer := grpc.NewServer(opts...) + alsv2.RegisterAccessLogServiceServer(grpcServer, NewALSServer()) + alsv3.RegisterAccessLogServiceServer(grpcServer, NewALSServerV3()) + log.Println("Starting ALS Server") + if err := grpcServer.Serve(listener); err != nil { + log.Fatalf("grpc serve err: %v", err) + } +} + +func addMonitor(mux *http.ServeMux) error { + mux.Handle("/metrics", promhttp.HandlerFor(prometheus.DefaultGatherer, promhttp.HandlerOpts{EnableOpenMetrics: true})) + + return nil +} diff --git a/examples/extension-server/cmd/extension-server/main.go b/examples/extension-server/cmd/extension-server/main.go index 4a6b0474621..41a9018adc0 100644 --- a/examples/extension-server/cmd/extension-server/main.go +++ b/examples/extension-server/cmd/extension-server/main.go @@ -6,7 +6,6 @@ package main import ( - "fmt" "log/slog" "net" "os" @@ -82,7 +81,7 @@ func startExtensionServer(cCtx *cli.Context) error { logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{ Level: level, })) - address := fmt.Sprintf("%s:%d", cCtx.String("host"), cCtx.Int("port")) + address := net.JoinHostPort(cCtx.String("host"), cCtx.String("port")) logger.Info("Starting the extension server", slog.String("host", address)) lis, err := net.Listen("tcp", address) if err != nil { diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 25eb15516ef..7b09ae7320b 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod 
@@ -8,8 +8,8 @@ require ( github.com/urfave/cli/v2 v2.27.5 google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.35.1 - k8s.io/apimachinery v0.31.1 - sigs.k8s.io/controller-runtime v0.19.0 + k8s.io/apimachinery v0.31.2 + sigs.k8s.io/controller-runtime v0.19.1 sigs.k8s.io/gateway-api v1.2.0 ) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 29bfba9e9f4..42db960b446 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -123,16 +123,16 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= -k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= -k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= -k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= +k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= +k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= +k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= -sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk= +sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= 
diff --git a/examples/grpc-ext-auth/Dockerfile b/examples/grpc-ext-auth/Dockerfile new file mode 100644 index 00000000000..4f6ea6ff545 --- /dev/null +++ b/examples/grpc-ext-auth/Dockerfile @@ -0,0 +1,23 @@ +FROM golang:1.23.1 AS builder + +ARG GO_LDFLAGS="" + +WORKDIR /workspace +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + go mod download + +COPY . ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + go build -o /bin/grpc-ext-auth -ldflags "${GO_LDFLAGS}" . + +# Make our production image +FROM gcr.io/distroless/static-debian11:nonroot +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /bin/grpc-ext-auth / + +USER nonroot:nonroot +ENTRYPOINT ["/grpc-ext-auth"] diff --git a/examples/grpc-ext-auth/Makefile b/examples/grpc-ext-auth/Makefile new file mode 100644 index 00000000000..bdcb69d99eb --- /dev/null +++ b/examples/grpc-ext-auth/Makefile @@ -0,0 +1,8 @@ + +IMAGE_PREFIX ?= envoyproxy/gateway- +APP_NAME ?= grpc-ext-auth +TAG ?= latest + +.PHONY: docker-buildx +docker-buildx: + docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load diff --git a/examples/grpc-ext-auth/go.mod b/examples/grpc-ext-auth/go.mod new file mode 100644 index 00000000000..8e3fcb7e061 --- /dev/null +++ b/examples/grpc-ext-auth/go.mod 
@@ -0,0 +1,20 @@ +module github.com/envoyproxy/gateway-grcp-ext-auth + +go 1.23.1 + +require ( + github.com/envoyproxy/go-control-plane v0.13.1 + github.com/golang/protobuf v1.5.4 + google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 + google.golang.org/grpc v1.67.1 +) + +require ( + github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect + github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/text v0.17.0 // indirect + google.golang.org/protobuf v1.35.1 // indirect +) diff --git a/examples/grpc-ext-auth/go.sum b/examples/grpc-ext-auth/go.sum new file mode 100644 index 00000000000..03b2f7f5cee --- /dev/null +++ b/examples/grpc-ext-auth/go.sum 
@@ -0,0 +1,24 @@ +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/grpc v1.67.1 
h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= diff --git a/examples/grpc-ext-auth/main.go b/examples/grpc-ext-auth/main.go new file mode 100644 index 00000000000..f63b0ec1e85 --- /dev/null +++ b/examples/grpc-ext-auth/main.go 
@@ -0,0 +1,225 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package main + +import ( + "context" + "crypto/tls" + "crypto/x509" + "flag" + "fmt" + "log" + "net" + "net/http" + "os" + "strings" + + envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + "github.com/golang/protobuf/ptypes/wrappers" + "google.golang.org/genproto/googleapis/rpc/code" + "google.golang.org/genproto/googleapis/rpc/status" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" +) + +var ( + port int + certPath string +) + +func main() { + flag.IntVar(&port, "port", 9002, "gRPC port") + flag.StringVar(&certPath, "certPath", "", "path to server certificate and private key") + flag.Parse() + + lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) + if err != nil { + log.Fatalf("failed to listen to %d: %v", port, err) + } + + users := TestUsers() + + // Load TLS credentials + creds, err := loadTLSCredentials(certPath) + if err != nil { + log.Fatalf("Failed to load TLS credentials: %v", err) + } + gs := grpc.NewServer(grpc.Creds(creds)) + + envoy_service_auth_v3.RegisterAuthorizationServer(gs, NewAuthServer(users)) + + log.Printf("starting gRPC server on: %d\n", port) + + go func() { + err = gs.Serve(lis) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } + }() + + http.HandleFunc("/healthz", healthCheckHandler) + err = http.ListenAndServe(":8080", nil) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } +} + +type authServer struct { + users Users +} + +var _ envoy_service_auth_v3.AuthorizationServer = &authServer{} + +// NewAuthServer creates a new authorization server. 
+func NewAuthServer(users Users) envoy_service_auth_v3.AuthorizationServer { + return &authServer{users} +} + +// Check implements authorization's Check interface which performs authorization check based on the +// attributes associated with the incoming request. +func (s *authServer) Check( + _ context.Context, + req *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) { + authorization := req.Attributes.Request.Http.Headers["authorization"] + log.Println(authorization) + + extracted := strings.Fields(authorization) + if len(extracted) == 2 && extracted[0] == "Bearer" { + valid, user := s.users.Check(extracted[1]) + if valid { + return &envoy_service_auth_v3.CheckResponse{ + HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{ + OkResponse: &envoy_service_auth_v3.OkHttpResponse{ + Headers: []*envoy_api_v3_core.HeaderValueOption{ + { + Append: &wrappers.BoolValue{Value: false}, + Header: &envoy_api_v3_core.HeaderValue{ + // For a successful request, the authorization server sets the + // x-current-user value. + Key: "x-current-user", + Value: user, + }, + }, + }, + }, + }, + Status: &status.Status{ + Code: int32(code.Code_OK), + }, + }, nil + } + } + + return &envoy_service_auth_v3.CheckResponse{ + Status: &status.Status{ + Code: int32(code.Code_PERMISSION_DENIED), + }, + }, nil +} + +// Users holds a list of users. +type Users map[string]string + +// Check checks if a key could retrieve a user from a list of users. 
+func (u Users) Check(key string) (bool, string) { + value, ok := u[key] + if !ok { + return false, "" + } + return ok, value +} + +func TestUsers() Users { + return map[string]string{ + "token1": "user1", + "token2": "user2", + "token3": "user3", + } +} + +func healthCheckHandler(w http.ResponseWriter, r *http.Request) { + certPool, err := loadCA(certPath) + if err != nil { + log.Fatalf("Could not load CA certificate: %v", err) + } + + // Create TLS configuration + tlsConfig := &tls.Config{ + RootCAs: certPool, + } + + // Create gRPC dial options + opts := []grpc.DialOption{ + grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), + } + + conn, err := grpc.Dial("localhost:9002", opts...) + if err != nil { + log.Fatalf("Could not connect: %v", err) + } + client := envoy_service_auth_v3.NewAuthorizationClient(conn) + + response, err := client.Check(context.Background(), &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ + Headers: map[string]string{ + "authorization": "Bearer token1", + }, + }, + }, + }, + }) + if err != nil { + log.Fatalf("Could not check: %v", err) + } + if response != nil && response.Status.Code == int32(code.Code_OK) { + w.WriteHeader(http.StatusOK) + } else { + w.WriteHeader(http.StatusServiceUnavailable) + } +} + +func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) { + // Load server's certificate and private key + crt := "server.crt" + key := "server.key" + + if certPath != "" { + if !strings.HasSuffix(certPath, "/") { + certPath = fmt.Sprintf("%s/", certPath) + } + crt = fmt.Sprintf("%s%s", certPath, crt) + key = fmt.Sprintf("%s%s", certPath, key) + } + certificate, err := tls.LoadX509KeyPair(crt, key) + if err != nil { + return nil, fmt.Errorf("could not load server key pair: %s", err) + } + + // Create a new credentials object + creds := 
credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}}) + + return creds, nil +} + +func loadCA(caPath string) (*x509.CertPool, error) { + ca := x509.NewCertPool() + caCertPath := "server.crt" + if caPath != "" { + if !strings.HasSuffix(caPath, "/") { + caPath = fmt.Sprintf("%s/", caPath) + } + caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath) + } + caCert, err := os.ReadFile(caCertPath) + if err != nil { + return nil, fmt.Errorf("could not read ca certificate: %s", err) + } + ca.AppendCertsFromPEM(caCert) + return ca, nil +} diff --git a/examples/grpc-ext-proc/Dockerfile b/examples/grpc-ext-proc/Dockerfile new file mode 100644 index 00000000000..a07ab13f48b --- /dev/null +++ b/examples/grpc-ext-proc/Dockerfile @@ -0,0 +1,22 @@ +FROM golang:1.23.1 AS builder + +ARG GO_LDFLAGS="" + +WORKDIR /workspace +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + go mod download + +COPY . ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + go build -o /bin/grpc-ext-proc -ldflags "${GO_LDFLAGS}" . + +# Need root user for UDS +FROM gcr.io/distroless/static-debian11 +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /bin/grpc-ext-proc / + +ENTRYPOINT ["/grpc-ext-proc"] diff --git a/examples/grpc-ext-proc/Makefile b/examples/grpc-ext-proc/Makefile new file mode 100644 index 00000000000..85de130d8fd --- /dev/null +++ b/examples/grpc-ext-proc/Makefile @@ -0,0 +1,8 @@ + +IMAGE_PREFIX ?= envoyproxy/gateway- +APP_NAME ?= grpc-ext-proc +TAG ?= latest + +.PHONY: docker-buildx +docker-buildx: + docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load diff --git a/examples/grpc-ext-proc/go.mod b/examples/grpc-ext-proc/go.mod new file mode 100644 index 00000000000..bb18254c721 --- /dev/null 
+++ b/examples/grpc-ext-proc/go.mod @@ -0,0 +1,19 @@ +module github.com/envoyproxy/gateway-grpc-ext-proc + +go 1.23.1 + +require ( + github.com/envoyproxy/go-control-plane v0.13.1 + google.golang.org/grpc v1.67.1 +) + +require ( + github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect + github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/text v0.17.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect + google.golang.org/protobuf v1.34.2 // indirect +) diff --git a/examples/grpc-ext-proc/go.sum b/examples/grpc-ext-proc/go.sum new file mode 100644 index 00000000000..d3004724f02 --- /dev/null +++ b/examples/grpc-ext-proc/go.sum 
@@ -0,0 +1,22 @@ +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.34.2 
h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= diff --git a/examples/grpc-ext-proc/main.go b/examples/grpc-ext-proc/main.go new file mode 100644 index 00000000000..785480f1d20 --- /dev/null +++ b/examples/grpc-ext-proc/main.go 
@@ -0,0 +1,289 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package main + +import ( + "context" + "crypto/tls" + "crypto/x509" + "flag" + "fmt" + "io" + "log" + "net" + "net/http" + "os" + "strings" + + "google.golang.org/grpc/credentials" + + envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoy_service_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3" + + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +type extProcServer struct{} + +var ( + port int + certPath string +) + +func main() { + flag.IntVar(&port, "port", 9002, "gRPC port") + flag.StringVar(&certPath, "certPath", "", "path to extProcServer certificate and private key") + flag.Parse() + + lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) + if err != nil { + log.Fatalf("failed to listen: %v", err) + } + + creds, err := loadTLSCredentials(certPath) + if err != nil { + log.Fatalf("Failed to load TLS credentials: %v", err) + } + gs := grpc.NewServer(grpc.Creds(creds)) + envoy_service_proc_v3.RegisterExternalProcessorServer(gs, &extProcServer{}) + + go func() { + err = gs.Serve(lis) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } + }() + + // Create Unix listener + gus := grpc.NewServer(grpc.Creds(creds)) + envoy_service_proc_v3.RegisterExternalProcessorServer(gus, &extProcServer{}) + + udsAddr := "/var/run/ext-proc/extproc.sock" + if _, err := os.Stat(udsAddr); err == nil { + if err := os.RemoveAll(udsAddr); err != nil { + log.Fatalf("failed to remove: %v", err) + } + } + + ul, err := net.Listen("unix", udsAddr) + if err != nil { + log.Fatalf("failed to listen: %v", err) + } + + err = os.Chmod(udsAddr, 0700) + if err != nil { + log.Fatalf("failed to set permissions: %v", err) + } + + // envoy distroless uid + err = os.Chown(udsAddr, 65532, 0) 
+ if err != nil { + log.Fatalf("failed to set permissions: %v", err) + } + + go func() { + err = gus.Serve(ul) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } + }() + + http.HandleFunc("/healthz", healthCheckHandler) + err = http.ListenAndServe(":8080", nil) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } +} + +// used by k8s readiness probes +// makes a processing request to check if the processor service is healthy +func healthCheckHandler(w http.ResponseWriter, r *http.Request) { + certPool, err := loadCA(certPath) + if err != nil { + log.Fatalf("Could not load CA certificate: %v", err) + } + + // Create TLS configuration + tlsConfig := &tls.Config{ + RootCAs: certPool, + ServerName: "grpc-ext-proc.envoygateway", + } + + // Create gRPC dial options + opts := []grpc.DialOption{ + grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), + } + + conn, err := grpc.Dial("localhost:9002", opts...) + if err != nil { + log.Fatalf("Could not connect: %v", err) + } + client := envoy_service_proc_v3.NewExternalProcessorClient(conn) + + processor, err := client.Process(context.Background()) + if err != nil { + log.Fatalf("Could not check: %v", err) + } + + err = processor.Send(&envoy_service_proc_v3.ProcessingRequest{ + Request: &envoy_service_proc_v3.ProcessingRequest_RequestHeaders{ + RequestHeaders: &envoy_service_proc_v3.HttpHeaders{}, + }, + }) + if err != nil { + log.Fatalf("Could not check: %v", err) + } + + response, err := processor.Recv() + if err != nil { + log.Fatalf("Could not check: %v", err) + } + + if response != nil && response.GetRequestHeaders().Response.Status == envoy_service_proc_v3.CommonResponse_CONTINUE { + w.WriteHeader(http.StatusOK) + } else { + w.WriteHeader(http.StatusServiceUnavailable) + } +} + +func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) { + // Load extProcServer's certificate and private key + crt := "server.crt" + key := "server.key" + + if certPath != "" { + if 
!strings.HasSuffix(certPath, "/") { + certPath = fmt.Sprintf("%s/", certPath) + } + crt = fmt.Sprintf("%s%s", certPath, crt) + key = fmt.Sprintf("%s%s", certPath, key) + } + certificate, err := tls.LoadX509KeyPair(crt, key) + if err != nil { + return nil, fmt.Errorf("could not load extProcServer key pair: %s", err) + } + + // Create a new credentials object + creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}}) + + return creds, nil +} + +func loadCA(caPath string) (*x509.CertPool, error) { + ca := x509.NewCertPool() + caCertPath := "server.crt" + if caPath != "" { + if !strings.HasSuffix(caPath, "/") { + caPath = fmt.Sprintf("%s/", caPath) + } + caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath) + } + caCert, err := os.ReadFile(caCertPath) + if err != nil { + return nil, fmt.Errorf("could not read ca certificate: %s", err) + } + ca.AppendCertsFromPEM(caCert) + return ca, nil +} + +func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_ProcessServer) error { + ctx := srv.Context() + for { + select { + case <-ctx.Done(): + return ctx.Err() + default: + } + req, err := srv.Recv() + if err == io.EOF { + return nil + } + if err != nil { + return status.Errorf(codes.Unknown, "cannot receive stream request: %v", err) + } + + resp := &envoy_service_proc_v3.ProcessingResponse{} + switch v := req.Request.(type) { + case *envoy_service_proc_v3.ProcessingRequest_RequestHeaders: + xrch := "" + if v.RequestHeaders != nil { + hdrs := v.RequestHeaders.Headers.GetHeaders() + for _, hdr := range hdrs { + if hdr.Key == "x-request-client-header" { + xrch = string(hdr.RawValue) + } + } + } + + rhq := &envoy_service_proc_v3.HeadersResponse{ + Response: &envoy_service_proc_v3.CommonResponse{ + HeaderMutation: &envoy_service_proc_v3.HeaderMutation{ + SetHeaders: []*envoy_api_v3_core.HeaderValueOption{ + { + Header: &envoy_api_v3_core.HeaderValue{ + Key: "x-request-ext-processed", + RawValue: []byte("true"), + }, + }, + }, + }, + }, 
+ } + + if xrch != "" { + rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders, + &envoy_api_v3_core.HeaderValueOption{ + Header: &envoy_api_v3_core.HeaderValue{ + Key: "x-request-client-header", + RawValue: []byte("mutated"), + }, + }) + rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders, + &envoy_api_v3_core.HeaderValueOption{ + Header: &envoy_api_v3_core.HeaderValue{ + Key: "x-request-client-header-received", + RawValue: []byte(xrch), + }, + }) + } + + resp = &envoy_service_proc_v3.ProcessingResponse{ + Response: &envoy_service_proc_v3.ProcessingResponse_RequestHeaders{ + RequestHeaders: rhq, + }, + } + break + case *envoy_service_proc_v3.ProcessingRequest_ResponseHeaders: + rhq := &envoy_service_proc_v3.HeadersResponse{ + Response: &envoy_service_proc_v3.CommonResponse{ + HeaderMutation: &envoy_service_proc_v3.HeaderMutation{ + SetHeaders: []*envoy_api_v3_core.HeaderValueOption{ + { + Header: &envoy_api_v3_core.HeaderValue{ + Key: "x-response-ext-processed", + RawValue: []byte("true"), + }, + }, + }, + }, + }, + } + resp = &envoy_service_proc_v3.ProcessingResponse{ + Response: &envoy_service_proc_v3.ProcessingResponse_ResponseHeaders{ + ResponseHeaders: rhq, + }, + } + break + default: + log.Printf("Unknown Request type %v\n", v) + } + if err := srv.Send(resp); err != nil { + log.Printf("send error %v", err) + } + } +} diff --git a/examples/http-ext-auth/Dockerfile b/examples/http-ext-auth/Dockerfile new file mode 100644 index 00000000000..f3e3ef5d614 --- /dev/null +++ b/examples/http-ext-auth/Dockerfile @@ -0,0 +1,6 @@ +FROM node:19-bullseye + +COPY ./http-ext-auth.js . + +ENTRYPOINT ["node", "./http-ext-auth.js"] + diff --git a/examples/http-ext-auth/Makefile b/examples/http-ext-auth/Makefile new file mode 100644 index 00000000000..a0fe0063528 --- /dev/null +++ b/examples/http-ext-auth/Makefile 
@@ -0,0 +1,8 @@ + +IMAGE_PREFIX ?= envoyproxy/gateway- +APP_NAME ?= http-ext-auth +TAG ?= latest + +.PHONY: docker-buildx +docker-buildx: + docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load diff --git a/examples/http-ext-auth/http-ext-auth.js b/examples/http-ext-auth/http-ext-auth.js new file mode 100644 index 00000000000..17ece921822 --- /dev/null +++ b/examples/http-ext-auth/http-ext-auth.js @@ -0,0 +1,38 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +const Http = require("http"); +const path = require("path"); + +const tokens = { + "token1": "user1", + "token2": "user2", + "token3": "user3" +}; + +const server = new Http.Server((req, res) => { + const authorization = req.headers["authorization"] || ""; + const extracted = authorization.split(" "); + if (extracted.length === 2 && extracted[0] === "Bearer") { + const user = checkToken(extracted[1]); + console.log(`token: "${extracted[1]}" user: "${user}`); + if (user !== undefined) { + // The authorization server returns a response with "x-current-user" header for a successful + // request. + res.writeHead(200, { "x-current-user": user }); + return res.end(); + } + } + res.writeHead(403); + res.end(); +}); + +const port = process.env.PORT || 9002; +server.listen(port); +console.log(`starting HTTP server on: ${port}`); + +function checkToken(token) { + return tokens[token]; +} \ No newline at end of file diff --git a/examples/preserve-case-backend/Dockerfile b/examples/preserve-case-backend/Dockerfile new file mode 100644 index 00000000000..4616d465cb6 --- /dev/null +++ b/examples/preserve-case-backend/Dockerfile 
@@ -0,0 +1,22 @@ +FROM golang:1.23.1 AS builder + +ARG GO_LDFLAGS="" + +WORKDIR /workspace +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + go mod download + +COPY . ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + go build -o /bin/preserve-case-backend -ldflags "${GO_LDFLAGS}" . + +# Need root user for UDS +FROM gcr.io/distroless/static-debian11 +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /bin/preserve-case-backend / + +ENTRYPOINT ["/preserve-case-backend"] diff --git a/examples/preserve-case-backend/Makefile b/examples/preserve-case-backend/Makefile new file mode 100644 index 00000000000..159725237f4 --- /dev/null +++ b/examples/preserve-case-backend/Makefile @@ -0,0 +1,8 @@ + +IMAGE_PREFIX ?= envoyproxy/gateway- +APP_NAME ?= preserve-case-backend +TAG ?= latest + +.PHONY: docker-buildx +docker-buildx: + docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load diff --git a/examples/preserve-case-backend/go.mod b/examples/preserve-case-backend/go.mod new file mode 100644 index 00000000000..7a9712aa341 --- /dev/null +++ b/examples/preserve-case-backend/go.mod @@ -0,0 +1,11 @@ +module github.com/envoyproxy/gateway-preserve-case-backend + +go 1.23.1 + +require github.com/valyala/fasthttp v1.51.0 + +require ( + github.com/andybalholm/brotli v1.0.5 // indirect + github.com/klauspost/compress v1.17.0 // indirect + github.com/valyala/bytebufferpool v1.0.0 // indirect +) diff --git a/examples/preserve-case-backend/go.sum b/examples/preserve-case-backend/go.sum new file mode 100644 index 00000000000..cfe8f6c10e5 --- /dev/null +++ b/examples/preserve-case-backend/go.sum 
@@ -0,0 +1,8 @@ +github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs= +github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= +github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= +github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA= +github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g= diff --git a/examples/preserve-case-backend/main.go b/examples/preserve-case-backend/main.go new file mode 100644 index 00000000000..1922d3c9b95 --- /dev/null +++ b/examples/preserve-case-backend/main.go 
@@ -0,0 +1,42 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package main + +import ( + "encoding/json" + "fmt" + "log" + "net" + + "github.com/valyala/fasthttp" +) + +func HandleFastHTTP(ctx *fasthttp.RequestCtx) { + ctx.QueryArgs().VisitAll(func(key, value []byte) { + if string(key) == "headers" { + ctx.Response.Header.Add(string(value), "PrEsEnT") + } + }) + headers := map[string][]string{} + ctx.Request.Header.VisitAll(func(key, value []byte) { + headers[string(key)] = append(headers[string(key)], string(value)) + }) + if d, err := json.MarshalIndent(headers, "", " "); err != nil { + ctx.Error(fmt.Sprintf("%s", err), fasthttp.StatusBadRequest) + } else { + fmt.Fprintf(ctx, string(d)+"\n") + } +} + +func main() { + s := fasthttp.Server{ + Handler: HandleFastHTTP, + DisableHeaderNamesNormalizing: true, + } + log.Printf("Starting on port 8000") + l, _ := net.Listen("tcp", ":8000") + log.Fatal(s.Serve(l)) +} diff --git a/go.mod b/go.mod index 1ec72d0a6bd..68fd42b5a31 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/envoyproxy/go-control-plane v0.13.1 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 github.com/evanphx/json-patch/v5 v5.9.0 - github.com/fatih/color v1.17.0 + github.com/fatih/color v1.18.0 github.com/go-logfmt/logfmt v0.6.0 github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 
@@ -26,14 +26,14 @@ require ( github.com/google/go-containerregistry v0.20.2 github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 - github.com/ohler55/ojg v1.24.1 + github.com/ohler55/ojg v1.25.0 github.com/prometheus/client_golang v1.20.5 - github.com/prometheus/common v0.60.0 + github.com/prometheus/common v0.60.1 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 - github.com/tsaarni/certyaml v0.9.3 + github.com/tsaarni/certyaml v0.10.0 go.opentelemetry.io/otel v1.31.0 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 @@ -48,14 +48,14 @@ require ( google.golang.org/protobuf v1.35.1 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.2 - k8s.io/api v0.31.1 - k8s.io/apiextensions-apiserver v0.31.1 - k8s.io/apimachinery v0.31.1 - k8s.io/cli-runtime v0.31.1 - k8s.io/client-go v0.31.1 - k8s.io/kubectl v0.31.1 + k8s.io/api v0.31.2 + k8s.io/apiextensions-apiserver v0.31.2 + k8s.io/apimachinery v0.31.2 + k8s.io/cli-runtime v0.31.2 + k8s.io/client-go v0.31.2 + k8s.io/kubectl v0.31.2 k8s.io/utils v0.0.0-20240821151609-f90d01438635 - sigs.k8s.io/controller-runtime v0.19.0 + sigs.k8s.io/controller-runtime v0.19.1 sigs.k8s.io/gateway-api v1.2.0 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 @@ -63,7 +63,7 @@ require ( require ( github.com/docker/docker v27.3.1+incompatible - github.com/replicatedhq/troubleshoot v0.107.1 + github.com/replicatedhq/troubleshoot v0.107.5 github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 google.golang.org/grpc v1.67.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 
@@ -212,8 +212,8 @@ require ( golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect - k8s.io/apiserver v0.31.1 // indirect - k8s.io/metrics v0.31.1 // indirect + k8s.io/apiserver v0.31.2 // indirect + k8s.io/metrics v0.31.2 // indirect oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect @@ -231,7 +231,7 @@ require ( github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/evanphx/json-patch v5.9.0+incompatible github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect - github.com/fsnotify/fsnotify v1.7.0 + github.com/fsnotify/fsnotify v1.8.0 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -289,7 +289,7 @@ require ( google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/component-base v0.31.1 // indirect + k8s.io/component-base v0.31.2 // indirect k8s.io/klog/v2 v2.130.1 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/go.sum b/go.sum index dbaf681efbb..00d7b32bb36 100644 --- a/go.sum +++ b/go.sum 
@@ -240,8 +240,8 @@ github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= -github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= +github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= +github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= 
@@ -250,8 +250,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= -github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M= +github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= 
@@ -629,8 +629,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= -github.com/ohler55/ojg v1.24.1 h1:PaVLelrNgT5/0ppPaUtey54tOVp245z33fkhL2jljjY= -github.com/ohler55/ojg v1.24.1/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= +github.com/ohler55/ojg v1.25.0 h1:sDwc4u4zex65Uz5Nm7O1QwDKTT+YRcpeZQTy1pffRkw= +github.com/ohler55/ojg v1.25.0/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
@@ -701,8 +701,8 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= -github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= +github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPAaSc= +github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -717,8 +717,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.107.1 h1:Hx9VbVv1r3M5fiH2fPTeoZ8LNIxh5R/e6vpe2jBgPfc= -github.com/replicatedhq/troubleshoot v0.107.1/go.mod h1:6mZzcO/EWVBNXVnFdSHfPaoTnjcQdV3sq61NkBF60YE= +github.com/replicatedhq/troubleshoot v0.107.5 h1:XrJEK8vN3HHEKmFnAe8rSmY+hPw8Fh5dsTMhhEBKQCM= +github.com/replicatedhq/troubleshoot v0.107.5/go.mod h1:QTV4q6TXiCO825IS1GcLzgJu2KHWekXiKdcHCqBJTck= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 
@@ -828,8 +828,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= -github.com/tsaarni/certyaml v0.9.3 h1:m8HHbuUzWVUOmv8IQU9HgVZZ8r5ICExKm++54DJKCs0= -github.com/tsaarni/certyaml v0.9.3/go.mod h1:hhuU1qYr5re488geArUP4gZWqMUMqGlj4HA2qUyGYLk= +github.com/tsaarni/certyaml v0.10.0 h1:8ZWHO4Zg4VHUf7YblZNju44PcG5M+YtlJawiArYUHRs= +github.com/tsaarni/certyaml v0.10.0/go.mod h1:rI1wDTE/VQIglHOyGbjfvqb+5mWTVT5uLFVDDcT1sq8= github.com/tsaarni/x500dn v1.0.0 h1:LvaWTkqRpse4VHBhB5uwf3wytokK4vF9IOyNAEyiA+U= github.com/tsaarni/x500dn v1.0.0/go.mod h1:QaHa3EcUKC4dfCAZmj8+ZRGLKukWgpGv9H3oOCsAbcE= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= 
@@ -1159,32 +1159,32 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= -k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= -k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= +k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= k8s.io/apiextensions-apiserver v0.18.2/go.mod h1:q3faSnRGmYimiocj6cHQ1I3WpLqmDgJFlKL37fC4ZvY= k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= -k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= -k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= +k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0= +k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM= k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= -k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= +k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw= k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= -k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= -k8s.io/apiserver v0.31.1/go.mod 
h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= -k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= -k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4= +k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE= +k8s.io/cli-runtime v0.31.2 h1:7FQt4C4Xnqx8V1GJqymInK0FFsoC+fAZtbLqgXYVOLQ= +k8s.io/cli-runtime v0.31.2/go.mod h1:XROyicf+G7rQ6FQJMbeDV9jqxzkWXTYD6Uxd15noe0Q= k8s.io/client-go v0.18.2/go.mod h1:Xcm5wVGXX9HAA2JJ2sSBUn3tCJ+4SVlCbl2MNNv+CIU= k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g= -k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= -k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc= +k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs= k8s.io/code-generator v0.18.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM= k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= -k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= -k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= +k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA= +k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= 
@@ -1193,16 +1193,16 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.31.1 h1:cGLyV3cIwb0ovpP/jtyIe2mEuQ/MkbhmeBF2IYCA9Io= -k8s.io/kms v0.31.1/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= +k8s.io/kms v0.31.2 h1:pyx7l2qVOkClzFMIWMVF/FxsSkgd+OIGH7DecpbscJI= +k8s.io/kms v0.31.2/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= -k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= -k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= -k8s.io/metrics v0.31.1 h1:h4I4dakgh/zKflWYAOQhwf0EXaqy8LxAIyE/GBvxqRc= -k8s.io/metrics v0.31.1/go.mod h1:JuH1S9tJiH9q1VCY0yzSCawi7kzNLsDzlWDJN4xR+iA= +k8s.io/kubectl v0.31.2 h1:gTxbvRkMBwvTSAlobiTVqsH6S8Aa1aGyBcu5xYLsn8M= +k8s.io/kubectl v0.31.2/go.mod h1:EyASYVU6PY+032RrTh5ahtSOMgoDRIux9V1JLKtG5xM= +k8s.io/metrics v0.31.2 h1:sQhujR9m3HN/Nu/0fTfTscjnswQl0qkQAodEdGBS0N4= +k8s.io/metrics v0.31.2/go.mod h1:QqqyReApEWO1UEgXOSXiHCQod6yTxYctbAAQBWZkboU= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= 
@@ -1215,8 +1215,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= -sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= -sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk= +sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= diff --git a/internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml b/internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml new file mode 100644 index 00000000000..d2aa0f78f07 --- /dev/null +++ b/internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml 
@@ -0,0 +1,46 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg +spec: + gatewayClassName: eg + listeners: + - name: http + protocol: HTTP + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend +spec: + parentRefs: + - name: eg + hostnames: + - "www.example.com" + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend +spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 3000 diff --git a/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml b/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml new file mode 100644 index 00000000000..d3f3ed2c771 --- /dev/null +++ b/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml 
@@ -0,0 +1,106 @@ +backends: +- kind: Backend + metadata: + creationTimestamp: null + name: backend + namespace: envoy-gateway-system + spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 3000 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +gatewayClass: + kind: GatewayClass + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + status: + conditions: + - lastTransitionTime: null + message: Valid GatewayClass + reason: Accepted + status: "True" + type: Accepted +gateways: +- kind: Gateway + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + gatewayClassName: eg + listeners: + - name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- kind: HTTPRoute + metadata: + creationTimestamp: null + name: backend + namespace: envoy-gateway-system + spec: + hostnames: + - www.example.com + parentRefs: + - name: eg + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend + matches: + - path: + type: PathPrefix + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: 
null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: eg diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index b965d6d9818..26e42496459 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -778,6 +778,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 outlierDetection: {} @@ -797,6 +798,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: grpcroute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 outlierDetection: {} @@ -823,6 +825,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tcproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 outlierDetection: {} @@ -842,6 +845,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tlsroute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 outlierDetection: {} @@ -861,6 +865,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: udproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml index f88b74ed0c4..cc99b73a833 100644 --- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml 
+++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml @@ -106,6 +106,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 81f8f2b8c3d..a89e4bcdae3 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -466,6 +466,7 @@ }, "serviceName": "httproute/default/backend/rule/0" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "httproute/default/backend/rule/0", "outlierDetection": {}, @@ -495,6 +496,7 @@ }, "serviceName": "grpcroute/default/backend/rule/0" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "grpcroute/default/backend/rule/0", "outlierDetection": {}, @@ -535,6 +537,7 @@ }, "serviceName": "tcproute/default/backend/rule/-1" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "tcproute/default/backend/rule/-1", "outlierDetection": {}, @@ -564,6 +567,7 @@ }, "serviceName": "tlsroute/default/backend/rule/-1" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "tlsroute/default/backend/rule/-1", "outlierDetection": {}, @@ -593,6 +597,7 @@ }, "serviceName": "udproute/default/backend/rule/-1" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "udproute/default/backend/rule/-1", "outlierDetection": {}, diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index d4ceef84de2..fbb1df4f5b0 100644 
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -257,6 +257,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 outlierDetection: {} @@ -276,6 +277,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: grpcroute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 outlierDetection: {} @@ -302,6 +304,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tcproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 outlierDetection: {} @@ -321,6 +324,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tlsroute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 outlierDetection: {} @@ -340,6 +344,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: udproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml index c9f782804a4..7545c4660d0 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml @@ -16,6 +16,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 outlierDetection: {} 
@@ -35,6 +36,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: grpcroute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 outlierDetection: {} @@ -61,6 +63,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tcproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 outlierDetection: {} @@ -80,6 +83,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tlsroute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 outlierDetection: {} @@ -99,6 +103,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: udproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 782775f605f..6ce6ee01347 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -358,6 +358,7 @@ }, "serviceName": "httproute/envoy-gateway-system/backend/rule/0" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "httproute/envoy-gateway-system/backend/rule/0", "outlierDetection": {}, diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 7579be57f5f..237f0f3a4ac 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml 
@@ -201,6 +201,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml index d0add370ce3..9d93c93a8a4 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml @@ -16,6 +16,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index e6e91b9ec45..517f3482f9f 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -201,6 +201,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/routes/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/routes/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/translate_test.go b/internal/cmd/egctl/translate_test.go index 9207c8bb75b..20cf76d0162 100644 --- a/internal/cmd/egctl/translate_test.go +++ b/internal/cmd/egctl/translate_test.go @@ -287,6 +287,12 @@ func TestTranslate(t *testing.T) { expect: true, extraArgs: []string{"--add-missing-resources"}, }, + { + name: "backend-endpoint", + from: "gateway-api", + to: "gateway-api", + expect: true, + }, } flag.Parse() 
diff --git a/internal/extension/registry/extension_manager.go b/internal/extension/registry/extension_manager.go index 918c9a7c018..cf4b86d3d08 100644 --- a/internal/extension/registry/extension_manager.go +++ b/internal/extension/registry/extension_manager.go @@ -11,6 +11,7 @@ import ( "errors" "fmt" "net" + "strconv" "google.golang.org/grpc" "google.golang.org/grpc/credentials" @@ -123,13 +124,13 @@ func getExtensionServerAddress(service *egv1a1.ExtensionService) string { var serverAddr string switch { case service.FQDN != nil: - serverAddr = fmt.Sprintf("%s:%d", service.FQDN.Hostname, service.FQDN.Port) + serverAddr = net.JoinHostPort(service.FQDN.Hostname, strconv.Itoa(int(service.FQDN.Port))) case service.IP != nil: - serverAddr = fmt.Sprintf("%s:%d", service.IP.Address, service.IP.Port) + serverAddr = net.JoinHostPort(service.IP.Address, strconv.Itoa(int(service.IP.Port))) case service.Unix != nil: serverAddr = fmt.Sprintf("unix://%s", service.Unix.Path) case service.Host != "": - serverAddr = fmt.Sprintf("%s:%d", service.Host, service.Port) + serverAddr = net.JoinHostPort(service.Host, strconv.Itoa(int(service.Port))) } return serverAddr } diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index a04f93c9c19..b76e215f99a 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -7,6 +7,7 @@ package gatewayapi import ( "fmt" + "reflect" "k8s.io/utils/ptr" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" 
@@ -145,13 +146,12 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2 target.Kind == currTarget.Kind && backendNamespace == policy.Namespace && target.Name == currTarget.Name { - if currTarget.SectionName != nil { - if target.SectionName != nil && *currTarget.SectionName == *target.SectionName { - return true - } - return false + // if section name is not set, then it targets the entire backend + if currTarget.SectionName == nil { + return true + } else if reflect.DeepEqual(currTarget.SectionName, target.SectionName) { + return true } - return true } } return false diff --git a/internal/gatewayapi/contexts.go b/internal/gatewayapi/contexts.go index fbd4c588f9b..7bcf321d3a2 100644 --- a/internal/gatewayapi/contexts.go +++ b/internal/gatewayapi/contexts.go 
@@ -238,21 +238,26 @@ func GetRouteStatus(route RouteContext) *gwapiv1.RouteStatus { return &rs } -// GetRouteParentContext returns RouteParentContext by using the Route -// objects' ParentReference. +// GetRouteParentContext returns RouteParentContext by using the Route objects' ParentReference. +// It creates a new RouteParentContext and add a new RouteParentStatus to the Route's Status if the ParentReference is not found. func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentReference) *RouteParentContext { rv := reflect.ValueOf(route).Elem() pr := rv.FieldByName("ParentRefs") + + // If the ParentRefs field is nil, initialize it. if pr.IsNil() { mm := reflect.MakeMap(reflect.TypeOf(map[gwapiv1.ParentReference]*RouteParentContext{})) pr.Set(mm) } + // If the RouteParentContext is already in the RouteContext, return it. if p := pr.MapIndex(reflect.ValueOf(forParentRef)); p.IsValid() && !p.IsZero() { ctx := p.Interface().(*RouteParentContext) return ctx } + // Verify that the ParentReference is present in the Route.Spec.ParentRefs. + // This is just a sanity check, the parentRef should always be present, otherwise it's a programming error. var parentRef *gwapiv1.ParentReference specParentRefs := rv.FieldByName("Spec").FieldByName("ParentRefs") for i := 0; i < specParentRefs.Len(); i++ { 
@@ -266,25 +271,19 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere panic("parentRef not found") } + // Find the parent in the Route's Status. routeParentStatusIdx := -1 - defaultNamespace := gwapiv1.Namespace(metav1.NamespaceDefault) statusParents := rv.FieldByName("Status").FieldByName("Parents") + for i := 0; i < statusParents.Len(); i++ { p := statusParents.Index(i).FieldByName("ParentRef").Interface().(gwapiv1.ParentReference) - // For those non-v1 routes, their underlying type of `ParentReference` is v1 as well. - // So we can skip upgrading these routes for simplicity. - if forParentRef.Namespace == nil { - forParentRef.Namespace = &defaultNamespace - } - if p.Namespace == nil { - p.Namespace = &defaultNamespace - } - if reflect.DeepEqual(p, forParentRef) { + if isParentRefEqual(p, *parentRef, route.GetNamespace()) { routeParentStatusIdx = i break } } + // If the parent is not found in the Route's Status, create a new RouteParentStatus and add it to the Route's Status. if routeParentStatusIdx == -1 { rParentStatus := gwapiv1a2.RouteParentStatus{ ControllerName: gwapiv1a2.GatewayController(rv.FieldByName("GatewayControllerName").String()), @@ -294,6 +293,7 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere routeParentStatusIdx = statusParents.Len() - 1 } + // Also add the RouteParentContext to the RouteContext. ctx := &RouteParentContext{ ParentReference: parentRef, routeParentStatusIdx: routeParentStatusIdx, 
@@ -304,6 +304,34 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere return ctx } +func isParentRefEqual(ref1, ref2 gwapiv1.ParentReference, routeNS string) bool { + defaultGroup := (*gwapiv1.Group)(&gwapiv1.GroupVersion.Group) + if ref1.Group == nil { + ref1.Group = defaultGroup + } + if ref2.Group == nil { + ref2.Group = defaultGroup + } + + defaultKind := gwapiv1.Kind(resource.KindGateway) + if ref1.Kind == nil { + ref1.Kind = &defaultKind + } + if ref2.Kind == nil { + ref2.Kind = &defaultKind + } + + // If the parent's namespace is not set, default to the namespace of the Route. + defaultNS := gwapiv1.Namespace(routeNS) + if ref1.Namespace == nil { + ref1.Namespace = &defaultNS + } + if ref2.Namespace == nil { + ref2.Namespace = &defaultNS + } + return reflect.DeepEqual(ref1, ref2) +} + // RouteParentContext wraps a ParentReference and provides helper methods for // setting conditions and other status information on the associated // HTTPRoute, TLSRoute etc. diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 4abc9a69046..9ba561f1b5d 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -561,6 +561,8 @@ func (t *Translator) buildWasm( switch config.Code.Type { case egv1a1.HTTPWasmCodeSourceType: + var checksum string + // This is a sanity check, the validation should have caught this if config.Code.HTTP == nil { return nil, fmt.Errorf("missing HTTP field in Wasm code source") @@ -572,7 +574,7 @@ func (t *Translator) buildWasm( http := config.Code.HTTP - if servingURL, _, err = t.WasmCache.Get(http.URL, wasm.GetOptions{ + if servingURL, checksum, err = t.WasmCache.Get(http.URL, wasm.GetOptions{ Checksum: originalChecksum, PullPolicy: pullPolicy, ResourceName: irConfigNameForWasm(policy, idx), 
@@ -584,7 +586,7 @@ func (t *Translator) buildWasm( code = &ir.HTTPWasmCode{ ServingURL: servingURL, OriginalURL: http.URL, - SHA256: originalChecksum, + SHA256: checksum, } case egv1a1.ImageWasmCodeSourceType: diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 1c1ecee7672..366a24b827e 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -86,6 +86,7 @@ var ( QueryParamMatchTypeDerefOr = ptr.Deref[gwapiv1.QueryParamMatchType] ) +// Deprecated: use k8s.io/utils/ptr ptr.Deref instead func NamespaceDerefOr(namespace *gwapiv1.Namespace, defaultNamespace string) string { if namespace != nil && *namespace != "" { return string(*namespace) diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go index 2445a459c74..7c87ffb7918 100644 --- a/internal/gatewayapi/resource/load.go +++ b/internal/gatewayapi/resource/load.go @@ -44,7 +44,6 @@ func LoadResourcesFromYAMLBytes(yamlBytes []byte, addMissingResources bool) (*Re // loadKubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. // TODO: add support for kind: -// - Backend (gateway.envoyproxy.io/v1alpha1) // - EnvoyExtensionPolicy (gateway.envoyproxy.io/v1alpha1) // - HTTPRouteFilter (gateway.envoyproxy.io/v1alpha1) // - BackendLPPolicy (gateway.networking.k8s.io/v1alpha2) @@ -295,6 +294,19 @@ func loadKubernetesYAMLToResources(input []byte, addMissingResources bool) (*Res Spec: typedSpec.(egv1a1.HTTPRouteFilterSpec), } resources.HTTPRouteFilters = append(resources.HTTPRouteFilters, httpRouteFilter) + case KindBackend: + typedSpec := spec.Interface() + backend := &egv1a1.Backend{ + TypeMeta: metav1.TypeMeta{ + Kind: KindBackend, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(egv1a1.BackendSpec), + } + resources.Backends = append(resources.Backends, backend) } return nil 
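Review bot: the `Deprecated: use k8s.io/utils/ptr ptr.Deref instead` note on `NamespaceDerefOr` is not a drop-in replacement: the visible body returns the default when the pointer is non-nil but points at an empty string (`namespace != nil && *namespace != ""`), whereas `ptr.Deref` only substitutes the default for nil and would return `""` for an explicitly empty namespace. Either state that the empty-string case is intentionally dropped by callers migrating, or keep the helper without the deprecation marker.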
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 648aebaeb5c..e51947411d8 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -237,7 +237,7 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe // If the route has no valid backends then just use a direct response and don't fuss with weighted responses for _, ruleRoute := range ruleRoutes { noValidBackends := ruleRoute.Destination == nil || ruleRoute.Destination.ToBackendWeights().Valid == 0 - if noValidBackends && ruleRoute.Redirect == nil { + if ruleRoute.DirectResponse == nil && noValidBackends && ruleRoute.Redirect == nil { ruleRoute.DirectResponse = &ir.CustomResponse{ StatusCode: ptr.To(uint32(500)), } diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index bd093761911..62975892918 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -173,7 +173,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { // Publish the IRs. // Also validate the ir before sending it. for key, val := range result.InfraIR { - r.Logger.WithValues("infra-ir", key).Info(val.JSONString()) + r.Logger.V(1).WithValues("infra-ir", key).Info(val.JSONString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate infra ir, skipped sending it") errChan <- err @@ -184,7 +184,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { } for key, val := range result.XdsIR { - r.Logger.WithValues("xds-ir", key).Info(val.JSONString()) + r.Logger.V(1).WithValues("xds-ir", key).Info(val.JSONString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate xds ir, skipped sending it") errChan <- err diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 302d5054507..3c2d2af31ed 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -9,6 +9,7 @@ import ( "encoding/json" "errors" "fmt" + "net" "net/http" "net/netip" "net/url" @@ -921,16 +922,16 @@ func backendRefAuthority(resources *resource.Resources, backendRef *gwapiv1.Back // TODO: exists multi FQDN endpoints? for _, ep := range backend.Spec.Endpoints { if ep.FQDN != nil { - return fmt.Sprintf("%s:%d", ep.FQDN.Hostname, ep.FQDN.Port) + return net.JoinHostPort(ep.FQDN.Hostname, strconv.Itoa(int(ep.FQDN.Port))) } } } } - return fmt.Sprintf("%s.%s:%d", - backendRef.Name, - backendNamespace, - *backendRef.Port) + return net.JoinHostPort( + fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace), + strconv.Itoa(int(*backendRef.Port)), + ) } func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Authorization, error) { diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml new file mode 100644 index 00000000000..d3458d06da8 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml 
@@ -0,0 +1,123 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-btls + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-btls-1 + namespace: envoy-gateway + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-btls + sectionName: http + rules: + - matches: + - path: + type: Exact + value: "/exact-1" + backendRefs: + - name: http-backend + namespace: envoy-gateway + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-btls-2 + namespace: envoy-gateway + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-btls + sectionName: http + rules: + - matches: + - path: + type: Exact + value: "/exact-2" + backendRefs: + - name: http-backend + namespace: envoy-gateway + port: 8081 + +services: + - apiVersion: v1 + kind: Service + metadata: + name: http-backend + namespace: envoy-gateway + spec: + clusterIP: 10.11.12.13 + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 + - port: 8081 + name: http + protocol: TCP + targetPort: 8081 + +configMaps: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: ca-cmap + namespace: envoy-gateway + data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL + BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw + MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G + A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc + 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM + yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b + kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU + 
Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq + ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR + bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48 + 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/ + BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz + 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J + i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE + A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg + d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1 + 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q== + -----END CERTIFICATE----- +backendTLSPolicies: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-btls + namespace: envoy-gateway + spec: + targetRefs: + - group: "" + kind: Service + name: http-backend + sectionName: "8080" + - group: "" + kind: Service + name: http-backend + sectionName: "8081" + validation: + caCertificateRefs: + - name: ca-cmap + group: "" + kind: ConfigMap + hostname: example.com diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml new file mode 100644 index 00000000000..8ecd25a2418 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml 
@@ -0,0 +1,239 @@ +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls + namespace: envoy-gateway + spec: + targetRefs: + - group: "" + kind: Service + name: http-backend + sectionName: "8080" + - group: "" + kind: Service + name: http-backend + sectionName: "8081" + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: example.com + status: + ancestors: + - ancestorRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-btls + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-btls-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-btls + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + 
- name: http-backend + namespace: envoy-gateway + port: 8080 + matches: + - path: + type: Exact + value: /exact-1 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-btls-2 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-btls + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: http-backend + namespace: envoy-gateway + port: 8081 + matches: + - path: + type: Exact + value: /exact-2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-btls: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-btls/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-btls + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-btls +xdsIR: + envoy-gateway/gateway-btls: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-btls + namespace: envoy-gateway + 
sectionName: http + name: envoy-gateway/gateway-btls/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/envoy-gateway/httproute-btls-1/rule/0 + settings: + - protocol: HTTP + tls: + alpnProtocols: null + caCertificate: + certificate: 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 + name: policy-btls/envoy-gateway-ca + sni: example.com + weight: 1 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-btls-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-btls-1/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact-1 + name: "" + - destination: + name: httproute/envoy-gateway/httproute-btls-2/rule/0 + settings: + - protocol: HTTP + tls: + alpnProtocols: null + caCertificate: + certificate: 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 + name: policy-btls/envoy-gateway-ca + sni: example.com + weight: 1 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-btls-2 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-btls-2/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact-2 + name: "" diff --git a/internal/gatewayapi/testdata/custom-filter-order.in.yaml b/internal/gatewayapi/testdata/custom-filter-order.in.yaml index 99b46e6de82..6f27637135c 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.in.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.in.yaml @@ -111,7 +111,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-1.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 config: parameter1: key1: value1 
@@ -122,7 +122,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-2.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e config: parameter1: value1 parameter2: value2 diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index 6967bf280f3..043eeab1543 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -13,7 +13,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 url: https://www.example.com/wasm-filter-1.wasm type: HTTP config: @@ -24,7 +24,7 @@ envoyExtensionPolicies: name: wasm-filter-1 - code: http: - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e url: https://www.example.com/wasm-filter-2.wasm type: HTTP config: @@ -257,7 +257,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: 
@@ -267,7 +267,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 hostname: www.example.com diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml index 106267da645..17026ebbad6 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml @@ -72,7 +72,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-1.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 config: parameter1: key1: value1 @@ -83,7 +83,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-2.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e config: parameter1: value1 parameter2: value2 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml index 4abc9f59092..8c65fb9cf65 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml 
@@ -16,7 +16,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 url: https://www.example.com/wasm-filter-1.wasm type: HTTP config: @@ -27,7 +27,7 @@ envoyExtensionPolicies: name: wasm-filter-1 - code: http: - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e url: https://www.example.com/wasm-filter-2.wasm type: HTTP config: @@ -239,7 +239,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: @@ -249,7 +249,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 hostname: www.example.com @@ -280,7 +280,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: 
@@ -290,7 +290,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 hostname: www.example.com diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml index 5cb2b192553..e7414013410 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml @@ -77,7 +77,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-1.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 config: parameter1: key1: value1 @@ -91,7 +91,7 @@ envoyextensionpolicies: url: oci://www.example.com/wasm-filter-2:v1.0.0 pullSecretRef: name: my-pull-secret - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 config: parameter1: value1 parameter2: value2 @@ -115,7 +115,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.test.com/wasm-filter-4.wasm - sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6 + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 config: parameter1: key1: value1 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml index 68cfaf92515..368c32a4055 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml @@ -13,7 +13,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6 + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 url: https://www.test.com/wasm-filter-4.wasm type: HTTP config: @@ -53,7 +53,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 url: https://www.example.com/wasm-filter-1.wasm type: HTTP config: @@ -68,7 +68,7 @@ envoyExtensionPolicies: group: null kind: null name: my-pull-secret - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-2:v1.0.0 type: Image config: @@ -277,7 +277,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.test.com/wasm-filter-4.wasm servingURL: https://envoy-gateway:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm - sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6 + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 name: envoyextensionpolicy/default/policy-for-http-route/wasm/0 wasmName: wasm-filter-4 hostname: www.example.com @@ -311,7 +311,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: 
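Review bot: every `sha256` in the wasm fixtures (custom-filter-order, envoyextensionpolicy-with-wasm-targetrefs, envoyextensionpolicy-with-wasm) is rewritten in both the `.in.yaml` and the `.out.yaml` to the digest the test cache now returns, so the suite still never sees a declared digest that disagrees with the fetched module; one fixture with a deliberately wrong `sha256` whose policy is expected to fail would cover the path the `checksum` change in buildWasm relies on. The Image-sourced filter (`oci://www.example.com/wasm-filter-2:v1.0.0`) also gets a new digest even though the buildWasm hunks shown only touch the HTTP branch; a sentence in the PR on where that value comes from would help.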
diff --git a/internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml b/internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml new file mode 100644 index 00000000000..bd9a316227e --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml 
@@ -0,0 +1,119 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: direct-response + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - matches: + - path: + type: PathPrefix + value: /inline + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-inline + - matches: + - path: + type: PathPrefix + value: /value-ref + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: direct-response-with-errors + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - matches: + - path: + type: PathPrefix + value: /value-ref-not-found + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref-not-found +configMaps: +- apiVersion: v1 + kind: ConfigMap + metadata: + name: value-ref-response + namespace: default + data: + response.body: '{"error": "Internal Server Error"}' +httpFilters: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: direct-response-inline + namespace: default + spec: + directResponse: + contentType: text/plain + body: + type: Inline + inline: "OK" +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: direct-response-value-ref-not-exit + namespace: default + spec: + directResponse: + contentType: 
application/json + statusCode: 502 + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: value-ref-does-not-exist +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: direct-response-value-ref + namespace: default + spec: + directResponse: + contentType: application/json + statusCode: 502 + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: value-ref-response diff --git a/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml new file mode 100644 index 00000000000..29b6b051366 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml 
@@ -0,0 +1,208 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: direct-response + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-inline + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /inline + - filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /value-ref + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + 
parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: direct-response-with-errors + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref-not-found + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /value-ref-not-found + status: + parents: + - conditions: + - lastTransitionTime: null + message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - addResponseHeaders: + - append: false + name: Content-Type + value: + - application/json + directResponse: + body: '{"error": 
"Internal Server Error"}' + statusCode: 502 + hostname: '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: HTTPRoute + name: direct-response + namespace: default + name: httproute/default/direct-response/rule/1/match/0/*_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /value-ref + - addResponseHeaders: + - append: false + name: Content-Type + value: + - text/plain + directResponse: + body: OK + statusCode: 200 + hostname: '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: HTTPRoute + name: direct-response + namespace: default + name: httproute/default/direct-response/rule/0/match/0/*_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /inline diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml new file mode 100644 index 00000000000..12aa992ef44 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml 
@@ -0,0 +1,55 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-a + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: default + port: 80 + protocol: HTTP + hostname: '*.a.example.com' + allowedRoutes: + namespaces: + from: All + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: default + port: 80 + protocol: HTTP + hostname: '*.b.example.com' + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + namespace: default + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml new file mode 100644 index 00000000000..ba2f58b8667 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml 
@@ -0,0 +1,249 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-a + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.a.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.b.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + 
kind: HTTPRoute + metadata: + creationTimestamp: null + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + namespace: default + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + namespace: default + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b +infraIR: + default/gateway-a: + proxy: + listeners: + - address: null + name: default/gateway-a/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-a + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-a + envoy-gateway/gateway-b: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-b/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-b + gateway.envoyproxy.io/owning-gateway-namespace: 
envoy-gateway + name: envoy-gateway/gateway-b +xdsIR: + default/gateway-a: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.a.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-a + namespace: default + sectionName: default + name: default/gateway-a/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.a.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_a_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy + envoy-gateway/gateway-b: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.b.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-b + namespace: envoy-gateway + sectionName: default + name: envoy-gateway/gateway-b/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.b.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_b_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml new file mode 100644 index 00000000000..6c9aa71d29c --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml 
@@ -0,0 +1,54 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-a + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: default + port: 80 + protocol: HTTP + hostname: '*.a.example.com' + allowedRoutes: + namespaces: + from: All + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: default + port: 80 + protocol: HTTP + hostname: '*.b.example.com' + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml new file mode 100644 index 00000000000..4e6bef64b9e --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml 
@@ -0,0 +1,247 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-a + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.a.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.b.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: 
gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b +infraIR: + envoy-gateway/gateway-a: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-a/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-a + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-a + envoy-gateway/gateway-b: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-b/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-b + 
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-b +xdsIR: + envoy-gateway/gateway-a: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.a.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-a + namespace: envoy-gateway + sectionName: default + name: envoy-gateway/gateway-a/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.a.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_a_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy + envoy-gateway/gateway-b: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.b.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-b + namespace: envoy-gateway + sectionName: default + name: envoy-gateway/gateway-b/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.b.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_b_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index 7184326fd62..39200342a5f 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go 
@@ -833,7 +833,7 @@ type mockWasmCache struct{} func (m *mockWasmCache) Start(_ context.Context) {} -func (m *mockWasmCache) Get(downloadURL string, _ wasm.GetOptions) (url string, checksum string, err error) { +func (m *mockWasmCache) Get(downloadURL string, options wasm.GetOptions) (url string, checksum string, err error) { // This is a mock implementation of the wasm.Cache.Get method. sha := sha256.Sum256([]byte(downloadURL)) hashedName := hex.EncodeToString(sha[:]) @@ -841,6 +841,9 @@ func (m *mockWasmCache) Get(downloadURL string, _ wasm.GetOptions) (url string, salt = append(salt, hashedName...) sha = sha256.Sum256(salt) checksum = hex.EncodeToString(sha[:]) + if options.Checksum != "" && checksum != options.Checksum { + return "", "", fmt.Errorf("module downloaded from %v has checksum %v, which does not match: %v", downloadURL, checksum, options.Checksum) + } return fmt.Sprintf("https://envoy-gateway:18002/%s.wasm", hashedName), checksum, nil } diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index bd91d900bb1..de77e642413 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml @@ -132,7 +132,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index 678eebb7cac..40b825d6f45 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml 
@@ -309,7 +309,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 4cc285a5ea4..5179f48790b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -308,7 +308,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index adf1b404e14..94bfc77c036 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 2ce6d9c6af1..ed5f24779f0 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -270,7 +270,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 6642390520f..276b43fc833 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -312,7 +312,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index bcd59e73c0f..78c7fbc8dcf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -308,7 +308,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 255c6f51836..573c8533064 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index ee1d74b0f16..56d527631de 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -312,7 +312,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 479bc91bd4d..a3d0f681ea3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -304,7 +304,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index 6f5a0d8f56a..20bca921e0c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml @@ -132,7 +132,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index faf8ffd633a..a51fecae8e6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -301,7 +301,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 74ca2ad98bc..990a14c8c8b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 5ac43575566..95ed6340e84 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index a2cee5d74e0..e7a7a5178c1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 25bd6953106..b1fca786103 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index 077b6c6c56a..e26e671999d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -135,7 +135,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index dd24ac2fe8a..5c8c25c3ee4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -136,7 +136,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 31841738dee..6c0cbc04bb8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -314,7 +314,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index a81f3c8335a..a3cec93422c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -316,7 +316,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index d90e6910a18..0dfc140ba9a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -313,7 +313,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 29197f2651c..95548c10f00 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index ec1ee123a7c..ba8d010d140 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -274,7 +274,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 53220f06d29..8dffdf1ea01 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -317,7 +317,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index ce139b7cc78..57307b4ce84 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -312,7 +312,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 61a19e54bd0..b3f7fa5a175 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 62deebaba1e..bf360eb4d2b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -317,7 +317,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index c24f94fe8fc..952e346c5af 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -308,7 +308,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index b13b6dbcced..0bd2860f6a5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -136,7 +136,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index ab2641ff65c..8153e5d31f9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -302,7 +302,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index f6ba26eab7c..7154978a93f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -305,7 +305,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index 96588389310..d60f94518b8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 16eb12b15e9..70023ba7e1b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 6512c7a9dca..d780886d3fb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 9c2a3e62192..1ccafdc751f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/ir/infra.go b/internal/ir/infra.go index 8bf433785fb..7044b695fda 100644 
--- a/internal/ir/infra.go +++ b/internal/ir/infra.go @@ -36,7 +36,7 @@ func (i *Infra) YAMLString() string { } func (i *Infra) JSONString() string { - j, _ := json.MarshalIndent(i, "", "\t") + j, _ := json.Marshal(i) return string(j) } diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 10c418af462..5e26af0f479 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -181,7 +181,7 @@ func (x *Xds) YAMLString() string { } func (x *Xds) JSONString() string { - j, _ := json.MarshalIndent(x.Printable(), "", "\t") + j, _ := json.Marshal(x.Printable()) return string(j) } diff --git a/internal/kubernetes/port_forwarder.go b/internal/kubernetes/port_forwarder.go index 176610dab3e..8e88b9c0212 100644 --- a/internal/kubernetes/port_forwarder.go +++ b/internal/kubernetes/port_forwarder.go @@ -8,8 +8,10 @@ package kubernetes import ( "fmt" "io" + "net" "net/http" "os" + "strconv" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/rest" @@ -134,5 +136,5 @@ func (f *localForwarder) WaitForStop() { } func (f *localForwarder) Address() string { - return fmt.Sprintf("%s:%d", netutil.DefaultLocalAddress, f.localPort) + return net.JoinHostPort(netutil.DefaultLocalAddress, strconv.Itoa(f.localPort)) } diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 06d9dc39a0d..28a0eafaa77 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -65,6 +65,21 @@ type gatewayAPIReconciler struct { resources *message.ProviderResources extGVKs []schema.GroupVersionKind extServerPolicies []schema.GroupVersionKind + + backendCRDExists bool + bTLSPolicyCRDExists bool + btpCRDExists bool + ctpCRDExists bool + eepCRDExists bool + epCRDExists bool + eppCRDExists bool + hrfCRDExists bool + grpcRouteCRDExists bool + serviceImportCRDExists bool + spCRDExists bool + tcpRouteCRDExists bool + tlsRouteCRDExists bool + udpRouteCRDExists bool } // newGatewayAPIController 
@@ -197,42 +212,55 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques return reconcile.Result{}, err } - // Add all EnvoyPatchPolicies to the resourceTree - if err = r.processEnvoyPatchPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.eppCRDExists { + // Add all EnvoyPatchPolicies to the resourceTree + if err = r.processEnvoyPatchPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - - // Add all ClientTrafficPolicies and their referenced resources to the resourceTree - if err = r.processClientTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.ctpCRDExists { + // Add all ClientTrafficPolicies and their referenced resources to the resourceTree + if err = r.processClientTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all BackendTrafficPolicies to the resourceTree - if err = r.processBackendTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.btpCRDExists { + // Add all BackendTrafficPolicies to the resourceTree + if err = r.processBackendTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all SecurityPolicies and their referenced resources to the resourceTree - if err = r.processSecurityPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.spCRDExists { + // Add all SecurityPolicies and their referenced resources to the resourceTree + if err = r.processSecurityPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all BackendTLSPolies to the resourceTree - if err = r.processBackendTLSPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.bTLSPolicyCRDExists { + // Add all 
BackendTLSPolies to the resourceTree + if err = r.processBackendTLSPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all EnvoyExtensionPolicies and their referenced resources to the resourceTree - if err = r.processEnvoyExtensionPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.eepCRDExists { + // Add all EnvoyExtensionPolicies and their referenced resources to the resourceTree + if err = r.processEnvoyExtensionPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } if err = r.processExtensionServerPolicies(ctx, gwcResource); err != nil { return reconcile.Result{}, err } - if err = r.processBackends(ctx, gwcResource); err != nil { - return reconcile.Result{}, err + if r.backendCRDExists { + if err = r.processBackends(ctx, gwcResource); err != nil { + return reconcile.Result{}, err + } } // Add the referenced services, ServiceImports, and EndpointSlices in @@ -336,7 +364,7 @@ func (r *gatewayAPIReconciler) managedGatewayClasses(ctx context.Context) ([]*gw // so clean-up dependents. if !gwClass.DeletionTimestamp.IsZero() && !slice.ContainsString(gwClass.Finalizers, gatewayClassFinalizer) { - r.log.Info("gatewayclass marked for deletion") + r.log.Info("gatewayclass marked for deletion", "name", gwClass.Name) cc.removeMatch(&gwClass) continue } 
@@ -383,8 +411,9 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour "name", string(backendRef.Name)) } else { resourceMappings.allAssociatedNamespaces.Insert(serviceImport.Namespace) - if !resourceMappings.allAssociatedServiceImports.Has(utils.NamespacedName(serviceImport).String()) { - resourceMappings.allAssociatedServiceImports.Insert(utils.NamespacedName(serviceImport).String()) + key := utils.NamespacedName(serviceImport).String() + if !resourceMappings.allAssociatedServiceImports.Has(key) { + resourceMappings.allAssociatedServiceImports.Insert(key) gwcResource.ServiceImports = append(gwcResource.ServiceImports, serviceImport) r.log.Info("added ServiceImport to resource tree", "namespace", string(*backendRef.Namespace), "name", string(backendRef.Name)) @@ -399,11 +428,14 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour r.log.Error(err, "failed to get Backend", "namespace", string(*backendRef.Namespace), "name", string(backendRef.Name)) } else { - resourceMappings.allAssociatedNamespaces[backend.Namespace] = struct{}{} - backend.Status = egv1a1.BackendStatus{} - gwcResource.Backends = append(gwcResource.Backends, backend) - r.log.Info("added Backend to resource tree", "namespace", string(*backendRef.Namespace), - "name", string(backendRef.Name)) + resourceMappings.allAssociatedNamespaces.Insert(backend.Namespace) + key := utils.NamespacedName(backend).String() + if !resourceMappings.allAssociatedBackends.Has(key) { + resourceMappings.allAssociatedBackends.Insert(key) + gwcResource.Backends = append(gwcResource.Backends, backend) + r.log.Info("added Backend to resource tree", "namespace", string(*backendRef.Namespace), + "name", string(backendRef.Name)) + } } } 
@@ -414,17 +446,18 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour client.MatchingLabels(map[string]string{ endpointSliceLabelKey: string(backendRef.Name), }), - client.InNamespace(string(*backendRef.Namespace)), + client.InNamespace(*backendRef.Namespace), } if err := r.client.List(ctx, endpointSliceList, opts...); err != nil { r.log.Error(err, "failed to get EndpointSlices", "namespace", string(*backendRef.Namespace), backendRefKind, string(backendRef.Name)) } else { for _, endpointSlice := range endpointSliceList.Items { - endpointSlice := endpointSlice //nolint:copyloopvar - if !resourceMappings.allAssociatedEndpointSlices.Has(utils.NamespacedName(&endpointSlice).String()) { - resourceMappings.allAssociatedEndpointSlices.Insert(utils.NamespacedName(&endpointSlice).String()) - r.log.Info("added EndpointSlice to resource tree", "namespace", endpointSlice.Namespace, + key := utils.NamespacedName(&endpointSlice).String() + if !resourceMappings.allAssociatedEndpointSlices.Has(key) { + resourceMappings.allAssociatedEndpointSlices.Insert(key) + r.log.Info("added EndpointSlice to resource tree", + "namespace", endpointSlice.Namespace, "name", endpointSlice.Name) gwcResource.EndpointSlices = append(gwcResource.EndpointSlices, &endpointSlice) } @@ -567,8 +600,9 @@ func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resour return } - if !resourceMap.allAssociatedSecrets.Has(utils.NamespacedName(&secret).String()) { - resourceMap.allAssociatedSecrets.Insert(utils.NamespacedName(&secret).String()) + key := utils.NamespacedName(&secret).String() + if !resourceMap.allAssociatedSecrets.Has(key) { + resourceMap.allAssociatedSecrets.Insert(key) resourceTree.Secrets = append(resourceTree.Secrets, &secret) r.log.Info("processing OIDC HMAC Secret", "namespace", r.namespace, "name", oidcHMACSecretName) } 
@@ -625,9 +659,10 @@ func (r *gatewayAPIReconciler) processSecretRef( } } } - resourceMap.allAssociatedNamespaces.Insert(secretNS) // TODO Zhaohuabing do we need this line? - if !resourceMap.allAssociatedSecrets.Has(utils.NamespacedName(secret).String()) { - resourceMap.allAssociatedSecrets.Insert(utils.NamespacedName(secret).String()) + resourceMap.allAssociatedNamespaces.Insert(secretNS) + key := utils.NamespacedName(secret).String() + if !resourceMap.allAssociatedSecrets.Has(key) { + resourceMap.allAssociatedSecrets.Insert(key) resourceTree.Secrets = append(resourceTree.Secrets, secret) r.log.Info("processing Secret", "namespace", secretNS, "name", string(secretRef.Name)) } @@ -733,7 +768,7 @@ func (r *gatewayAPIReconciler) processConfigMapRef( } } } - resourceMap.allAssociatedNamespaces.Insert(configMapNS) // TODO Zhaohuabing do we need this line? + resourceMap.allAssociatedNamespaces.Insert(configMapNS) if !resourceMap.allAssociatedConfigMaps.Has(utils.NamespacedName(configMap).String()) { resourceMap.allAssociatedConfigMaps.Insert(utils.NamespacedName(configMap).String()) resourceTree.ConfigMaps = append(resourceTree.ConfigMaps, configMap) @@ -898,9 +933,12 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g gtwNamespacedName := utils.NamespacedName(>w).String() // Route Processing - // Get TLSRoute objects and check if it exists. - if err := r.processTLSRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + + if r.tlsRouteCRDExists { + // Get TLSRoute objects and check if it exists. + if err := r.processTLSRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } // Get HTTPRoute objects and check if it exists. 
@@ -908,21 +946,26 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g return err } - // Get GRPCRoute objects and check if it exists. - if err := r.processGRPCRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + if r.grpcRouteCRDExists { + // Get GRPCRoute objects and check if it exists. + if err := r.processGRPCRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } - // Get TCPRoute objects and check if it exists. - if err := r.processTCPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + if r.tcpRouteCRDExists { + // Get TCPRoute objects and check if it exists. + if err := r.processTCPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } - // Get UDPRoute objects and check if it exists. - if err := r.processUDPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + if r.udpRouteCRDExists { + // Get UDPRoute objects and check if it exists. + if err := r.processUDPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } - // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer gtw.Status = gwapiv1.GatewayStatus{} 
@@ -1115,24 +1158,30 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return fmt.Errorf("failed to watch GatewayClass: %w", err) } - epPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyProxy]{ - &predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyProxy]{}, - } - if r.namespaceLabel != nil { - epPredicates = append(epPredicates, predicate.NewTypedPredicateFuncs(func(ep *egv1a1.EnvoyProxy) bool { - return r.hasMatchingNamespaceLabels(ep) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.EnvoyProxy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, t *egv1a1.EnvoyProxy) []reconcile.Request { - return r.enqueueClass(ctx, t) - }), - epPredicates...)); err != nil { - return err - } - if err := addEnvoyProxyIndexers(ctx, mgr); err != nil { - return err + r.epCRDExists = r.crdExists(mgr, resource.KindEnvoyProxy, egv1a1.GroupVersion.String()) + if !r.epCRDExists { + r.log.Info("EnvoyProxy CRD not found, skipping EnvoyProxy watch") + } else { + epPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyProxy]{ + &predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyProxy]{}, + } + if r.namespaceLabel != nil { + epPredicates = append(epPredicates, predicate.NewTypedPredicateFuncs(func(ep *egv1a1.EnvoyProxy) bool { + return r.hasMatchingNamespaceLabels(ep) + })) + } + + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.EnvoyProxy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, t *egv1a1.EnvoyProxy) []reconcile.Request { + return r.enqueueClass(ctx, t) + }), + epPredicates...)); err != nil { + return err + } + if err := addEnvoyProxyIndexers(ctx, mgr); err != nil { + return err + } } // Watch Gateway CRUDs and reconcile affected GatewayClass. 
@@ -1182,92 +1231,113 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - // Watch GRPCRoute CRUDs and process affected Gateways. - grpcrPredicates := []predicate.TypedPredicate[*gwapiv1.GRPCRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1.GRPCRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1.GRPCRoute]{}), - } - if r.namespaceLabel != nil { - grpcrPredicates = append(grpcrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1.GRPCRoute](func(grpc *gwapiv1.GRPCRoute) bool { - return r.hasMatchingNamespaceLabels(grpc) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1.GRPCRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1.GRPCRoute](func(ctx context.Context, route *gwapiv1.GRPCRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - grpcrPredicates...)); err != nil { - return err - } - if err := addGRPCRouteIndexers(ctx, mgr); err != nil { - return err + // TODO: Remove this optional check once most cloud providers and service meshes support GRPCRoute v1 + r.grpcRouteCRDExists = r.crdExists(mgr, resource.KindGRPCRoute, gwapiv1.GroupVersion.String()) + if !r.grpcRouteCRDExists { + r.log.Info("GRPCRoute CRD not found, skipping GRPCRoute watch") + } else { + // Watch GRPCRoute CRUDs and process affected Gateways. 
+ grpcrPredicates := []predicate.TypedPredicate[*gwapiv1.GRPCRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1.GRPCRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1.GRPCRoute]{}), + } + if r.namespaceLabel != nil { + grpcrPredicates = append(grpcrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1.GRPCRoute](func(grpc *gwapiv1.GRPCRoute) bool { + return r.hasMatchingNamespaceLabels(grpc) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1.GRPCRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1.GRPCRoute](func(ctx context.Context, route *gwapiv1.GRPCRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + grpcrPredicates...)); err != nil { + return err + } + if err := addGRPCRouteIndexers(ctx, mgr); err != nil { + return err + } } - // Watch TLSRoute CRUDs and process affected Gateways. - tlsrPredicates := []predicate.TypedPredicate[*gwapiv1a2.TLSRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TLSRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1a2.TLSRoute]{}), - } - if r.namespaceLabel != nil { - tlsrPredicates = append(tlsrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TLSRoute](func(route *gwapiv1a2.TLSRoute) bool { - return r.hasMatchingNamespaceLabels(route) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.TLSRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TLSRoute](func(ctx context.Context, route *gwapiv1a2.TLSRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - tlsrPredicates...)); err != nil { - return err - } - if err := addTLSRouteIndexers(ctx, mgr); err != nil { - return err + r.tlsRouteCRDExists = r.crdExists(mgr, resource.KindTLSRoute, gwapiv1a2.GroupVersion.String()) + if !r.tlsRouteCRDExists { + r.log.Info("TLSRoute CRD not found, skipping TLSRoute watch") + } else { + // Watch TLSRoute CRUDs and process affected Gateways. 
+ tlsrPredicates := []predicate.TypedPredicate[*gwapiv1a2.TLSRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TLSRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.TLSRoute]{}), + } + if r.namespaceLabel != nil { + tlsrPredicates = append(tlsrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TLSRoute](func(route *gwapiv1a2.TLSRoute) bool { + return r.hasMatchingNamespaceLabels(route) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a2.TLSRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TLSRoute](func(ctx context.Context, route *gwapiv1a2.TLSRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + tlsrPredicates...)); err != nil { + return err + } + if err := addTLSRouteIndexers(ctx, mgr); err != nil { + return err + } } - // Watch UDPRoute CRUDs and process affected Gateways. - udprPredicates := []predicate.TypedPredicate[*gwapiv1a2.UDPRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.UDPRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1a2.UDPRoute]{}), - } - if r.namespaceLabel != nil { - udprPredicates = append(udprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.UDPRoute](func(route *gwapiv1a2.UDPRoute) bool { - return r.hasMatchingNamespaceLabels(route) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.UDPRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.UDPRoute](func(ctx context.Context, route *gwapiv1a2.UDPRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - udprPredicates...)); err != nil { - return err - } - if err := addUDPRouteIndexers(ctx, mgr); err != nil { - return err + r.udpRouteCRDExists = r.crdExists(mgr, resource.KindUDPRoute, gwapiv1a2.GroupVersion.String()) + if !r.udpRouteCRDExists { + r.log.Info("UDPRoute CRD not found, skipping UDPRoute watch") + } else { + // Watch UDPRoute CRUDs and process affected Gateways. 
+ udprPredicates := []predicate.TypedPredicate[*gwapiv1a2.UDPRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.UDPRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.UDPRoute]{}), + } + if r.namespaceLabel != nil { + udprPredicates = append(udprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.UDPRoute](func(route *gwapiv1a2.UDPRoute) bool { + return r.hasMatchingNamespaceLabels(route) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a2.UDPRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.UDPRoute](func(ctx context.Context, route *gwapiv1a2.UDPRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + udprPredicates...)); err != nil { + return err + } + if err := addUDPRouteIndexers(ctx, mgr); err != nil { + return err + } } - // Watch TCPRoute CRUDs and process affected Gateways. - tcprPredicates := []predicate.TypedPredicate[*gwapiv1a2.TCPRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TCPRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1a2.TCPRoute]{}), - } - if r.namespaceLabel != nil { - tcprPredicates = append(tcprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TCPRoute](func(route *gwapiv1a2.TCPRoute) bool { - return r.hasMatchingNamespaceLabels(route) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.TCPRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TCPRoute](func(ctx context.Context, route *gwapiv1a2.TCPRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - tcprPredicates...)); err != nil { - return err - } - if err := addTCPRouteIndexers(ctx, mgr); err != nil { - return err + r.tcpRouteCRDExists = r.crdExists(mgr, resource.KindTCPRoute, gwapiv1a2.GroupVersion.String()) + if !r.tcpRouteCRDExists { + r.log.Info("TCPRoute CRD not found, skipping TCPRoute watch") + } else { + // Watch TCPRoute CRUDs and process affected Gateways. 
+ tcprPredicates := []predicate.TypedPredicate[*gwapiv1a2.TCPRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TCPRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.TCPRoute]{}), + } + if r.namespaceLabel != nil { + tcprPredicates = append(tcprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TCPRoute](func(route *gwapiv1a2.TCPRoute) bool { + return r.hasMatchingNamespaceLabels(route) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a2.TCPRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TCPRoute](func(ctx context.Context, route *gwapiv1a2.TCPRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + tcprPredicates...)); err != nil { + return err + } + if err := addTCPRouteIndexers(ctx, mgr); err != nil { + return err + } } // Watch Service CRUDs and process affected *Route objects. @@ -1291,11 +1361,10 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } // Watch ServiceImport CRUDs and process affected *Route objects. - serviceImportCRDExists := r.serviceImportCRDExists(mgr) - if !serviceImportCRDExists { + r.serviceImportCRDExists = r.crdExists(mgr, resource.KindServiceImport, mcsapiv1a1.GroupVersion.String()) + if !r.serviceImportCRDExists { r.log.Info("ServiceImport CRD not found, skipping ServiceImport watch") - } - if serviceImportCRDExists { + } else { if err := c.Watch( source.Kind(mgr.GetCache(), &mcsapiv1a1.ServiceImport{}, handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, si *mcsapiv1a1.ServiceImport) []reconcile.Request { 
@@ -1331,8 +1400,11 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - // Watch Backend CRUDs and process affected *Route objects. - if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableBackend { + r.backendCRDExists = r.crdExists(mgr, resource.KindBackend, egv1a1.GroupVersion.String()) + if !r.backendCRDExists { + r.log.Info("Backend CRD not found, skipping Backend watch") + } else if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableBackend { + // Watch Backend CRUDs and process affected *Route objects. backendPredicates := []predicate.TypedPredicate[*egv1a1.Backend]{ predicate.TypedGenerationChangedPredicate[*egv1a1.Backend]{}, predicate.NewTypedPredicateFuncs[*egv1a1.Backend](func(be *egv1a1.Backend) bool { @@ -1478,7 +1550,10 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy { + r.eppCRDExists = r.crdExists(mgr, resource.KindEnvoyPatchPolicy, egv1a1.GroupVersion.String()) + if !r.eppCRDExists { + r.log.Info("EnvoyPatchPolicy CRD not found, skipping EnvoyPatchPolicy watch") + } else if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy { // Watch EnvoyPatchPolicy if enabled in config eppPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyPatchPolicy]{ predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyPatchPolicy]{}, 
@@ -1499,118 +1574,143 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } } - // Watch ClientTrafficPolicy - ctpPredicates := []predicate.TypedPredicate[*egv1a1.ClientTrafficPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.ClientTrafficPolicy]{}, - } - if r.namespaceLabel != nil { - ctpPredicates = append(ctpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.ClientTrafficPolicy](func(ctp *egv1a1.ClientTrafficPolicy) bool { - return r.hasMatchingNamespaceLabels(ctp) - })) - } + r.ctpCRDExists = r.crdExists(mgr, resource.KindClientTrafficPolicy, egv1a1.GroupVersion.String()) + if !r.ctpCRDExists { + r.log.Info("ClientTrafficPolicy CRD not found, skipping ClientTrafficPolicy watch") + } else { + // Watch ClientTrafficPolicy + ctpPredicates := []predicate.TypedPredicate[*egv1a1.ClientTrafficPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.ClientTrafficPolicy]{}, + } + if r.namespaceLabel != nil { + ctpPredicates = append(ctpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.ClientTrafficPolicy](func(ctp *egv1a1.ClientTrafficPolicy) bool { + return r.hasMatchingNamespaceLabels(ctp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.ClientTrafficPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, ctp *egv1a1.ClientTrafficPolicy) []reconcile.Request { - return r.enqueueClass(ctx, ctp) - }), - ctpPredicates...)); err != nil { - return err - } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.ClientTrafficPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, ctp *egv1a1.ClientTrafficPolicy) []reconcile.Request { + return r.enqueueClass(ctx, ctp) + }), + ctpPredicates...)); err != nil { + return err + } - if err := addCtpIndexers(ctx, mgr); err != nil { - return err + if err := addCtpIndexers(ctx, mgr); err != nil { + return err + } } - // Watch BackendTrafficPolicy - btpPredicates := 
[]predicate.TypedPredicate[*egv1a1.BackendTrafficPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.BackendTrafficPolicy]{}, - } - if r.namespaceLabel != nil { - btpPredicates = append(btpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.BackendTrafficPolicy](func(btp *egv1a1.BackendTrafficPolicy) bool { - return r.hasMatchingNamespaceLabels(btp) - })) - } + r.btpCRDExists = r.crdExists(mgr, resource.KindBackendTrafficPolicy, egv1a1.GroupVersion.String()) + if !r.btpCRDExists { + r.log.Info("BackendTrafficPolicy CRD not found, skipping BackendTrafficPolicy watch") + } else { + // Watch BackendTrafficPolicy + btpPredicates := []predicate.TypedPredicate[*egv1a1.BackendTrafficPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.BackendTrafficPolicy]{}, + } + if r.namespaceLabel != nil { + btpPredicates = append(btpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.BackendTrafficPolicy](func(btp *egv1a1.BackendTrafficPolicy) bool { + return r.hasMatchingNamespaceLabels(btp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.BackendTrafficPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *egv1a1.BackendTrafficPolicy) []reconcile.Request { - return r.enqueueClass(ctx, btp) - }), - btpPredicates...)); err != nil { - return err - } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.BackendTrafficPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *egv1a1.BackendTrafficPolicy) []reconcile.Request { + return r.enqueueClass(ctx, btp) + }), + btpPredicates...)); err != nil { + return err + } - if err := addBtpIndexers(ctx, mgr); err != nil { - return err + if err := addBtpIndexers(ctx, mgr); err != nil { + return err + } } - // Watch SecurityPolicy - spPredicates := []predicate.TypedPredicate[*egv1a1.SecurityPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.SecurityPolicy]{}, - } - if r.namespaceLabel != nil { - spPredicates = append(spPredicates, 
predicate.NewTypedPredicateFuncs[*egv1a1.SecurityPolicy](func(sp *egv1a1.SecurityPolicy) bool { - return r.hasMatchingNamespaceLabels(sp) - })) - } + r.spCRDExists = r.crdExists(mgr, resource.KindSecurityPolicy, egv1a1.GroupVersion.String()) + if !r.spCRDExists { + r.log.Info("SecurityPolicy CRD not found, skipping SecurityPolicy watch") + } else { + // Watch SecurityPolicy + spPredicates := []predicate.TypedPredicate[*egv1a1.SecurityPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.SecurityPolicy]{}, + } + if r.namespaceLabel != nil { + spPredicates = append(spPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.SecurityPolicy](func(sp *egv1a1.SecurityPolicy) bool { + return r.hasMatchingNamespaceLabels(sp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.SecurityPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, sp *egv1a1.SecurityPolicy) []reconcile.Request { - return r.enqueueClass(ctx, sp) - }), - spPredicates...)); err != nil { - return err - } - if err := addSecurityPolicyIndexers(ctx, mgr); err != nil { - return err + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.SecurityPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, sp *egv1a1.SecurityPolicy) []reconcile.Request { + return r.enqueueClass(ctx, sp) + }), + spPredicates...)); err != nil { + return err + } + if err := addSecurityPolicyIndexers(ctx, mgr); err != nil { + return err + } } - // Watch BackendTLSPolicy - btlsPredicates := []predicate.TypedPredicate[*gwapiv1a3.BackendTLSPolicy]{ - predicate.TypedGenerationChangedPredicate[*gwapiv1a3.BackendTLSPolicy]{}, - } - if r.namespaceLabel != nil { - btlsPredicates = append(btlsPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a3.BackendTLSPolicy](func(btp *gwapiv1a3.BackendTLSPolicy) bool { - return r.hasMatchingNamespaceLabels(btp) - })) - } + r.bTLSPolicyCRDExists = r.crdExists(mgr, resource.KindBackendTLSPolicy, gwapiv1a3.GroupVersion.String()) + if 
!r.bTLSPolicyCRDExists { + r.log.Info("BackendTLSPolicy CRD not found, skipping BackendTLSPolicy watch") + } else { + // Watch BackendTLSPolicy + btlsPredicates := []predicate.TypedPredicate[*gwapiv1a3.BackendTLSPolicy]{ + predicate.TypedGenerationChangedPredicate[*gwapiv1a3.BackendTLSPolicy]{}, + } + if r.namespaceLabel != nil { + btlsPredicates = append(btlsPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a3.BackendTLSPolicy](func(btp *gwapiv1a3.BackendTLSPolicy) bool { + return r.hasMatchingNamespaceLabels(btp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a3.BackendTLSPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *gwapiv1a3.BackendTLSPolicy) []reconcile.Request { - return r.enqueueClass(ctx, btp) - }), - btlsPredicates...)); err != nil { - return err - } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a3.BackendTLSPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *gwapiv1a3.BackendTLSPolicy) []reconcile.Request { + return r.enqueueClass(ctx, btp) + }), + btlsPredicates...)); err != nil { + return err + } - if err := addBtlsIndexers(ctx, mgr); err != nil { - return err + if err := addBtlsIndexers(ctx, mgr); err != nil { + return err + } } - // Watch EnvoyExtensionPolicy - eepPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyExtensionPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyExtensionPolicy]{}, - } - if r.namespaceLabel != nil { - eepPredicates = append(eepPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.EnvoyExtensionPolicy](func(eep *egv1a1.EnvoyExtensionPolicy) bool { - return r.hasMatchingNamespaceLabels(eep) - })) - } + r.eepCRDExists = r.crdExists(mgr, resource.KindEnvoyExtensionPolicy, egv1a1.GroupVersion.String()) + if !r.eepCRDExists { + r.log.Info("EnvoyExtensionPolicy CRD not found, skipping EnvoyExtensionPolicy watch") + } else { + // Watch EnvoyExtensionPolicy + eepPredicates := 
[]predicate.TypedPredicate[*egv1a1.EnvoyExtensionPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyExtensionPolicy]{}, + } + if r.namespaceLabel != nil { + eepPredicates = append(eepPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.EnvoyExtensionPolicy](func(eep *egv1a1.EnvoyExtensionPolicy) bool { + return r.hasMatchingNamespaceLabels(eep) + })) + } - // Watch EnvoyExtensionPolicy CRUDs - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.EnvoyExtensionPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, eep *egv1a1.EnvoyExtensionPolicy) []reconcile.Request { - return r.enqueueClass(ctx, eep) - }), - eepPredicates...)); err != nil { - return err - } - if err := addEnvoyExtensionPolicyIndexers(ctx, mgr); err != nil { - return err + // Watch EnvoyExtensionPolicy CRUDs + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.EnvoyExtensionPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, eep *egv1a1.EnvoyExtensionPolicy) []reconcile.Request { + return r.enqueueClass(ctx, eep) + }), + eepPredicates...)); err != nil { + return err + } + if err := addEnvoyExtensionPolicyIndexers(ctx, mgr); err != nil { + return err + } } r.log.Info("Watching gatewayAPI related objects") 
@@ -1649,31 +1749,35 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M r.log.Info("Watching additional policy resource", "resource", gvk.String()) } - // Watch HTTPRouteFilter CRUDs and process affected HTTPRoute objects. - httpRouteFilter := []predicate.TypedPredicate[*egv1a1.HTTPRouteFilter]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.HTTPRouteFilter]{}, - predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { - return r.validateHTTPRouteFilterForReconcile(be) - }), - } - if r.namespaceLabel != nil { - httpRouteFilter = append(httpRouteFilter, predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { - return r.hasMatchingNamespaceLabels(be) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.HTTPRouteFilter{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, be *egv1a1.HTTPRouteFilter) []reconcile.Request { - return r.enqueueClass(ctx, be) + r.hrfCRDExists = r.crdExists(mgr, resource.KindHTTPRouteFilter, egv1a1.GroupVersion.String()) + if !r.hrfCRDExists { + r.log.Info("HTTPRouteFilter CRD not found, skipping HTTPRouteFilter watch") + } else { + // Watch HTTPRouteFilter CRUDs and process affected HTTPRoute objects. 
+ httpRouteFilter := []predicate.TypedPredicate[*egv1a1.HTTPRouteFilter]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.HTTPRouteFilter]{}, + predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { + return r.validateHTTPRouteFilterForReconcile(be) }), - httpRouteFilter...)); err != nil { - return err - } + } + if r.namespaceLabel != nil { + httpRouteFilter = append(httpRouteFilter, predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { + return r.hasMatchingNamespaceLabels(be) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.HTTPRouteFilter{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, be *egv1a1.HTTPRouteFilter) []reconcile.Request { + return r.enqueueClass(ctx, be) + }), + httpRouteFilter...)); err != nil { + return err + } - if err := addRouteFilterIndexers(ctx, mgr); err != nil { - return err + if err := addRouteFilterIndexers(ctx, mgr); err != nil { + return err + } } - return nil } @@ -1813,8 +1917,8 @@ func (r *gatewayAPIReconciler) processEnvoyProxy(ep *egv1a1.EnvoyProxy, resource return nil } -// serviceImportCRDExists checks for the existence of the ServiceImport CRD in k8s APIServer before watching it -func (r *gatewayAPIReconciler) serviceImportCRDExists(mgr manager.Manager) bool { +// crdExists checks for the existence of the CRD in k8s APIServer before watching it +func (r *gatewayAPIReconciler) crdExists(mgr manager.Manager, kind string, groupVersion string) bool { discoveryClient, err := discovery.NewDiscoveryClientForConfig(mgr.GetConfig()) if err != nil { r.log.Error(err, "failed to create discovery client") 
@@ -1823,17 +1927,17 @@ func (r *gatewayAPIReconciler) serviceImportCRDExists(mgr manager.Manager) bool if err != nil { r.log.Error(err, "failed to get API resource list") } - serviceImportFound := false + found := false for _, list := range apiResourceList { for _, res := range list.APIResources { - if list.GroupVersion == mcsapiv1a1.GroupVersion.String() && res.Kind == resource.KindServiceImport { - serviceImportFound = true + if list.GroupVersion == groupVersion && res.Kind == kind { + found = true break } } } - return serviceImportFound + return found } func (r *gatewayAPIReconciler) processBackendTLSPolicyRefs( diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index ab3c098961e..031a2657a9c 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go @@ -40,6 +40,7 @@ const ( backendSecurityPolicyIndex = "backendSecurityPolicyIndex" configMapCtpIndex = "configMapCtpIndex" secretCtpIndex = "secretCtpIndex" + secretBtlsIndex = "secretBtlsIndex" configMapBtlsIndex = "configMapBtlsIndex" backendEnvoyExtensionPolicyIndex = "backendEnvoyExtensionPolicyIndex" backendEnvoyProxyTelemetryIndex = "backendEnvoyProxyTelemetryIndex" @@ -702,7 +703,7 @@ func configMapRouteFilterIndexFunc(rawObj client.Object) []string { return configMapReferences } -// addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap objects that are +// addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap and Secret objects that are // referenced in BackendTLSPolicy objects. This helps in querying for BackendTLSPolicies that are // affected by a particular ConfigMap CRUD. func addBtlsIndexers(ctx context.Context, mgr manager.Manager) error { 
@@ -710,6 +711,9 @@ func addBtlsIndexers(ctx context.Context, mgr manager.Manager) error { return err } + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a3.BackendTLSPolicy{}, secretBtlsIndex, secretBtlsIndexFunc); err != nil { + return err + } return nil } @@ -731,6 +735,24 @@ func configMapBtlsIndexFunc(rawObj client.Object) []string { return configMapReferences } +func secretBtlsIndexFunc(rawObj client.Object) []string { + btls := rawObj.(*gwapiv1a3.BackendTLSPolicy) + var secretReferences []string + if btls.Spec.Validation.CACertificateRefs != nil { + for _, caCertRef := range btls.Spec.Validation.CACertificateRefs { + if string(caCertRef.Kind) == resource.KindSecret { + secretReferences = append(secretReferences, + types.NamespacedName{ + Namespace: btls.Namespace, + Name: string(caCertRef.Name), + }.String(), + ) + } + } + } + return secretReferences +} + // addEnvoyExtensionPolicyIndexers adds indexing on EnvoyExtensionPolicy. // - For Service objects that are referenced in EnvoyExtensionPolicy objects via // `.spec.extProc.[*].service.backendObjectReference`. This helps in querying for diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index ae4f63ef3e9..d25ec2fb7d4 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go 
@@ -144,23 +144,53 @@ func (r *gatewayAPIReconciler) validateSecretForReconcile(obj client.Object) boo return true } - if r.isSecurityPolicyReferencingSecret(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingSecret(&nsName) { + return true + } } - if r.isCtpReferencingSecret(&nsName) { - return true + if r.ctpCRDExists { + if r.isCtpReferencingSecret(&nsName) { + return true + } } if r.isOIDCHMACSecret(&nsName) { return true } - if r.isEnvoyProxyReferencingSecret(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingSecret(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isExtensionPolicyReferencingSecret(&nsName) { + return true + } + } + + if r.bTLSPolicyCRDExists { + if r.isBackendTLSPolicyReferencingSecret(&nsName) { + return true + } } - if r.isExtensionPolicyReferencingSecret(&nsName) { + return false +} + +func (r *gatewayAPIReconciler) isBackendTLSPolicyReferencingSecret(nsName *types.NamespacedName) bool { + btlsList := &gwapiv1a3.BackendTLSPolicyList{} + if err := r.client.List(context.Background(), btlsList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(secretBtlsIndex, nsName.String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTLSPolicy") + return false + } + + if len(btlsList.Items) > 0 { return true } 
@@ -283,15 +313,25 @@ func (r *gatewayAPIReconciler) validateServiceForReconcile(obj client.Object) bo return true } - if r.isSecurityPolicyReferencingBackend(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingBackend(&nsName) { + return true + } } - if r.isEnvoyProxyReferencingBackend(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingBackend(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isEnvoyExtensionPolicyReferencingBackend(&nsName) { + return true + } } - return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) + return false } // validateBackendForReconcile tries finding the owning Gateway of the Backend @@ -309,15 +349,25 @@ func (r *gatewayAPIReconciler) validateBackendForReconcile(obj client.Object) bo return true } - if r.isSecurityPolicyReferencingBackend(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingBackend(&nsName) { + return true + } } - if r.isEnvoyProxyReferencingBackend(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingBackend(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isEnvoyExtensionPolicyReferencingBackend(&nsName) { + return true + } } - return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) + return false } func (r *gatewayAPIReconciler) isSecurityPolicyReferencingBackend(nsName *types.NamespacedName) bool { 
@@ -357,47 +407,63 @@ func (r *gatewayAPIReconciler) isRouteReferencingBackend(nsName *types.Namespace r.log.Error(err, "failed to find associated HTTPRoutes") return false } - - grpcRouteList := &gwapiv1.GRPCRouteList{} - if err := r.client.List(ctx, grpcRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendGRPCRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated GRPCRoutes") - return false + if len(httpRouteList.Items) > 0 { + return true } - tlsRouteList := &gwapiv1a2.TLSRouteList{} - if err := r.client.List(ctx, tlsRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendTLSRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated TLSRoutes") - return false + if r.grpcRouteCRDExists { + grpcRouteList := &gwapiv1.GRPCRouteList{} + if err := r.client.List(ctx, grpcRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendGRPCRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated GRPCRoutes") + return false + } + if len(grpcRouteList.Items) > 0 { + return true + } } - tcpRouteList := &gwapiv1a2.TCPRouteList{} - if err := r.client.List(ctx, tcpRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendTCPRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated TCPRoutes") - return false + if r.tlsRouteCRDExists { + tlsRouteList := &gwapiv1a2.TLSRouteList{} + if err := r.client.List(ctx, tlsRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendTLSRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated TLSRoutes") + return false + } + if len(tlsRouteList.Items) > 0 { + return true + } } - udpRouteList 
:= &gwapiv1a2.UDPRouteList{} - if err := r.client.List(ctx, udpRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendUDPRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated UDPRoutes") - return false + if r.tcpRouteCRDExists { + tcpRouteList := &gwapiv1a2.TCPRouteList{} + if err := r.client.List(ctx, tcpRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendTCPRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated TCPRoutes") + return false + } + if len(tcpRouteList.Items) > 0 { + return true + } } - // Check how many Route objects refer this Backend - allAssociatedRoutes := len(httpRouteList.Items) + - len(grpcRouteList.Items) + - len(tlsRouteList.Items) + - len(tcpRouteList.Items) + - len(udpRouteList.Items) + if r.udpRouteCRDExists { + udpRouteList := &gwapiv1a2.UDPRouteList{} + if err := r.client.List(ctx, udpRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendUDPRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated UDPRoutes") + return false + } + if len(udpRouteList.Items) > 0 { + return true + } + } - return allAssociatedRoutes != 0 + return false } // validateEndpointSliceForReconcile returns true if the endpointSlice references 
@@ -429,15 +495,25 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje return true } - if r.isSecurityPolicyReferencingBackend(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingBackend(&nsName) { + return true + } } - if r.isEnvoyProxyReferencingBackend(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingBackend(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isEnvoyExtensionPolicyReferencingBackend(&nsName) { + return true + } } - return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) + return false } // validateObjectForReconcile tries finding the owning Gateway of the Deployment or DaemonSet 
@@ -596,52 +672,60 @@ func (r *gatewayAPIReconciler) validateConfigMapForReconcile(obj client.Object) return false } - ctpList := &egv1a1.ClientTrafficPolicyList{} - if err := r.client.List(context.Background(), ctpList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapCtpIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find associated ClientTrafficPolicy") - return false - } + if r.ctpCRDExists { + ctpList := &egv1a1.ClientTrafficPolicyList{} + if err := r.client.List(context.Background(), ctpList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapCtpIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated ClientTrafficPolicy") + return false + } - if len(ctpList.Items) > 0 { - return true + if len(ctpList.Items) > 0 { + return true + } } - btlsList := &gwapiv1a3.BackendTLSPolicyList{} - if err := r.client.List(context.Background(), btlsList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapBtlsIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find associated BackendTLSPolicy") - return false - } + if r.bTLSPolicyCRDExists { + btlsList := &gwapiv1a3.BackendTLSPolicyList{} + if err := r.client.List(context.Background(), btlsList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapBtlsIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTLSPolicy") + return false + } - if len(btlsList.Items) > 0 { - return true + if len(btlsList.Items) > 0 { + return true + } } - btpList := &egv1a1.BackendTrafficPolicyList{} - if err := r.client.List(context.Background(), btpList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapBtpIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find 
associated BackendTrafficPolicy") - return false - } + if r.btpCRDExists { + btpList := &egv1a1.BackendTrafficPolicyList{} + if err := r.client.List(context.Background(), btpList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapBtpIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTrafficPolicy") + return false + } - if len(btpList.Items) > 0 { - return true + if len(btpList.Items) > 0 { + return true + } } - routeFilterList := &egv1a1.HTTPRouteFilterList{} - if err := r.client.List(context.Background(), routeFilterList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapHTTPRouteFilterIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find associated HTTPRouteFilter") - return false - } + if r.hrfCRDExists { + routeFilterList := &egv1a1.HTTPRouteFilterList{} + if err := r.client.List(context.Background(), routeFilterList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapHTTPRouteFilterIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated HTTPRouteFilter") + return false + } - if len(routeFilterList.Items) > 0 { - return true + if len(routeFilterList.Items) > 0 { + return true + } } return false diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 5954e94675e..d8abf845f4d 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -356,6 +356,9 @@ func TestValidateSecretForReconcile(t *testing.T) { r := gatewayAPIReconciler{ classController: egv1a1.GatewayControllerName, log: logger, + spCRDExists: true, + epCRDExists: true, + eepCRDExists: true, } for _, tc := range testCases { 
@@ -848,9 +851,16 @@ func TestValidateServiceForReconcile(t *testing.T) { logger := logging.DefaultLogger(egv1a1.LogLevelInfo) r := gatewayAPIReconciler{ - classController: egv1a1.GatewayControllerName, - log: logger, - mergeGateways: sets.New[string]("test-mg"), + classController: egv1a1.GatewayControllerName, + log: logger, + mergeGateways: sets.New[string]("test-mg"), + grpcRouteCRDExists: true, + tcpRouteCRDExists: true, + udpRouteCRDExists: true, + tlsRouteCRDExists: true, + spCRDExists: true, + eepCRDExists: true, + epCRDExists: true, } for _, tc := range testCases { diff --git a/internal/provider/kubernetes/resource.go b/internal/provider/kubernetes/resource.go index 4d3aafb6fa2..b867d6319d3 100644 --- a/internal/provider/kubernetes/resource.go +++ b/internal/provider/kubernetes/resource.go 
@@ -15,45 +15,47 @@ import ( ) type resourceMappings struct { - // Map for storing Gateways' NamespacedNames. + // Set for storing Gateways' NamespacedNames. allAssociatedGateways sets.Set[string] - // Map for storing ReferenceGrants' NamespacedNames. + // Set for storing ReferenceGrants' NamespacedNames. allAssociatedReferenceGrants sets.Set[string] - // Map for storing ServiceImports' NamespacedNames. + // Set for storing ServiceImports' NamespacedNames. allAssociatedServiceImports sets.Set[string] - // Map for storing EndpointSlices' NamespacedNames. + // Set for storing EndpointSlices' NamespacedNames. allAssociatedEndpointSlices sets.Set[string] - // Map for storing Secrets' NamespacedNames. + // Set for storing Backends' NamespacedNames. + allAssociatedBackends sets.Set[string] + // Set for storing Secrets' NamespacedNames. allAssociatedSecrets sets.Set[string] - // Map for storing ConfigMaps' NamespacedNames. + // Set for storing ConfigMaps' NamespacedNames. allAssociatedConfigMaps sets.Set[string] - // Map for storing namespaces for Route, Service and Gateway objects. + // Set for storing namespaces for Route, Service and Gateway objects. allAssociatedNamespaces sets.Set[string] - // Map for storing EnvoyProxies' NamespacedNames attaching to Gateway or GatewayClass. + // Set for storing EnvoyProxies' NamespacedNames attaching to Gateway or GatewayClass. allAssociatedEnvoyProxies sets.Set[string] - // Map for storing EnvoyPatchPolicies' NamespacedNames attaching to Gateway. + // Set for storing EnvoyPatchPolicies' NamespacedNames attaching to Gateway. allAssociatedEnvoyPatchPolicies sets.Set[string] - // Map for storing TLSRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing TLSRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedTLSRoutes sets.Set[string] - // Map for storing HTTPRoutes' NamespacedNames attaching to various Gateway objects. 
+ // Set for storing HTTPRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedHTTPRoutes sets.Set[string] - // Map for storing GRPCRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing GRPCRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedGRPCRoutes sets.Set[string] - // Map for storing TCPRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing TCPRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedTCPRoutes sets.Set[string] - // Map for storing UDPRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing UDPRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedUDPRoutes sets.Set[string] - // Map for storing backendRefs' BackendObjectReference referred by various Route objects. + // Set for storing backendRefs' BackendObjectReference referred by various Route objects. allAssociatedBackendRefs sets.Set[gwapiv1.BackendObjectReference] - // Map for storing ClientTrafficPolicies' NamespacedNames referred by various Route objects. + // Set for storing ClientTrafficPolicies' NamespacedNames referred by various Route objects. allAssociatedClientTrafficPolicies sets.Set[string] - // Map for storing BackendTrafficPolicies' NamespacedNames referred by various Route objects. + // Set for storing BackendTrafficPolicies' NamespacedNames referred by various Route objects. allAssociatedBackendTrafficPolicies sets.Set[string] - // Map for storing SecurityPolicies' NamespacedNames referred by various Route objects. + // Set for storing SecurityPolicies' NamespacedNames referred by various Route objects. allAssociatedSecurityPolicies sets.Set[string] - // Map for storing BackendTLSPolicies' NamespacedNames referred by various Backend objects. + // Set for storing BackendTLSPolicies' NamespacedNames referred by various Backend objects. 
allAssociatedBackendTLSPolicies sets.Set[string] - // Map for storing EnvoyExtensionPolicies' NamespacedNames attaching to various Gateway objects. + // Set for storing EnvoyExtensionPolicies' NamespacedNames attaching to various Gateway objects. allAssociatedEnvoyExtensionPolicies sets.Set[string] // extensionRefFilters is a map of filters managed by an extension. // The key is the namespaced name, group and kind of the filter and the value is the @@ -70,6 +72,7 @@ func newResourceMapping() *resourceMappings { allAssociatedReferenceGrants: sets.New[string](), allAssociatedServiceImports: sets.New[string](), allAssociatedEndpointSlices: sets.New[string](), + allAssociatedBackends: sets.New[string](), allAssociatedSecrets: sets.New[string](), allAssociatedConfigMaps: sets.New[string](), allAssociatedNamespaces: sets.New[string](), diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index dcc01631f3b..fa148ffd441 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go @@ -238,16 +238,17 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam resourceMap *resourceMappings, resourceTree *resource.Resources, ) error { httpRouteList := &gwapiv1.HTTPRouteList{} + if r.hrfCRDExists { + httpFilters, err := r.getHTTPRouteFilters(ctx) + if err != nil { + return err + } - httpFilters, err := r.getHTTPRouteFilters(ctx) - if err != nil { - return err - } - - for i := range httpFilters { - filter := httpFilters[i] - resourceMap.httpRouteFilters[utils.GetNamespacedNameWithGroupKind(&filter)] = &filter - r.processRouteFilterConfigMapRef(ctx, &filter, resourceMap, resourceTree) + for i := range httpFilters { + filter := httpFilters[i] + resourceMap.httpRouteFilters[utils.GetNamespacedNameWithGroupKind(&filter)] = &filter + r.processRouteFilterConfigMapRef(ctx, &filter, resourceMap, resourceTree) + } } extensionRefFilters, err := r.getExtensionRefFilters(ctx) 
diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go index c3d5553b0bf..a59eb82f75a 100644 --- a/internal/provider/kubernetes/status.go +++ b/internal/provider/kubernetes/status.go @@ -8,6 +8,7 @@ package kubernetes import ( "context" "fmt" + "reflect" kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -18,6 +19,7 @@ import ( gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/utils" @@ -74,7 +76,7 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext panic(err) } hCopy := h.DeepCopy() - hCopy.Status.Parents = val.Parents + hCopy.Status.Parents = mergeRouteParentStatus(h.Namespace, h.Status.Parents, val.Parents) return hCopy }), }) @@ -97,15 +99,15 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext NamespacedName: key, Resource: new(gwapiv1.GRPCRoute), Mutator: MutatorFunc(func(obj client.Object) client.Object { - h, ok := obj.(*gwapiv1.GRPCRoute) + g, ok := obj.(*gwapiv1.GRPCRoute) if !ok { err := fmt.Errorf("unsupported object type %T", obj) errChan <- err panic(err) } - hCopy := h.DeepCopy() - hCopy.Status.Parents = val.Parents - return hCopy + gCopy := g.DeepCopy() + gCopy.Status.Parents = mergeRouteParentStatus(g.Namespace, g.Status.Parents, val.Parents) + return gCopy }), }) }, @@ -136,7 +138,7 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext panic(err) } tCopy := t.DeepCopy() - tCopy.Status.Parents = val.Parents + tCopy.Status.Parents = mergeRouteParentStatus(t.Namespace, t.Status.Parents, val.Parents) return tCopy }), }) 
@@ -168,7 +170,7 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext panic(err) } tCopy := t.DeepCopy() - tCopy.Status.Parents = val.Parents + tCopy.Status.Parents = mergeRouteParentStatus(t.Namespace, t.Status.Parents, val.Parents) return tCopy }), }) @@ -193,15 +195,15 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext NamespacedName: key, Resource: new(gwapiv1a2.UDPRoute), Mutator: MutatorFunc(func(obj client.Object) client.Object { - t, ok := obj.(*gwapiv1a2.UDPRoute) + u, ok := obj.(*gwapiv1a2.UDPRoute) if !ok { err := fmt.Errorf("unsupported object type %T", obj) errChan <- err panic(err) } - tCopy := t.DeepCopy() - tCopy.Status.Parents = val.Parents - return tCopy + uCopy := u.DeepCopy() + uCopy.Status.Parents = mergeRouteParentStatus(u.Namespace, u.Status.Parents, val.Parents) + return uCopy }), }) }, 
@@ -469,6 +471,56 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext } } +// mergeRouteParentStatus merges the old and new RouteParentStatus. +// This is needed because the RouteParentStatus doesn't support strategic merge patch yet. +func mergeRouteParentStatus(ns string, old, new []gwapiv1.RouteParentStatus) []gwapiv1.RouteParentStatus { + merged := make([]gwapiv1.RouteParentStatus, len(old)) + _ = copy(merged, old) + for _, parent := range new { + found := -1 + for i, existing := range old { + if isParentRefEqual(parent.ParentRef, existing.ParentRef, ns) { + found = i + break + } + } + if found >= 0 { + merged[found] = parent + } else { + merged = append(merged, parent) + } + } + return merged +} + +func isParentRefEqual(ref1, ref2 gwapiv1.ParentReference, routeNS string) bool { + defaultGroup := (*gwapiv1.Group)(&gwapiv1.GroupVersion.Group) + if ref1.Group == nil { + ref1.Group = defaultGroup + } + if ref2.Group == nil { + ref2.Group = defaultGroup + } + + defaultKind := gwapiv1.Kind(resource.KindGateway) + if ref1.Kind == nil { + ref1.Kind = &defaultKind + } + if ref2.Kind == nil { + ref2.Kind = &defaultKind + } + + // If the parent's namespace is not set, default to the namespace of the Route. + defaultNS := gwapiv1.Namespace(routeNS) + if ref1.Namespace == nil { + ref1.Namespace = &defaultNS + } + if ref2.Namespace == nil { + ref2.Namespace = &defaultNS + } + return reflect.DeepEqual(ref1, ref2) +} + func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw *gwapiv1.Gateway) { // nil check for unit tests. if r.statusUpdater == nil { diff --git a/internal/provider/kubernetes/status_test.go b/internal/provider/kubernetes/status_test.go new file mode 100644 index 00000000000..5e81c46135e --- /dev/null +++ b/internal/provider/kubernetes/status_test.go 
@@ -0,0 +1,294 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package kubernetes + +import ( + "reflect" + "testing" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" +) + +func Test_mergeRouteParentStatus(t *testing.T) { + type args struct { + old []gwapiv1.RouteParentStatus + new []gwapiv1.RouteParentStatus + } + tests := []struct { + name string + args args + want []gwapiv1.RouteParentStatus + }{ + { + name: "merge old and new", + args: args{ + old: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + Namespace: ptr.To[gwapiv1.Namespace]("default"), + SectionName: ptr.To[gwapiv1.SectionName]("listener1"), + Port: ptr.To[gwapiv1.PortNumber](80), + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + }, + new: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + want: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + Namespace: ptr.To[gwapiv1.Namespace]("default"), + SectionName: ptr.To[gwapiv1.SectionName]("listener1"), + Port: ptr.To[gwapiv1.PortNumber](80), + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + 
Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + + { + name: "override an existing parent", + args: args{ + old: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + Namespace: ptr.To[gwapiv1.Namespace]("default"), + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + }, + new: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + want: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + 
{ + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + + { + name: "nothing changed", + args: args{ + old: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + new: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + want: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: 
string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := mergeRouteParentStatus("default", tt.args.old, tt.args.new); !reflect.DeepEqual(got, tt.want) { + t.Errorf("mergeRouteParentStatus() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/internal/utils/protocov/protocov.go b/internal/utils/protocov/protocov.go index 6533f84c543..2c5693ee9a3 100644 --- a/internal/utils/protocov/protocov.go +++ b/internal/utils/protocov/protocov.go 
@@ -12,30 +12,30 @@ import ( "google.golang.org/protobuf/types/known/anypb" ) -const ( - APIPrefix = "type.googleapis.com/" -) - -var marshalOpts = proto.MarshalOptions{} +// Deprecated: error should not be ignored, use ToAnyWithValidation instead. +func ToAny(msg proto.Message) *anypb.Any { + res, err := ToAnyWithValidation(msg) + if err != nil { + return nil + } + return res +} -func ToAnyWithError(msg proto.Message) (*anypb.Any, error) { +func ToAnyWithValidation(msg proto.Message) (*anypb.Any, error) { if msg == nil { return nil, errors.New("empty message received") } - b, err := marshalOpts.Marshal(msg) - if err != nil { - return nil, err + + // If the message has a ValidateAll method, call it before marshaling. + if validator, ok := msg.(interface{ ValidateAll() error }); ok { + if err := validator.ValidateAll(); err != nil { + return nil, err + } } - return &anypb.Any{ - TypeUrl: APIPrefix + string(msg.ProtoReflect().Descriptor().FullName()), - Value: b, - }, nil -} -func ToAny(msg proto.Message) *anypb.Any { - res, err := ToAnyWithError(msg) + any, err := anypb.New(msg) if err != nil { - return nil + return nil, err } - return res + return any, nil } diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go index 0efad8c314f..e8aab4d836a 100644 --- a/internal/xds/bootstrap/bootstrap.go +++ b/internal/xds/bootstrap/bootstrap.go @@ -9,13 +9,15 @@ import ( // Register embed _ "embed" "fmt" + "net" + "strconv" "strings" "text/template" "k8s.io/apimachinery/pkg/util/sets" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/utils/net" + netutils "github.com/envoyproxy/gateway/internal/utils/net" "github.com/envoyproxy/gateway/internal/utils/regex" ) 
@@ -199,9 +201,9 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err host, port = *sink.OpenTelemetry.Host, uint32(sink.OpenTelemetry.Port) } if len(sink.OpenTelemetry.BackendRefs) > 0 { - host, port = net.BackendHostAndPort(sink.OpenTelemetry.BackendRefs[0].BackendObjectReference, "") + host, port = netutils.BackendHostAndPort(sink.OpenTelemetry.BackendRefs[0].BackendObjectReference, "") } - addr := fmt.Sprintf("%s:%d", host, port) + addr := net.JoinHostPort(host, strconv.Itoa(int(port))) if addresses.Has(addr) { continue } diff --git a/internal/xds/translator/accesslog.go b/internal/xds/translator/accesslog.go index 6660ba8fab6..076eb659d83 100644 --- a/internal/xds/translator/accesslog.go +++ b/internal/xds/translator/accesslog.go @@ -22,7 +22,6 @@ import ( "github.com/envoyproxy/go-control-plane/pkg/wellknown" otlpcommonv1 "go.opentelemetry.io/proto/otlp/common/v1" "golang.org/x/exp/maps" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/structpb" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -90,9 +89,9 @@ var ( } ) -func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) []*accesslog.AccessLog { +func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([]*accesslog.AccessLog, error) { if al == nil { - return nil + return nil, nil } totalLen := len(al.Text) + len(al.JSON) + len(al.OpenTelemetry) @@ -133,8 +132,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] filelog.GetLogFormat().Formatters = formatters } - // TODO: find a better way to handle this - accesslogAny, _ := anypb.New(filelog) + accesslogAny, err := protocov.ToAnyWithValidation(filelog) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: wellknown.FileAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ 
@@ -185,7 +186,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] filelog.GetLogFormat().Formatters = formatters } - accesslogAny, _ := anypb.New(filelog) + accesslogAny, err := protocov.ToAnyWithValidation(filelog) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: wellknown.FileAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -228,7 +232,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] alCfg.AdditionalResponseTrailersToLog = als.HTTP.ResponseTrailers } - accesslogAny, _ := anypb.New(alCfg) + accesslogAny, err := protocov.ToAnyWithValidation(alCfg) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: wellknown.HTTPGRPCAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -241,7 +248,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] CommonConfig: cc, } - accesslogAny, _ := anypb.New(alCfg) + accesslogAny, err := protocov.ToAnyWithValidation(alCfg) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: tcpGRPCAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -297,7 +307,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] al.Formatters = formatters } - accesslogAny, _ := anypb.New(al) + accesslogAny, err := protocov.ToAnyWithValidation(al) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: otelAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -307,7 +320,7 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] }) } - return accessLogs + return accessLogs, nil } func celAccessLogFilter(expr string) *accesslog.AccessLogFilter { diff --git a/internal/xds/translator/authorization.go b/internal/xds/translator/authorization.go index 0d2d19dc571..e19d1dbaf53 100644 
--- a/internal/xds/translator/authorization.go +++ b/internal/xds/translator/authorization.go @@ -26,6 +26,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -75,7 +76,7 @@ func (*rbac) patchHCM( // buildHCMRBACFilter returns a RBAC filter from the provided IR listener. func buildHCMRBACFilter() (*hcmv3.HttpFilter, error) { rbacProto := &rbacv3.RBAC{} - rbacAny, err := anypb.New(rbacProto) + rbacAny, err := protocov.ToAnyWithValidation(rbacProto) if err != nil { return nil, err } @@ -133,7 +134,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { return err } - if cfgAny, err = anypb.New(rbacPerRoute); err != nil { + if cfgAny, err = protocov.ToAnyWithValidation(rbacPerRoute); err != nil { return err } @@ -159,7 +160,7 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e Name: "ALLOW", Action: rbacconfigv3.RBAC_ALLOW, } - if allowAction, err = anypb.New(allow); err != nil { + if allowAction, err = protocov.ToAnyWithValidation(allow); err != nil { return nil, err } @@ -167,7 +168,7 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e Name: "DENY", Action: rbacconfigv3.RBAC_DENY, } - if denyAction, err = anypb.New(deny); err != nil { + if denyAction, err = protocov.ToAnyWithValidation(deny); err != nil { return nil, err } @@ -287,11 +288,6 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e rbac.Rbac.Matcher.MatcherType = nil } - // We need to validate the RBACPerRoute message before converting it to an Any. - if err = rbac.ValidateAll(); err != nil { - return nil, err - } - return rbac, nil } 
@@ -316,11 +312,11 @@ func buildIPPredicate(clientCIDRs []*ir.CIDRMatch) (*matcherv3.Matcher_MatcherLi }) } - if ipMatcher, err = anypb.New(ipRangeMatcher); err != nil { + if ipMatcher, err = protocov.ToAnyWithValidation(ipRangeMatcher); err != nil { return nil, err } - if sourceIPInput, err = anypb.New(&networkinput.SourceIPInput{}); err != nil { + if sourceIPInput, err = protocov.ToAnyWithValidation(&networkinput.SourceIPInput{}); err != nil { return nil, err } @@ -389,11 +385,11 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis }, } - if inputPb, err = anypb.New(input); err != nil { + if inputPb, err = protocov.ToAnyWithValidation(input); err != nil { return nil, err } - if matcherPb, err = anypb.New(scopeMatcher); err != nil { + if matcherPb, err = protocov.ToAnyWithValidation(scopeMatcher); err != nil { return nil, err } @@ -454,7 +450,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis Path: path, } - if inputPb, err = anypb.New(input); err != nil { + if inputPb, err = protocov.ToAnyWithValidation(input); err != nil { return nil, err } @@ -492,7 +488,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis } } - if matcherPb, err = anypb.New(&metadatav3.Metadata{ + if matcherPb, err = protocov.ToAnyWithValidation(&metadatav3.Metadata{ Value: valueMatcher, }); err != nil { return nil, err diff --git a/internal/xds/translator/basicauth.go b/internal/xds/translator/basicauth.go index 50c4935140b..31a421ae8a9 100644 --- a/internal/xds/translator/basicauth.go +++ b/internal/xds/translator/basicauth.go @@ -17,6 +17,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) 
@@ -84,7 +85,7 @@ func buildHCMBasicAuthFilter(basicAuth *ir.BasicAuth) (*hcmv3.HttpFilter, error) if err = basicAuthProto.ValidateAll(); err != nil { return nil, err } - if basicAuthAny, err = anypb.New(basicAuthProto); err != nil { + if basicAuthAny, err = protocov.ToAnyWithValidation(basicAuthProto); err != nil { return nil, err } @@ -134,7 +135,7 @@ func (*basicAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error return err } - if basicAuthAny, err = anypb.New(basicAuthProto); err != nil { + if basicAuthAny, err = protocov.ToAnyWithValidation(basicAuthProto); err != nil { return err } diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 145d616bde7..5a13076e456 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -30,6 +30,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" ) const ( @@ -157,6 +158,9 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster { }, }, } + // Dont wait for a health check to determine health and remove these endpoints + // if the endpoint has been removed via EDS by the control plane + cluster.IgnoreHealthOnHostRemoval = true } else { cluster.ClusterDiscoveryType = &clusterv3.Cluster_Type{Type: clusterv3.Cluster_STRICT_DNS} cluster.DnsRefreshRate = durationpb.New(30 * time.Second) 
@@ -509,7 +513,7 @@ func buildTypedExtensionProtocolOptions(args *xdsClusterArgs) map[string]*anypb. if args.http1Settings != nil { http1opts.EnableTrailers = args.http1Settings.EnableTrailers if args.http1Settings.PreserveHeaderCase { - preservecaseAny, _ := anypb.New(&preservecasev3.PreserveCaseFormatterConfig{}) + preservecaseAny, _ := protocov.ToAnyWithValidation(&preservecasev3.PreserveCaseFormatterConfig{}) http1opts.HeaderKeyFormat = &corev3.Http1ProtocolOptions_HeaderKeyFormat{ HeaderFormat: &corev3.Http1ProtocolOptions_HeaderKeyFormat_StatefulFormatter{ StatefulFormatter: &corev3.TypedExtensionConfig{ @@ -562,7 +566,7 @@ func buildTypedExtensionProtocolOptions(args *xdsClusterArgs) map[string]*anypb. } } - anyProtocolOptions, _ := anypb.New(&protocolOptions) + anyProtocolOptions, _ := protocov.ToAnyWithValidation(&protocolOptions) extensionOptions := map[string]*anypb.Any{ extensionOptionsKey: anyProtocolOptions, @@ -593,7 +597,7 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T // If existing transport socket does not exist wrap around raw buffer if tSocket == nil { rawCtx := &rawbufferv3.RawBuffer{} - rawCtxAny, err := anypb.New(rawCtx) + rawCtxAny, err := protocov.ToAnyWithValidation(rawCtx) if err != nil { return nil } @@ -608,7 +612,7 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T ppCtx.TransportSocket = tSocket } - ppCtxAny, err := anypb.New(ppCtx) + ppCtxAny, err := protocov.ToAnyWithValidation(ppCtx) if err != nil { return nil } diff --git a/internal/xds/translator/custom_response.go b/internal/xds/translator/custom_response.go index e5d48d21bfd..6cca67982e9 100644 --- a/internal/xds/translator/custom_response.go +++ b/internal/xds/translator/custom_response.go 
@@ -24,6 +24,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -85,7 +86,7 @@ func (c *customResponse) buildHCMCustomResponseFilter(ro *ir.ResponseOverride) ( return nil, err } - any, err := anypb.New(proto) + any, err := protocov.ToAnyWithValidation(proto) if err != nil { return nil, err } @@ -237,7 +238,7 @@ func (c *customResponse) buildHTTPAttributeCELInput() (*cncfv3.TypedExtensionCon err error ) - if pb, err = anypb.New(&matcherv3.HttpAttributesCelMatchInput{}); err != nil { + if pb, err = protocov.ToAnyWithValidation(&matcherv3.HttpAttributesCelMatchInput{}); err != nil { return nil, err } @@ -253,7 +254,7 @@ func (c *customResponse) buildStatusCodeInput() (*cncfv3.TypedExtensionConfig, e err error ) - if pb, err = anypb.New(&envoymatcherv3.HttpResponseStatusCodeMatchInput{}); err != nil { + if pb, err = protocov.ToAnyWithValidation(&envoymatcherv3.HttpResponseStatusCodeMatchInput{}); err != nil { return nil, err } @@ -364,7 +365,7 @@ func (c *customResponse) buildStatusCodeCELMatcher(codeRange ir.StatusCodeRange) return nil, err } - if pb, err = anypb.New(matcher); err != nil { + if pb, err = protocov.ToAnyWithValidation(matcher); err != nil { return nil, err } @@ -403,7 +404,7 @@ func (c *customResponse) buildAction(r ir.ResponseOverrideRule) (*matcherv3.Matc return nil, err } - if pb, err = anypb.New(response); err != nil { + if pb, err = protocov.ToAnyWithValidation(response); err != nil { return nil, err } diff --git a/internal/xds/translator/fault.go b/internal/xds/translator/fault.go index e0acbd6c840..192ce5bf8e9 100644 --- a/internal/xds/translator/fault.go +++ b/internal/xds/translator/fault.go 
@@ -20,6 +20,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -71,7 +72,7 @@ func buildHCMFaultFilter() (*hcmv3.HttpFilter, error) { return nil, err } - faultAny, err := anypb.New(faultProto) + faultAny, err := protocov.ToAnyWithValidation(faultProto) if err != nil { return nil, err } @@ -165,7 +166,7 @@ func (*fault) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { return nil } - routeCfgAny, err := anypb.New(routeCfgProto) + routeCfgAny, err := protocov.ToAnyWithValidation(routeCfgProto) if err != nil { return err } diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go index 53a20808ff6..f3f16b20c6f 100644 --- a/internal/xds/translator/jwt.go +++ b/internal/xds/translator/jwt.go @@ -22,6 +22,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -76,11 +77,7 @@ func buildHCMJWTFilter(irListener *ir.HTTPListener) (*hcmv3.HttpFilter, error) { return nil, err } - if err := jwtAuthnProto.ValidateAll(); err != nil { - return nil, err - } - - jwtAuthnAny, err := anypb.New(jwtAuthnProto) + jwtAuthnAny, err := protocov.ToAnyWithValidation(jwtAuthnProto) if err != nil { return nil, err } @@ -214,7 +211,7 @@ func buildXdsUpstreamTLSSocket(sni string) (*corev3.TransportSocket, error) { }, } - tlsCtxAny, err := anypb.New(tlsCtxProto) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtxProto) if err != nil { return nil, err } 
@@ -247,7 +244,7 @@ func (*jwt) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { RequirementSpecifier: &jwtauthnv3.PerRouteConfig_RequirementName{RequirementName: irRoute.Name}, } - routeCfgAny, err := anypb.New(routeCfgProto) + routeCfgAny, err := protocov.ToAnyWithValidation(routeCfgProto) if err != nil { return err } diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index c855d3ddf92..9a68c5f3c1f 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -29,7 +29,6 @@ import ( "github.com/envoyproxy/go-control-plane/pkg/resource/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" "google.golang.org/protobuf/proto" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/wrapperspb" "k8s.io/utils/ptr" @@ -66,7 +65,7 @@ func http1ProtocolOptions(opts *ir.HTTP1Settings) *corev3.Http1ProtocolOptions { EnableTrailers: opts.EnableTrailers, } if opts.PreserveHeaderCase { - preservecaseAny, _ := anypb.New(&preservecasev3.PreserveCaseFormatterConfig{}) + preservecaseAny, _ := protocov.ToAnyWithValidation(&preservecasev3.PreserveCaseFormatterConfig{}) r.HeaderKeyFormat = &corev3.Http1ProtocolOptions_HeaderKeyFormat{ HeaderFormat: &corev3.Http1ProtocolOptions_HeaderKeyFormat_StatefulFormatter{ StatefulFormatter: &corev3.TypedExtensionConfig{ @@ -131,7 +130,7 @@ func originalIPDetectionExtensions(clientIPDetection *ir.ClientIPDetectionSettin rejectWithStatus = &typev3.HttpStatus{Code: typev3.StatusCode_Forbidden} } - customHeaderConfigAny, _ := anypb.New(&customheaderv3.CustomHeaderConfig{ + customHeaderConfigAny, _ := protocov.ToAnyWithValidation(&customheaderv3.CustomHeaderConfig{ HeaderName: clientIPDetection.CustomHeader.Name, RejectWithStatus: rejectWithStatus, 
@@ -179,9 +178,19 @@ func setAddressByIPFamily(socketAddress *corev3.SocketAddress, ipFamily *ir.IPFa // buildXdsTCPListener creates a xds Listener resource // TODO: Improve function parameters -func buildXdsTCPListener(name, address string, port uint32, ipFamily *ir.IPFamily, keepalive *ir.TCPKeepalive, connection *ir.ClientConnection, accesslog *ir.AccessLog) *listenerv3.Listener { +func buildXdsTCPListener( + name, address string, + port uint32, + ipFamily *ir.IPFamily, + keepalive *ir.TCPKeepalive, + connection *ir.ClientConnection, + accesslog *ir.AccessLog, +) (*listenerv3.Listener, error) { socketOptions := buildTCPSocketOptions(keepalive) - al := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) + al, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) + if err != nil { + return nil, err + } bufferLimitBytes := buildPerConnectionBufferLimitBytes(connection) listener := &listenerv3.Listener{ Name: name, @@ -203,7 +212,7 @@ func buildXdsTCPListener(name, address string, port uint32, ipFamily *ir.IPFamil socketAddress := listener.Address.GetSocketAddress() listener.AdditionalAddresses = setAddressByIPFamily(socketAddress, ipFamily, port) - return listener + return listener, nil } func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrapperspb.UInt32Value { 
@@ -214,10 +223,14 @@ func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrappe } // buildXdsQuicListener creates a xds Listener resource for quic -func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.AccessLog) *listenerv3.Listener { +func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.AccessLog) (*listenerv3.Listener, error) { + log, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) + if err != nil { + return nil, err + } xdsListener := &listenerv3.Listener{ Name: name + "-quic", - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener), + AccessLog: log, Address: &corev3.Address{ Address: &corev3.Address_SocketAddress{ SocketAddress: &corev3.SocketAddress{ @@ -238,7 +251,7 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces DrainType: listenerv3.Listener_MODIFY_ONLY, } - return xdsListener + return xdsListener, nil } // addHCMToXDSListener adds a HCM filter to the listener's filter chain, and adds @@ -254,7 +267,10 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces func (t *Translator) addHCMToXDSListener(xdsListener *listenerv3.Listener, irListener *ir.HTTPListener, accesslog *ir.AccessLog, tracing *ir.Tracing, http3Listener bool, connection *ir.ClientConnection, ) error { - al := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + al, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + if err != nil { + return err + } hcmTracing, err := buildHCMTracing(tracing) if err != nil { @@ -454,7 +470,7 @@ func buildEarlyHeaderMutation(headers *ir.HeaderSettings) []*corev3.TypedExtensi mutationRules = append(mutationRules, mr) } - earlyHeaderMutationAny, _ := anypb.New(&early_header_mutationv3.HeaderMutation{ + earlyHeaderMutationAny, _ := protocov.ToAnyWithValidation(&early_header_mutationv3.HeaderMutation{ Mutations: mutationRules, }) 
@@ -526,9 +542,12 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irRoute *ir.TCPRoute // Append port to the statPrefix. statPrefix = strings.Join([]string{statPrefix, strconv.Itoa(int(xdsListener.Address.GetSocketAddress().GetPortValue()))}, "-") - + al, error := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + if error != nil { + return error + } mgr := &tcpv3.TcpProxy{ - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute), + AccessLog: al, StatPrefix: statPrefix, ClusterSpecifier: &tcpv3.TcpProxy_Cluster{ Cluster: clusterName, @@ -612,7 +631,7 @@ func addXdsTLSInspectorFilter(xdsListener *listenerv3.Listener) error { } tlsInspector := &tls_inspectorv3.TlsInspector{} - tlsInspectorAny, err := anypb.New(tlsInspector) + tlsInspectorAny, err := protocov.ToAnyWithValidation(tlsInspector) if err != nil { return err } @@ -660,7 +679,7 @@ func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig) (*corev3.Transp setDownstreamTLSSessionSettings(tlsConfig, tlsCtx.DownstreamTlsContext) - tlsCtxAny, err := anypb.New(tlsCtx) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx) if err != nil { return nil, err } @@ -702,7 +721,7 @@ func buildXdsDownstreamTLSSocket(tlsConfig *ir.TLSConfig) (*corev3.TransportSock setDownstreamTLSSessionSettings(tlsConfig, tlsCtx) - tlsCtxAny, err := anypb.New(tlsCtx) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx) if err != nil { return nil, err } 
@@ -817,14 +836,18 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access route := &udpv3.Route{ Cluster: clusterName, } - routeAny, err := anypb.New(route) + routeAny, err := protocov.ToAnyWithValidation(route) if err != nil { return nil, err } + al, error := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + if error != nil { + return nil, error + } udpProxy := &udpv3.UdpProxyConfig{ StatPrefix: statPrefix, - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute), + AccessLog: al, RouteSpecifier: &udpv3.UdpProxyConfig_Matcher{ Matcher: &matcher.Matcher{ OnNoMatch: &matcher.Matcher_OnMatch{ @@ -838,14 +861,17 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access }, }, } - udpProxyAny, err := anypb.New(udpProxy) + udpProxyAny, err := protocov.ToAnyWithValidation(udpProxy) if err != nil { return nil, err } + if al, err = buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener); err != nil { + return nil, err + } xdsListener := &listenerv3.Listener{ Name: udpListener.Name, - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener), + AccessLog: al, Address: &corev3.Address{ Address: &corev3.Address_SocketAddress{ SocketAddress: &corev3.SocketAddress{ @@ -892,7 +918,7 @@ func translateEscapePath(in ir.PathEscapedSlashAction) hcmv3.HttpConnectionManag } func toNetworkFilter(filterName string, filterProto proto.Message) (*listenerv3.Filter, error) { - filterAny, err := protocov.ToAnyWithError(filterProto) + filterAny, err := protocov.ToAnyWithValidation(filterProto) if err != nil { return nil, err } diff --git a/internal/xds/translator/listener_test.go b/internal/xds/translator/listener_test.go index 28572bb06be..fbb716c1ac4 100644 --- a/internal/xds/translator/listener_test.go +++ b/internal/xds/translator/listener_test.go 
@@ -10,6 +10,7 @@ import ( "reflect" "testing" + routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" typev3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/stretchr/testify/assert" @@ -25,12 +26,24 @@ func Test_toNetworkFilter(t *testing.T) { wantErr error }{ { - name: "valid filter", - proto: &hcmv3.HttpConnectionManager{}, + name: "valid filter", + proto: &hcmv3.HttpConnectionManager{ + StatPrefix: "stats", + RouteSpecifier: &hcmv3.HttpConnectionManager_RouteConfig{ + RouteConfig: &routev3.RouteConfiguration{ + Name: "route", + }, + }, + }, wantErr: nil, }, { name: "invalid proto msg", + proto: &hcmv3.HttpConnectionManager{}, + wantErr: errors.New("invalid HttpConnectionManager.StatPrefix: value length must be at least 1 runes; invalid HttpConnectionManager.RouteSpecifier: value is required"), + }, + { + name: "nil proto msg", proto: nil, wantErr: errors.New("empty message received"), }, @@ -39,7 +52,7 @@ func Test_toNetworkFilter(t *testing.T) { t.Run(tt.name, func(t *testing.T) { _, err := toNetworkFilter("name", tt.proto) if tt.wantErr != nil { - assert.Equalf(t, tt.wantErr, err, "toNetworkFilter(%v)", tt.proto) + assert.Containsf(t, err.Error(), tt.wantErr.Error(), "toNetworkFilter(%v)", tt.proto) } else { assert.NoErrorf(t, err, "toNetworkFilter(%v)", tt.proto) } diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index e4e7b4a0216..a706cae662f 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go 
@@ -16,12 +16,12 @@ import ( tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" "github.com/golang/protobuf/ptypes/wrappers" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" "k8s.io/utils/ptr" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -83,7 +83,7 @@ func buildHCMOAuth2Filter(oidc *ir.OIDC) (*hcmv3.HttpFilter, error) { return nil, err } - OAuth2Any, err := anypb.New(oauth2Proto) + OAuth2Any, err := protocov.ToAnyWithValidation(oauth2Proto) if err != nil { return nil, err } diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml index 90e9f0e0c9b..434f2fb524c 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml @@ -11,7 +11,8 @@ accesslog: protocol: "%PROTOCOL%" response_code: "%RESPONSE_CODE%" als: - - destination: + - name: als + destination: name: accesslog/monitoring/envoy-als/port/9000 settings: - addressType: IP diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml index 5169bae040e..3f84816fdcf 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml @@ -13,7 +13,8 @@ accesslog: protocol: "%PROTOCOL%" response_code: "%RESPONSE_CODE%" als: - - destination: + - name: als + destination: name: accesslog/monitoring/envoy-als/port/9000 settings: - addressType: IP 
diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml index c93708b4c8a..8b83e16d556 100644 --- a/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml @@ -44,7 +44,7 @@ http: isIPv6: false maskLen: 24 jwt: - issuer: https://one.example.com + provider: https://one.example.com scopes: - foo claims: @@ -68,7 +68,7 @@ http: isIPv6: false maskLen: 24 jwt: - issuer: https://two.example.com + provider: https://two.example.com scopes: - for - bar diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml index 8012c6fa499..cdbb352dd54 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml index 45f45f5c9bf..f986750be1b 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml index 45f45f5c9bf..f986750be1b 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml index be515fc1afb..9696a28a86c 100755 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml @@ -11,6 +11,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog/monitoring/envoy-als/port/9000 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 outlierDetection: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml index 6d040000dbb..22d5e08aca3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml index ea9ef9405ee..7709f2c4e9c 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml index 6d040000dbb..22d5e08aca3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml index 6d040000dbb..22d5e08aca3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml index e0328b6e26c..5e41cf09397 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_0_1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_0_1 outlierDetection: {} @@ -51,6 +53,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_0_2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_0_2 outlierDetection: {} @@ -75,6 +78,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_1_1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_1_1 outlierDetection: {} @@ -99,6 +103,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_1_2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_1_2 outlierDetection: {} @@ -123,6 +128,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_2_1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_2_1 outlierDetection: {} @@ -147,6 +153,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_2_2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_2_2 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml index d9c561cee48..dbf145e7d6d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog/monitoring/envoy-als/port/9000 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml index fecb2076871..9df135e671c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml @@ -43,6 +43,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - filter: responseFlagFilter: @@ -119,6 +120,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - name: envoy.access_loggers.open_telemetry typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml index d9c561cee48..dbf145e7d6d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog/monitoring/envoy-als/port/9000 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml index 3b52d45e8e8..0ef9cdc5fab 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml @@ -43,6 +43,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - filter: responseFlagFilter: @@ -119,6 +120,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - name: envoy.access_loggers.open_telemetry typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml index b3f75f0e04e..0002897cb8d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-3/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-3/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml index 660d4f6b224..f5211bc9922 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml index 660d4f6b224..f5211bc9922 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml index 9714612e3de..1c72d4f070f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml index c6510f63778..2b9a4906343 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml @@ -59,7 +59,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: scope - orMatcher: predicate: @@ -79,7 +79,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: roles - singlePredicate: customMatch: @@ -97,7 +97,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: roles - singlePredicate: customMatch: @@ -113,7 +113,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: department - onMatch: action: @@ -155,7 +155,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: scope - singlePredicate: customMatch: @@ -173,7 +173,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: scope - orMatcher: predicate: 
@@ -193,7 +193,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: roles - singlePredicate: customMatch: @@ -211,7 +211,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: roles - orMatcher: predicate: @@ -229,7 +229,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: name - singlePredicate: customMatch: @@ -245,7 +245,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: name onNoMatch: action: diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml index 33c8f6a68a4..e36a7f976be 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml index b6f2821b650..4088295c2de 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-http-route/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-http-route/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml index e4e5b8994bc..1c7cbaf45e0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} 
@@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml index 90636e8ffe1..93e5ebb91b6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml @@ -13,6 +13,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml index 5aa4727b18a..045afb39e71 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml index a89644e62d9..b7a2badfead 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml index 9714612e3de..1c72d4f070f 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml index 880f77a06f0..18846488a59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml index 880f77a06f0..18846488a59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml index e478c2054cd..ba70eb86e94 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend outlierDetection: {} 
@@ -85,6 +89,7 @@ ads: {} resourceApiVersion: V3 serviceName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml index 4e73328fa8e..3bac84394be 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -45,6 +47,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-http-route/0 + ignoreHealthOnHostRemoval: true name: envoyextensionpolicy/default/policy-for-http-route/0 outlierDetection: baseEjectionTime: 30s diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml index 6ea0615cb31..ede262a5694 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-route-2/0/grpc-backend-4 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-route-2/0/grpc-backend-4 outlierDetection: {} @@ -68,6 +71,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-route-1/0/grpc-backend-2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-route-1/0/grpc-backend-2 outlierDetection: {} @@ -92,6 +96,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0/grpc-backend-3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0/grpc-backend-3 outlierDetection: {} @@ -116,6 +121,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml index 03e10ccd7fc..ff3aedce52a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml index d65e267ad7d..820f85f625b 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml index 7a7e90de25b..0a3d6ba340e 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml index 485139eb2c8..09b9396270a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml @@ -25,6 +25,7 @@ interval: 3s timeout: 0.500s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: @@ -61,6 +62,7 @@ interval: 5s timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: @@ -94,6 +96,7 @@ text: "70696e67" timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: @@ -127,6 +130,7 @@ binary: cGluZw== timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: @@ -158,6 +162,7 @@ interval: 5s timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml index 22e6727066a..35b68d18b32 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -37,6 +38,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml index e9ea29c138f..f1b16b07b54 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml index f8cfa834cdd..4f007ff7c47 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml index 7d112afb676..9b420408aaa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml index f0ea3b32320..3e4300de532 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml index 53d1f9a7c1a..0bd72d2b460 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml index 0322cbb616d..d76408ee96f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} 
@@ -95,6 +100,7 @@ ads: {} resourceApiVersion: V3 serviceName: sixth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: sixth-route-dest outlierDetection: {} @@ -112,6 +118,7 @@ ads: {} resourceApiVersion: V3 serviceName: seventh-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: seventh-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml index 046021604df..7be6b0f7ade 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: mirror-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: mirror-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: mirror-route-dest1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: mirror-route-dest1 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml index 61496817710..565c93fd5ff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: valid-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: valid-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml index b435363bef7..c8dc8147580 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: redirect-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: redirect-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml index 0f75e67e278..de1e5ced9a4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: regex-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: regex-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml index 2adb8e01e4d..1e0be1f0405 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: request-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: request-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml index ca020e482fe..f3b7838ceee 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: response-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml index ca020e482fe..f3b7838ceee 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: response-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml index ca020e482fe..f3b7838ceee 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: response-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml index 027db39fb29..3041d18c4eb 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml index 3a2b7308d8e..8290c2d1837 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml index 3a2b7308d8e..8290c2d1837 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml index 0f75e67e278..de1e5ced9a4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: regex-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: regex-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml index a89644e62d9..b7a2badfead 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml index d65e267ad7d..820f85f625b 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml index 6d69b493981..a9be418a101 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml index 573625b4671..fccf18807c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml index ccfa16dbd99..51702c7c79b 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} @@ -68,6 +69,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml index f368f4c94d0..73cb7f276b2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml index 1489e95f6fd..ee7ebf5a19f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -37,6 +38,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml index 8c3dd7a549c..7fb571dc42f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml index 2cb022cfad0..de12099b7de 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml index 05cf41776c6..0a2796cd6ac 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -36,6 +37,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -60,6 +62,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -87,6 +90,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml index d53a7a1b2ce..9ada55d6523 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml index 9714612e3de..1c72d4f070f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml index b3842b6e52e..f9a046becf5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml index b6e4ed1ae7d..745719faa2b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml index 8ede70cf99a..8f5d81ea045 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml index 9de709310e6..308f92773e8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-www.test.com-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-www.test.com-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-www.test.com-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-www.test.com-dest outlierDetection: {} 
@@ -71,6 +73,7 @@ ads: {} resourceApiVersion: V3 serviceName: "192_168_1_250_8080" + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: "192_168_1_250_8080" outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml index 8d7b2d37ca0..8555780dab4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml index 8ede70cf99a..8f5d81ea045 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml index e75a68919d1..a5f1527ade9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: "192_168_1_250_443" + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: "192_168_1_250_443" outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml index 8ede70cf99a..8f5d81ea045 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml index 454192ce491..c21b71ce6c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml index 16792f24cb1..0c2202ce28f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true name: first-route-dest outlierDetection: {} perConnectionBufferLimitBytes: 32768 @@ -26,6 +27,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: RANDOM name: second-route-dest outlierDetection: {} @@ -43,6 +45,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -60,6 +63,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: fourth-route-dest outlierDetection: {} @@ -77,6 +81,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST leastRequestLbConfig: slowStartConfig: @@ -97,6 +102,7 @@ ads: {} resourceApiVersion: V3 serviceName: sixth-route-dest + ignoreHealthOnHostRemoval: true name: sixth-route-dest outlierDetection: {} perConnectionBufferLimitBytes: 32768 @@ -116,6 +122,7 @@ ads: {} resourceApiVersion: V3 serviceName: seventh-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: seventh-route-dest outlierDetection: {} @@ -133,6 +140,7 @@ ads: {} resourceApiVersion: V3 serviceName: eighth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV maglevLbConfig: tableSize: "524287" @@ -152,6 +160,7 @@ ads: {} resourceApiVersion: V3 serviceName: ninth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: ninth-route-dest outlierDetection: {} @@ -169,6 +178,7 @@ ads: {} resourceApiVersion: V3 serviceName: tenth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: tenth-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml index a89644e62d9..b7a2badfead 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml index 2b9b567cf39..c3b0666ab24 100755 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: securitypolicy/default/policy-for-http-route-2/envoy-gateway/http-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-http-route-2/envoy-gateway/http-backend outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-3/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-3/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml index ce7f4361a40..bd6b6e1ae2e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest outlierDetection: {} @@ -95,6 +100,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml index e0f57c2a695..19e6869eb5e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-1-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-1-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-2-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-2-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-3-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-3-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-4-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-4-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml index 03e10ccd7fc..ff3aedce52a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
@@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml index 03e10ccd7fc..ff3aedce52a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml index 4dad0aad1a7..16f6727a1a1 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml index 4dad0aad1a7..16f6727a1a1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml index 863e761bf9a..e467e24db53 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml index 5309331d017..f196a3fdd9a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml index 6441952eae8..47b4007397e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml index 45e8e0898ce..182245f1986 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml index 0ba1749076a..d2577b68f8b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml index a3c9b6623c9..4e607e59dbb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -29,6 +30,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -48,6 +50,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml index 0ba1749076a..d2577b68f8b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml index 427f6d15340..8aff78e3195 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index 427f6d15340..8aff78e3195 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
@@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml index 3b5a7b58376..1daefb357c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dual-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dual-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml index 382c2857a1f..c6291c77dd5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-complex-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-complex-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml index c845c64037d..aa8f0b0902b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml index a7bedbf76be..dbd196ef664 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-hostname-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-hostname-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml index 849359c1385..2219185b250 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-weighted-backend-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-weighted-backend-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml index e2156cb6aff..4c2749a767a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml index f60942991df..c2659deb6c9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-passthrough-foo-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-passthrough-foo-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml index 4dad0aad1a7..16f6727a1a1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml index 51ef591844c..7597e1328d9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml index 9e7469dd278..7ea8aa936c4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml index a9d0472bfac..f1a975a6e6a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml index 4d419611516..975086f5fff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml index e26cb444c5c..dd47af97cdd 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml index f7c6a0bf095..7ce45648946 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml index 0656b7c45e5..e153c882fd6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml index 6d5dffadf8c..eca236db657 100644 --- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml index 6a277bb94f6..408fc9c218e 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/tracing.go b/internal/xds/translator/tracing.go index c7777f94ba2..3e817bad1bf 100644 --- a/internal/xds/translator/tracing.go +++ b/internal/xds/translator/tracing.go @@ -50,7 +50,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e ServiceName: tracing.ServiceName, CollectorCluster: tracing.Destination.Name, } - return protocov.ToAnyWithError(config) + return protocov.ToAnyWithValidation(config) } case egv1a1.TracingProviderTypeOpenTelemetry: providerName = envoyOpenTelemetry @@ -68,7 +68,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e ServiceName: tracing.ServiceName, } - return protocov.ToAnyWithError(config) + return protocov.ToAnyWithValidation(config) } case egv1a1.TracingProviderTypeZipkin: providerName = envoyZipkin @@ -82,7 +82,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e CollectorEndpointVersion: tracecfg.ZipkinConfig_HTTP_JSON, } - return protocov.ToAnyWithError(config) + return protocov.ToAnyWithValidation(config) } default: return nil, fmt.Errorf("unknown tracing provider type: %s", tracing.Provider.Type) diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 30a54fe6990..27c0d3c5a04 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go 
@@ -217,7 +217,11 @@ func (t *Translator) processHTTPListenerXdsTranslation( case !xdsListenerOnSameAddressPortExists: // Create a new UDP(QUIC) listener for HTTP3 traffic if HTTP3 is enabled if http3Enabled { - quicXDSListener = buildXdsQuicListener(httpListener.Name, httpListener.Address, httpListener.Port, accessLog) + if quicXDSListener, err = buildXdsQuicListener(httpListener.Name, httpListener.Address, httpListener.Port, accessLog); err != nil { + errs = errors.Join(errs, err) + continue + } + if err = tCtx.AddXdsResource(resourcev3.ListenerType, quicXDSListener); err != nil { errs = errors.Join(errs, err) continue @@ -225,7 +229,13 @@ func (t *Translator) processHTTPListenerXdsTranslation( } // Create a new TCP listener for HTTP1/HTTP2 traffic. - tcpXDSListener = buildXdsTCPListener(httpListener.Name, httpListener.Address, httpListener.Port, httpListener.IPFamily, httpListener.TCPKeepalive, httpListener.Connection, accessLog) + if tcpXDSListener, err = buildXdsTCPListener( + httpListener.Name, httpListener.Address, httpListener.Port, httpListener.IPFamily, + httpListener.TCPKeepalive, httpListener.Connection, accessLog); err != nil { + errs = errors.Join(errs, err) + continue + } + if err = tCtx.AddXdsResource(resourcev3.ListenerType, tcpXDSListener); err != nil { errs = errors.Join(errs, err) continue @@ -514,7 +524,7 @@ func (t *Translator) addHTTPFiltersToHCM(filterChain *listenerv3.FilterChain, ht for i, filter := range filterChain.Filters { if filter.Name == wellknown.HTTPConnectionManager { var mgrAny *anypb.Any - if mgrAny, err = protocov.ToAnyWithError(hcm); err != nil { + if mgrAny, err = protocov.ToAnyWithValidation(hcm); err != nil { return err } 
@@ -560,12 +570,19 @@ func (t *Translator) processTCPListenerXdsTranslation( ) error { // The XDS translation is done in a best-effort manner, so we collect all // errors and return them at the end. - var errs error + var errs, err error for _, tcpListener := range tcpListeners { // Search for an existing listener, if it does not exist, create one. xdsListener := findXdsListenerByHostPort(tCtx, tcpListener.Address, tcpListener.Port, corev3.SocketAddress_TCP) if xdsListener == nil { - xdsListener = buildXdsTCPListener(tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.IPFamily, tcpListener.TCPKeepalive, tcpListener.Connection, accesslog) + if xdsListener, err = buildXdsTCPListener( + tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.IPFamily, + tcpListener.TCPKeepalive, tcpListener.Connection, accesslog); err != nil { + // skip this listener if failed to build xds listener + errs = errors.Join(errs, err) + continue + } + if err := tCtx.AddXdsResource(resourcev3.ListenerType, xdsListener); err != nil { // skip this listener if failed to add xds listener to the errs = errors.Join(errs, err) @@ -911,7 +928,7 @@ func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3. } } - tlsCtxAny, err := anypb.New(tlsCtx) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx) if err != nil { return nil, err } diff --git a/osv-scanner.toml b/osv-scanner.toml index 6144707a297..bed9a0c7a6a 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -1,7 +1,3 @@ -[[IgnoredVulns]] -id = "GO-2022-0646" -reason = "No a real issue, just a warning about third party package." - [[PackageOverrides]] name = "github.com/AdaLogics/go-fuzz-headers" version = "0.0.0-20230811130428-ced1acdcaa24" 
@@ -16,13 +12,6 @@ ecosystem = "Go" license.override = ["MIT"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/87 is resolved" -[[PackageOverrides]] -name = "github.com/containers/storage" -version = "1.55.0" -ecosystem = "Go" -license.override = ["Apache-2.0"] -reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/104 is resolved" - [[PackageOverrides]] name = "github.com/distribution/distribution/v3" version = "3.0.0-beta.1" 
@@ -41,32 +30,28 @@ reason = "This package has dual license - the code is licensed under the Apache name = "github.com/go-sql-driver/mysql" version = "1.8.1" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] name = "github.com/hashicorp/errwrap" version = "1.1.0" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] name = "github.com/hashicorp/go-multierror" version = "1.1.1" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. 
See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] name = "github.com/hashicorp/hcl" version = "1.0.0" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] @@ -80,8 +65,7 @@ reason = "This package has dual license - the code is licensed under the Apache name = "github.com/shoenig/go-m1cpu" version = "0.1.6" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx" [[PackageOverrides]] @@ -89,10 +73,3 @@ name = "stdlib" ecosystem = "Go" license.override = ["BSD-3-Clause"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved" - -[[PackageOverrides]] -name = "sigs.k8s.io/json" -version = "0.0.0-20221116044647-bc3834ca7abd" -ecosystem = "Go" -license.override = ["Apache-2.0"] -reason = "https://github.com/kubernetes-sigs/json/blob/main/LICENSE" diff --git a/release-notes/current.yaml b/release-notes/current.yaml index bfc711148bd..2a028241148 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -10,11 +10,16 @@ security updates: | # New features or capabilities added in this release. new features: | - Add a new feature here + Add support for modifying container securityContext for Envoy Gateway deployment in Helm # Fixes for bugs identified in previous versions. bug fixes: | - Add a bug fix here + Only log endpoint configuration in verbose logging mode (`-v 4` or higher) + The xDS translation failed when wasm http code source configured without a sha + HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses + Route with multiple parents has incorrect namespace in parentRef status + BackendTlsPolicy specify multiple targetRefs of the same service, only one will work + Helm chart fails for Flux HelmRelease # Enhancements that improve performance. performance improvements: | diff --git a/release-notes/v1.1.3.yaml b/release-notes/v1.1.3.yaml new file mode 100644 index 00000000000..7e2f9070888 --- /dev/null +++ b/release-notes/v1.1.3.yaml 
@@ -0,0 +1,28 @@ +date: November 1, 2024 + +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. +breaking changes: | + +# New features or capabilities added in this release. +new features: | + +# Fixes for bugs identified in previous versions. +bug fixes: | + Fixed unsupported listener protocol type causing an error while updating Gateway Status + Fixed some status updates were being discarded by the status updater + Fixed error level logging for admin and metrics modules + Fixed Dashboard typos + Fixed Ratelimit Deployment ignoring pod labels and annotation merge + Fixed the API Server receives unnecessary requests + Fixed set invalid Listener.SupportedKinds to empty list + Fixed losing timeout settings that originate from the route when translating the backend traffic policy + Fixed xds translation failure when wasm http code source configured without sha + +# Enhancements that improve performance. +performance improvements: | + +# Other notable changes not covered by the above sections. +Other changes: | + Bumped Envoy proxy to 1.31.3 + Bumped github.com/docker/docker to 27.3.1+incompatible + diff --git a/site/content/en/contributions/CODEOWNERS.md b/site/content/en/contributions/CODEOWNERS.md index aeec0b7439b..071532f02c1 100644 --- a/site/content/en/contributions/CODEOWNERS.md +++ b/site/content/en/contributions/CODEOWNERS.md @@ -5,7 +5,6 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy - @arkodg - @qicz - @Xunzhuo @@ -19,3 +18,4 @@ description: "This section includes Maintainers of Envoy Gateway." - @LukeShu - @skriss - @youngnick +- @Alice-Lilith diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 2999d46410c..23f69fd832a 100644 --- a/site/content/en/latest/api/extension_types.md 
+++ b/site/content/en/latest/api/extension_types.md @@ -15,21 +15,14 @@ API group. ### Resource Types - [Backend](#backend) -- [BackendList](#backendlist) - [BackendTrafficPolicy](#backendtrafficpolicy) -- [BackendTrafficPolicyList](#backendtrafficpolicylist) - [ClientTrafficPolicy](#clienttrafficpolicy) -- [ClientTrafficPolicyList](#clienttrafficpolicylist) - [EnvoyExtensionPolicy](#envoyextensionpolicy) -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) - [EnvoyGateway](#envoygateway) - [EnvoyPatchPolicy](#envoypatchpolicy) -- [EnvoyPatchPolicyList](#envoypatchpolicylist) - [EnvoyProxy](#envoyproxy) - [HTTPRouteFilter](#httproutefilter) -- [HTTPRouteFilterList](#httproutefilterlist) - [SecurityPolicy](#securitypolicy) -- [SecurityPolicyList](#securitypolicylist) @@ -267,8 +260,7 @@ _Appears in:_ Backend allows the user to configure the endpoints of a backend and the behavior of the connection from Envoy Proxy to the backend. -_Appears in:_ -- [BackendList](#backendlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -328,22 +320,6 @@ _Appears in:_ | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | -#### BackendList - - - -BackendList contains a list of Backend resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[Backend](#backend) array_ | true | | - - #### BackendRef 
@@ -428,8 +404,7 @@ _Appears in:_ BackendTrafficPolicy allows the user to configure the behavior of the connection between the Envoy Proxy listener and the backend service. -_Appears in:_ -- [BackendTrafficPolicyList](#backendtrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -440,22 +415,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | -#### BackendTrafficPolicyList - - - -BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[BackendTrafficPolicy](#backendtrafficpolicy) array_ | true | | - - #### BackendTrafficPolicySpec @@ -637,8 +596,7 @@ _Appears in:_ ClientTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener. -_Appears in:_ -- [ClientTrafficPolicyList](#clienttrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -649,22 +607,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | -#### ClientTrafficPolicyList - - - -ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`ClientTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[ClientTrafficPolicy](#clienttrafficpolicy) array_ | true | | - - #### ClientTrafficPolicySpec @@ -957,8 +899,7 @@ _Appears in:_ EnvoyExtensionPolicy allows the user to configure various envoy extensibility options for the Gateway. -_Appears in:_ -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -969,22 +910,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | -#### EnvoyExtensionPolicyList - - - -EnvoyExtensionPolicyList contains a list of EnvoyExtensionPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyExtensionPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyExtensionPolicy](#envoyextensionpolicy) array_ | true | | - - #### EnvoyExtensionPolicySpec 
@@ -1350,8 +1275,7 @@ _Appears in:_ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API -_Appears in:_ -- [EnvoyPatchPolicyList](#envoypatchpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -1362,22 +1286,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. | -#### EnvoyPatchPolicyList - - - -EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyPatchPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyPatchPolicy](#envoypatchpolicy) array_ | true | | - - #### EnvoyPatchPolicySpec @@ -2026,8 +1934,7 @@ _Appears in:_ HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended traffic processing options such as path regex rewrite, direct response and more. -_Appears in:_ -- [HTTPRouteFilterList](#httproutefilterlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -2037,22 +1944,6 @@ _Appears in:_ | `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | -#### HTTPRouteFilterList - - - -HTTPRouteFilterList contains a list of HTTPRouteFilter resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`HTTPRouteFilterList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[HTTPRouteFilter](#httproutefilter) array_ | true | | - - #### HTTPRouteFilterSpec @@ -3638,8 +3529,7 @@ _Appears in:_ SecurityPolicy allows the user to configure various security settings for a Gateway. -_Appears in:_ -- [SecurityPolicyList](#securitypolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3650,22 +3540,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | -#### SecurityPolicyList - - - -SecurityPolicyList contains a list of SecurityPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`SecurityPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[SecurityPolicy](#securitypolicy) array_ | true | | - - #### SecurityPolicySpec diff --git a/site/content/en/latest/install/gateway-addons-helm-api.md b/site/content/en/latest/install/gateway-addons-helm-api.md index 9835e21cd62..dce51039fa2 100644 
--- a/site/content/en/latest/install/gateway-addons-helm-api.md +++ b/site/content/en/latest/install/gateway-addons-helm-api.md @@ -24,6 +24,7 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | 
@@ -34,6 +35,9 @@ An Add-ons Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = 
[\"__meta_kubernetes_namespace\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path 
/var/log/containers/*.log\n multiline.parser docker, cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | 
@@ -86,15 +90,21 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` 
| | +| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | @@ -106,6 +116,7 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 99023e65c6c..bb817b992dc 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md 
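Review bot: in the @@ -86 hunk the three new `receivers.jaeger.protocols.*` endpoints and the new `receivers.prometheus.config.scrape_configs[0]` block are added, but the only trace receivers visible in the @@ -106 context are `datadog`, `otlp` and `zipkin` (`service.pipelines.traces.receivers[0..2]`) and no metrics pipeline is shown; confirm the chart values actually wire `jaeger` and `prometheus` into a pipeline, otherwise these are dead entries that still appear in the documented defaults. Moving every bind address from `0.0.0.0` to `[${env:MY_POD_IP}]` is the right call (the collector no longer listens on all interfaces, and the bracketed form keeps IPv6 pod IPs parseable), and `extensions.health_check.endpoint` plus the new `service.telemetry.metrics.address` follow the same pattern, so the self-scrape target `[${env:MY_POD_IP}]:8888` and the telemetry address agree. The one weak default that survives in the context lines is `exporters.otlp.tls.insecure: true` for the Tempo export; it is unchanged here, but since this hunk is already touching the listener hardening it deserves a TODO or a Description entry.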
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
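Review bot: the new `certgen.job.securityContext` default pins `runAsUser`/`runAsGroup` to 65534 while the `deployment.envoyGateway.securityContext` added in the next hunk uses 65532; if the job runs the same image as the controller, a different UID only matters at runtime (file ownership inside the image, `readOnlyRootFilesystem: true` leaving no writable fallback), so either align the two values or state in the Description column why they differ. The Description text itself is untouched and still only covers the Cert-Manager interplay; a short mention that the job now runs as non-root with all capabilities dropped and a read-only root filesystem would tell operators with a custom image what they may need to override.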
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/site/content/en/latest/tasks/security/jwt-claim-authorization.md b/site/content/en/latest/tasks/security/jwt-claim-authorization.md new file mode 100644 index 00000000000..2e67ea7ffe9 --- /dev/null +++ b/site/content/en/latest/tasks/security/jwt-claim-authorization.md 
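Review bot: `deployment.envoyGateway.securityContext` drops all capabilities, disables privilege escalation, runs as 65532 and sets `seccompProfile.type: RuntimeDefault`, but unlike the certgen context in the previous hunk it sets no `readOnlyRootFilesystem`; if the controller does not need a writable root filesystem, add `readOnlyRootFilesystem: true` so the two chart defaults match. Only container-level keys are documented here, so double-check that nothing in the chart also sets a pod-level `securityContext` with a conflicting `runAsUser`/`fsGroup`. The `prometheus.io/port: "19001"` annotation in the context lines is unchanged, so the metrics endpoint is still advertised on the pod.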
@@ -0,0 +1,226 @@ +--- +title: "JWT Claim-Based Authorization" +--- + +This task provides instructions for configuring JWT claim-based authorization. JWT claim-based authorization checks if an incoming request has the required JWT claims before routing the request to a backend service. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure JWT claim-based authorization. + +This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Configuration + +### Create a SecurityPolicy + +Please note that the JWT claim-based authorization requires the JWT token to be present in the request. A JWT authentication must be configured in the same SecurityPolicy to validate the JWT token and extract the claims. + +The below SecurityPolicy configuration allows requests with a valid JWT token that has the following claims: +- `user.name` claim with the value `John Doe` +- `user.roles` claim with the value `admin` +- `scope` claim with the values `read`, `add`, and `modify` + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/authorization-jwt-claim -o yaml +``` + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Define a JWT token with the required claims. 
+ +```shell +export VALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGVzIjpbImFkbWluIiwiZWRpdG9yIl19LCJwcmVtaXVtX3VzZXIiOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUiOiJyZWFkIGFkZCBkZWxldGUgbW9kaWZ5In0.P36iAlmiRCC79OiB3vstF5Q_9OqUYAMGF3a3H492GlojbV6DcuOz8YIEYGsRSWc-BNJaBKlyvUKsKsGVPtYbbF8ajwZTs64wyO-zhd2R8riPkg_HsW7iwGswV12f5iVRpfQ4AG2owmdOToIaoch0aym89He1ZzEjcShr9olgqlAbbmhnk-namd1rP-xpzPnWhhIVI3mCz5hYYgDTMcM7qbokM5FzFttTRXAn5_Luor23U1062Ct_K53QArwxBvwJ-QYiqcBycHf-hh6sMx_941cUswrZucCpa-EwA3piATf9PKAyeeWHfHV9X-y8ipGOFg3mYMMVBuUZ1lBkJCik9f9kboRY6QzpOISARQj9PKMXfxZdIPNuGmA7msSNAXQgqkvbx04jMwb9U7eCEdGZztH4C8LhlRjgj0ZdD7eNbRjeH2F6zrWyMUpGWaWyq6rMuP98W2DWM5ZflK6qvT1c7FuFsWPvWLkgxQwTWQKrHdKwdbsu32Sj8VtUBJ0-ddEb" +``` + +Decode the JWT token to verify that it has the required claims. + +```shell +jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${VALID_TOKEN}) +``` + +The decoded JWT token should look like the following: + +```json +{ + "typ": "JWT", + "alg": "RS256", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" +} +{ + "iss": "https://foo.bar.com", + "sub": "1234567890", + "user": { + "name": "John Doe", + "email": "john.doe@example.com", + "roles": [ + "admin", + "editor" + ] + }, + "premium_user": true, + "iat": 1516239022, + "scope": "read add delete modify" +} +``` + +Send a request to the backend service with the valid JWT token: + +```shell +curl -H "Host: www.example.com" -H "Authorization: Bearer ${VALID_TOKEN}" "http://${GATEWAY_HOST}/" +``` + +The request should be allowed and you should see the response from the backend service. + +Define a JWT token without the required claims. 
+ +```shell +export INVALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkFsaWNlIFNtaXRoIiwiZW1haWwiOiJhbGljZS5zbWl0aEBleGFtcGxlLmNvbSIsInJvbGVzIjpbImRldmVsb3BlciJdfSwicHJlbWl1bV91c2VyIjpmYWxzZSwiaWF0IjoxNTE2MjM5MDIyLCJzY29wZSI6InJlYWQgYWRkIGRlbGV0ZSJ9.Da547nNXzuQXm5E7LuLAiyFswXsW4RDhuitD_rpadtR7PTwzzOsJoqrVWJ_u1jJDaOTWIpLF4gwxDoY-Aoz_couzXzlAbECLs45ZFoc_UdffpfIbGKqTZx8VtwKuDLFsAeDDDqqx1flxFhvXHftJJdZYr1FgFz9u-absMmRU90DLmEZX3Hnyc8k8eBgeiu6vsWUD0-aNy8cWkFRbwRggkGmucFyUTG8Z1MY3iyH5E66W-ISoX8G9bzE9PTxVAAPDTvefD5iLJPSDJ8qV69OuMCJ8Dczq0L9Dd_w0sF-D1s9MTvexmGg4zBWluJ3r-pU9NHEdhqBypehp_yH8xF5Rt9AE7stZ4oPFZNyfrtkE-4IOnSEkMmzcC65g_rscn0ycerv4N5ZNpkr0x2IYYM4iGuo-ULv5Htnli3rffST45kx1XA8cdsrT1D0K3aPxdIxDIk8sTJf5-WVqRyo-bwxXXltwQLB9jCM_7QbTWQBYAJwUpi-0RW4jCl44-42gZnXf" +``` + +Decode the JWT token to verify that it does not have the required claims. + +```shell +jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${INVALID_TOKEN}) +``` + +The decoded JWT token should look like the following: + +```json +{ + "typ": "JWT", + "alg": "RS256", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" +} +{ + "iss": "https://foo.bar.com", + "sub": "1234567890", + "user": { + "name": "Alice Smith", + "email": "alice.smith@example.com", + "roles": [ + "developer" + ] + }, + "premium_user": false, + "iat": 1516239022, + "scope": "read add delete" +} +``` + +Send a request to the backend service with the invalid JWT token: + +```shell +curl -v -H "Host: www.example.com" -H "Authorization: Bearer ${INVALID_TOKEN}" "http://${GATEWAY_HOST}/" +``` + +The request should be denied and you should see a `403 Forbidden` response. + +## Clean-Up + +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. 
+ +Delete the SecurityPolicy and the ClientTrafficPolicy + +```shell +kubectl delete securitypolicy/authorization-jwt-claim +``` + +## Next Steps + +Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project. + +[SecurityPolicy]: ../../../contributions/design/security-policy +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute diff --git a/site/content/en/latest/tasks/traffic/direct-response.md b/site/content/en/latest/tasks/traffic/direct-response.md new file mode 100644 index 00000000000..4b9aaa5551e --- /dev/null +++ b/site/content/en/latest/tasks/traffic/direct-response.md 
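Review bot: the Clean-Up section says "Delete the SecurityPolicy and the ClientTrafficPolicy", but the task never creates a ClientTrafficPolicy and the command that follows only runs `kubectl delete securitypolicy/authorization-jwt-claim`; drop the ClientTrafficPolicy mention. Both sample tokens carry `iat` but no `exp`, and the page says nothing about it; since this is the security task people will copy, add a sentence that the demo tokens never expire and that claim matching is an authorization step layered on top of the JWT provider's signature and issuer validation, not a substitute for it. Two smaller points: "Checkout the Developer Guide" should read "Check out", and the decode one-liner `jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'` relies on jq's `@base64d`, which decodes the standard RFC 4648 alphabet; the header and payload segments of these two tokens happen to contain no `-` or `_`, so it works here, but a reader pasting a base64url-encoded token of their own may get a decode error, which is worth a note.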
@@ -0,0 +1,284 @@ +--- +title: "Direct Response" +--- + +Direct responses are valuable in cases where you want the gateway itself +to handle certain requests without forwarding them to backend services. +This task shows you how to configure them. + +## Installation + +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Testing Direct Response + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 04 Mar 2024 02:34:21 GMT +content-length: 480 +``` + +Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/inline +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 127.0.0.1 (127.0.0.1) port 80 +> GET /inline HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 503 Service Unavailable +< content-type: text/plain +< content-length: 32 +< date: Sat, 02 Nov 2024 00:35:48 GMT +< +* Connection #0 to host 127.0.0.1 left intact +Oops! Your request is not found. +``` + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/value-ref +``` + +```console +* Trying 127.0.0.1:80... 
+* Connected to 127.0.0.1 (127.0.0.1) port 80 +> GET /value-ref HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 500 Internal Server Error +< content-type: application/json +< content-length: 34 +< date: Sat, 02 Nov 2024 00:35:55 GMT +< +* Connection #0 to host 127.0.0.1 left intact +{"error": "Internal Server Error"} +``` diff --git a/site/content/en/news/releases/_index.md b/site/content/en/news/releases/_index.md index 71ff48fd392..4449a100c7e 100644 --- a/site/content/en/news/releases/_index.md +++ b/site/content/en/news/releases/_index.md @@ -31,7 +31,7 @@ communications with the Envoy Gateway community, and the mechanics of the releas |:-------:|:--------------------------------------------------------------:| | 2022 Q4 | Daneyon Hansen ([danehans](https://github.com/danehans)) | | 2023 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | -| 2023 Q2 | Alice Wasko ([AliceProxy](https://github.com/AliceProxy)) | +| 2023 Q2 | Alice Wasko ([Alice-Lilith](https://github.com/Alice-Lilith)) | | 2023 Q3 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | diff --git a/site/content/en/news/releases/notes/v1.1.3.md b/site/content/en/news/releases/notes/v1.1.3.md new file mode 100644 index 00000000000..97128c1cc6c --- /dev/null +++ b/site/content/en/news/releases/notes/v1.1.3.md 
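Review bot: the Testing Direct Response section still contains `curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I` and the paragraph "Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout.", which belong to the request-timeout task, not to this page; remove them so the walkthrough goes straight from applying the HTTPRouteFilter to the `/inline` and `/value-ref` requests. In the `/inline` transcript the filter answers `503 Service Unavailable` with the body `Oops! Your request is not found.`; readers will copy the status/body pair as a template, so either use a 404 for a not-found message or change the text. The page opens with `## Installation` while the JWT task added in the same patch uses `## Prerequisites` with `{{< boilerplate prerequisites >}}`; use the same boilerplate here.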
@@ -0,0 +1,31 @@ +--- +title: "v1.1.3" +publishdate: 2024-11-01 +--- + +Date: November 1, 2024 + +## Breaking changes +- + +## New features +- + +## Bug fixes +- Fixed unsupported listener protocol type causing an error while updating Gateway Status +- Fixed some status updates were being discarded by the status updater +- Fixed error level logging for admin and metrics modules +- Fixed Dashboard typos +- Fixed Ratelimit Deployment ignoring pod labels and annotation merge +- Fixed the API Server receives unnecessary requests +- Fixed set invalid Listener.SupportedKinds to empty list +- Fixed losing timeout settings that originate from the route when translating the backend traffic policy +- Fixed xds translation failure when wasm http code source configured without sha + +## Performance improvements +- + +## Other changes +- Bumped Envoy proxy to 1.31.3 +- Bumped github.com/docker/docker to 27.3.1+incompatible + diff --git a/site/content/en/v0.2/contributions/CODEOWNERS.md b/site/content/en/v0.2/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.2/contributions/CODEOWNERS.md +++ b/site/content/en/v0.2/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.2/contributions/RELEASING.md b/site/content/en/v0.2/contributions/RELEASING.md index bad13a6830c..ad0143bdeb9 100644 --- a/site/content/en/v0.2/contributions/RELEASING.md +++ b/site/content/en/v0.2/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release 
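Review bot: the v1.1.3 notes leave `Breaking changes`, `New features` and `Performance improvements` as a bare `-` bullet, which renders as an empty list item; write "None" or drop the empty headings. Several bug-fix lines are fragments ("Fixed the API Server receives unnecessary requests", "Fixed set invalid Listener.SupportedKinds to empty list"); reword them as full sentences and, since this is a release page, link each entry to its PR. "Bumped Envoy proxy to 1.31.3" is the line a security reader scans for first, so say whether the bump carries security fixes and put it at the top of Other changes.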
diff --git a/site/content/en/v0.3/contributions/CODEOWNERS.md b/site/content/en/v0.3/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.3/contributions/CODEOWNERS.md +++ b/site/content/en/v0.3/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.3/contributions/RELEASING.md b/site/content/en/v0.3/contributions/RELEASING.md index bad13a6830c..ad0143bdeb9 100644 --- a/site/content/en/v0.3/contributions/RELEASING.md +++ b/site/content/en/v0.3/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/en/v0.4/contributions/CODEOWNERS.md b/site/content/en/v0.4/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.4/contributions/CODEOWNERS.md +++ b/site/content/en/v0.4/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.4/contributions/RELEASING.md b/site/content/en/v0.4/contributions/RELEASING.md index bad13a6830c..ad0143bdeb9 100644 --- a/site/content/en/v0.4/contributions/RELEASING.md +++ b/site/content/en/v0.4/contributions/RELEASING.md 
@@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/en/v0.5/contributions/CODEOWNERS.md b/site/content/en/v0.5/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.5/contributions/CODEOWNERS.md +++ b/site/content/en/v0.5/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.5/contributions/RELEASING.md b/site/content/en/v0.5/contributions/RELEASING.md index 206c9f0589d..7e02ccff581 100644 --- a/site/content/en/v0.5/contributions/RELEASING.md +++ b/site/content/en/v0.5/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/en/v0.6/contributions/CODEOWNERS.md b/site/content/en/v0.6/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.6/contributions/CODEOWNERS.md +++ b/site/content/en/v0.6/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain 
diff --git a/site/content/en/v0.6/contributions/RELEASING.md b/site/content/en/v0.6/contributions/RELEASING.md index 5abb7ba4503..37336d96acd 100644 --- a/site/content/en/v0.6/contributions/RELEASING.md +++ b/site/content/en/v0.6/contributions/RELEASING.md @@ -100,10 +100,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/zh/contributions/CODEOWNERS.md b/site/content/zh/contributions/CODEOWNERS.md index 74e885d852a..d7ad10786d4 100644 --- a/site/content/zh/contributions/CODEOWNERS.md +++ b/site/content/zh/contributions/CODEOWNERS.md @@ -5,7 +5,6 @@ description: "本部分包括 Envoy Gateway 的维护者。" ## 以下是拥有所有权限的维护者(按字母顺序排列) {#the-following-maintainers-listed-in-alphabetical-order-own-everything} -- @AliceProxy - @arkodg - @qicz - @Xunzhuo @@ -19,3 +18,4 @@ description: "本部分包括 Envoy Gateway 的维护者。" - @LukeShu - @skriss - @youngnick +- @Alice-Lilith diff --git a/site/content/zh/contributions/RELEASING.md b/site/content/zh/contributions/RELEASING.md index e1412e4eb7c..fd4b0af328e 100644 --- a/site/content/zh/contributions/RELEASING.md +++ b/site/content/zh/contributions/RELEASING.md @@ -102,10 +102,10 @@ export GITHUB_REMOTE=origin cherrypick/release-v0.4 # 将发布经理名字放在这里 reviewers: | - AliceProxy + Alice-Lilith ``` -将 `v0.4` 替换为真实的分支名称,并将 `AliceProxy` 替换为 RM 的真实名称。 +将 `v0.4` 替换为真实的分支名称,并将 `Alice-Lilith` 替换为 RM 的真实名称。 ## 次要版本 {#minor-release} diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 2999d46410c..23f69fd832a 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md 
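Review bot: in `site/content/zh/contributions/CODEOWNERS.md` this is not a plain rename: `@AliceProxy` is removed from the maintainers list ("拥有所有权限的维护者", maintainers who own everything) and `@Alice-Lilith` is appended after `@youngnick` in the second list further down, whereas every `site/content/en/v0.x/contributions/CODEOWNERS.md` hunk in this patch substitutes the handle in place. Either this is an intentional status change that should be called out in the commit message and mirrored in the English pages, or the zh file should get the same in-place substitution; appending at the end also breaks the heading's "按字母顺序排列" (alphabetical order) claim. The RELEASING.md hunks are fine, but note that the example still hardcodes `cherrypick/release-v0.4` in every version of the page.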
@@ -15,21 +15,14 @@ API group. ### Resource Types - [Backend](#backend) -- [BackendList](#backendlist) - [BackendTrafficPolicy](#backendtrafficpolicy) -- [BackendTrafficPolicyList](#backendtrafficpolicylist) - [ClientTrafficPolicy](#clienttrafficpolicy) -- [ClientTrafficPolicyList](#clienttrafficpolicylist) - [EnvoyExtensionPolicy](#envoyextensionpolicy) -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) - [EnvoyGateway](#envoygateway) - [EnvoyPatchPolicy](#envoypatchpolicy) -- [EnvoyPatchPolicyList](#envoypatchpolicylist) - [EnvoyProxy](#envoyproxy) - [HTTPRouteFilter](#httproutefilter) -- [HTTPRouteFilterList](#httproutefilterlist) - [SecurityPolicy](#securitypolicy) -- [SecurityPolicyList](#securitypolicylist) @@ -267,8 +260,7 @@ _Appears in:_ Backend allows the user to configure the endpoints of a backend and the behavior of the connection from Envoy Proxy to the backend. -_Appears in:_ -- [BackendList](#backendlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -328,22 +320,6 @@ _Appears in:_ | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | -#### BackendList - - - -BackendList contains a list of Backend resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[Backend](#backend) array_ | true | | - - #### BackendRef @@ -428,8 +404,7 @@ _Appears in:_ BackendTrafficPolicy allows the user to configure the behavior of the connection between the Envoy Proxy listener and the backend service. -_Appears in:_ -- [BackendTrafficPolicyList](#backendtrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -440,22 +415,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | -#### BackendTrafficPolicyList - - - -BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[BackendTrafficPolicy](#backendtrafficpolicy) array_ | true | | - - #### BackendTrafficPolicySpec @@ -637,8 +596,7 @@ _Appears in:_ ClientTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener. -_Appears in:_ -- [ClientTrafficPolicyList](#clienttrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -649,22 +607,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | -#### ClientTrafficPolicyList - - - -ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`ClientTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[ClientTrafficPolicy](#clienttrafficpolicy) array_ | true | | - - #### ClientTrafficPolicySpec 
@@ -957,8 +899,7 @@ _Appears in:_ EnvoyExtensionPolicy allows the user to configure various envoy extensibility options for the Gateway. -_Appears in:_ -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -969,22 +910,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | -#### EnvoyExtensionPolicyList - - - -EnvoyExtensionPolicyList contains a list of EnvoyExtensionPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyExtensionPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyExtensionPolicy](#envoyextensionpolicy) array_ | true | | - - #### EnvoyExtensionPolicySpec @@ -1350,8 +1275,7 @@ _Appears in:_ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API -_Appears in:_ -- [EnvoyPatchPolicyList](#envoypatchpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -1362,22 +1286,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. | -#### EnvoyPatchPolicyList - - - -EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyPatchPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyPatchPolicy](#envoypatchpolicy) array_ | true | | - - #### EnvoyPatchPolicySpec @@ -2026,8 +1934,7 @@ _Appears in:_ HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended traffic processing options such as path regex rewrite, direct response and more. -_Appears in:_ -- [HTTPRouteFilterList](#httproutefilterlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2037,22 +1944,6 @@ _Appears in:_ | `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | -#### HTTPRouteFilterList - - - -HTTPRouteFilterList contains a list of HTTPRouteFilter resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`HTTPRouteFilterList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[HTTPRouteFilter](#httproutefilter) array_ | true | | - - #### HTTPRouteFilterSpec 
@@ -3638,8 +3529,7 @@ _Appears in:_ SecurityPolicy allows the user to configure various security settings for a Gateway. -_Appears in:_ -- [SecurityPolicyList](#securitypolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3650,22 +3540,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | -#### SecurityPolicyList - - - -SecurityPolicyList contains a list of SecurityPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`SecurityPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[SecurityPolicy](#securitypolicy) array_ | true | | - - #### SecurityPolicySpec diff --git a/site/content/zh/latest/install/gateway-addons-helm-api.md b/site/content/zh/latest/install/gateway-addons-helm-api.md index 9835e21cd62..dce51039fa2 100644 --- a/site/content/zh/latest/install/gateway-addons-helm-api.md +++ b/site/content/zh/latest/install/gateway-addons-helm-api.md @@ -24,6 +24,7 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | 
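Review bot: the `zh/latest/api/extension_types.md` hunks remove every `*List` type and, in each affected type, replace the `_Appears in:_` block with a blank `+` line (`-_Appears in:_ -- [BackendList](#backendlist) +`); if this file comes from the API reference generator, regenerate it rather than hand-edit so the zh and en references stay byte-for-byte aligned, and if it is hand-maintained, drop the stray blank line. In the `gateway-addons-helm-api.md` @@ -24 hunk the new `alloy 0.9.2` dependency from https://grafana.github.io/helm-charts is pinned to an exact chart version like the other add-ons, which is the right thing for a chart that ships an opt-in log pipeline.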
@@ -34,6 +35,9 @@ An Add-ons Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = 
[\"__meta_kubernetes_namespace\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path 
/var/log/containers/*.log\n multiline.parser docker, cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | 
@@ -86,15 +90,21 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` 
| | +| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | @@ -106,6 +116,7 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md index 99023e65c6c..bb817b992dc 100644 --- a/site/content/zh/latest/install/gateway-helm-api.md +++ b/site/content/zh/latest/install/gateway-helm-api.md 
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/site/content/zh/news/releases/_index.md b/site/content/zh/news/releases/_index.md index 8afc5916c6e..0862210010f 100644 --- a/site/content/zh/news/releases/_index.md +++ b/site/content/zh/news/releases/_index.md @@ -32,7 +32,7 @@ Envoy Gateway 的稳定版本包括: |:-------:|:--------------------------------------------------------------:| | 2022 Q4 | Daneyon Hansen ([danehans](https://github.com/danehans)) | | 2023 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | -| 2023 Q2 | Alice Wasko ([AliceProxy](https://github.com/AliceProxy)) | +| 2023 Q2 | Alice Wasko ([Alice-Lilith](https://github.com/Alice-Lilith)) | | 2023 Q3 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | 
diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index 704c3dfde80..0bdf6092027 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -3,8 +3,8 @@ {{- "v0.0.0-latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.2" -}} +{{- "v1.1.3" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.2" -}} +{{- "v1.1.3" -}} {{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index eced902814a..fd96ac1799e 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -3,8 +3,8 @@ {{- "latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.2" -}} +{{- "v1.1.3" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.2" -}} +{{- "v1.1.3" -}} {{- end -}} diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml index 714dd296067..c7390d6d70d 100644 --- a/test/e2e/base/manifests.yaml +++ b/test/e2e/base/manifests.yaml 
@@ -424,113 +424,6 @@ spec: cpu: 10m --- apiVersion: v1 -kind: Namespace -metadata: - name: gateway-preserve-case-backend ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: go-server - namespace: gateway-preserve-case-backend -data: - go.mod: | - module srvr - go 1.22 - require ( - github.com/andybalholm/brotli v1.0.5 // indirect - github.com/klauspost/compress v1.17.0 // indirect - github.com/valyala/bytebufferpool v1.0.0 // indirect - github.com/valyala/fasthttp v1.51.0 // indirect - ) - go.sum: | - github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs= - github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= - github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= - github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= - github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= - github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= - github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA= - github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g= - main.go: | - package main - import ( - "encoding/json" - "fmt" - "log" - "github.com/valyala/fasthttp" - ) - func HandleFastHTTP(ctx *fasthttp.RequestCtx) { - ctx.QueryArgs().VisitAll(func(key, value []byte) { - if string(key) == "headers" { - ctx.Response.Header.Add(string(value), "PrEsEnT") - } - }) - headers := map[string][]string{} - ctx.Request.Header.VisitAll(func(key, value []byte) { - headers[string(key)] = append(headers[string(key)], string(value)) - }) - if d, err := json.MarshalIndent(headers, "", " "); err != nil { - ctx.Error(fmt.Sprintf("%s", err), fasthttp.StatusBadRequest) - } else { - fmt.Fprintf(ctx, string(d)+"\n") - } - } - func main() { - s := fasthttp.Server{ - Handler: HandleFastHTTP, - DisableHeaderNamesNormalizing: 
true, - } - log.Printf("Starting on port 8000") - log.Fatal(s.ListenAndServe(":8000")) - } ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-app-deployment - namespace: gateway-preserve-case-backend -spec: - replicas: 1 - selector: - matchLabels: - app: golang-app - template: - metadata: - labels: - app: golang-app - spec: - containers: - - name: golang-app-container - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . " - image: golang:1.22.3-alpine - ports: - - containerPort: 8000 - volumeMounts: - - name: go-server - mountPath: /app - volumes: - - name: go-server - configMap: - name: go-server ---- -apiVersion: v1 -kind: Service -metadata: - name: fasthttp-backend - namespace: gateway-preserve-case-backend -spec: - selector: - app: golang-app - ports: - - protocol: TCP - port: 8000 - targetPort: 8000 ---- -apiVersion: v1 data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPVENDQWlHZ0F3SUJBZ0lVUWNxbnZtQXlkRUtuOEdqWTdjZzVDb3A2QWp3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TkRBMU1USXhOakF3TlROYUZ3MHlOVEExCk1USXhOakF3TlROYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0VpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ2kzUis1WGx3SnlYSTNidTRVQ3E0NXgwSkdWQVBTVXRFTFlLUkxpOEo2CnlxOStySE1hVUtubDhsdldLaHlCNDk4WkJBdVVGS0RpcGhkS1A2eU0rRGl1azVIa2UrK0NmeGxkUDFiSGZiNlkKSGFWczh2cFMyUThneUF6NEZqc3NnNThMV1NKWTdEeEhSOWJibUVWelhSUjNWOEtDeDVaYVlkZ3RxU0NZTGJMTwozaGtGRGQramZxSzM3RHdiT253d21OQ2R0QmpRSTF1TmF2dm1QZzB0c3pwd29TQUtPRitPR0pHcTZHcDdNY0NtClFHZ3dYNkV0YzMwd3hJQTd6c3RnTWwzT293a3p4NHNMcFdJamdCSDVlVk9oYnB6NXROLzB2VFZ3Z3hlbTlOVisKQURjSTFBcnY5M1ZsaFB6VEFmZUNDUlljeFFiNlp4dnBuMWlRbVIrZkVpT0JBZ01CQUFHaklUQWZNQjBHQTFVZApEZ1FXQkJTMGRnRHNtQ3AyU0pZVzNPa3pkNDZtbFNndHZ6QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFab0NCCnE0M2taV1RZT21QR3JYMU5RM
llIVTQ2Y0pzRGxsN2JFL0ZIRUo1eEJEcWRGaUdhWkZBcGRkK3Mra2tkUUw5NUUKcU1SVk9nYS83TUFIL042dlRmb2tXcnVKUUFqaStpLzhGSllWb1VZTWMyeUxqYXp3ZS9ZMHlzTDRWRTNGUlZybApmVHRCTC9nVkhjNk9ZOFBpVFh4eitqdy9FN2kxQkRxZkdSK29sYmt4ZkVmWnhHN0tEZUVtQnVva0dxbDlYQXhSCjMzbnhSbFZuODdxSnJrdUlzdWl2ZzczaVVNMVpGUE1CRVp0OEJjU05MaWhxZEx0b29FVy9mcGZ1am9oaC9yTjUKOFA1ajJpWm9KOGpBS0t4YW5SaWhXTklSNzJtYnJ1R2hYOFRIQkxzczFvZlpLdHBXMzlUOTBTM2hnWkFwSmNZYQp2aGVwSnRtbm9jcHNnYUJiL0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== tls.key: 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 diff --git a/test/e2e/testdata/accesslog-als.yaml b/test/e2e/testdata/accesslog-als.yaml index cd998df4655..569195aba1a 100644 --- a/test/e2e/testdata/accesslog-als.yaml +++ b/test/e2e/testdata/accesslog-als.yaml 
@@ -15,186 +15,6 @@ spec: - name: infra-backend-v1 port: 8080 --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: envoy-als - namespace: monitoring -data: - go.mod: | - module envoy-als - go 1.22 - require ( - github.com/envoyproxy/go-control-plane v0.12.0 - github.com/prometheus/client_golang v1.19.1 - google.golang.org/grpc v1.64.0 - ) - - require ( - github.com/beorn7/perks v1.0.1 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50 // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect - github.com/golang/protobuf v1.5.4 // indirect - github.com/prometheus/client_model v0.5.0 // indirect - github.com/prometheus/common v0.48.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect - golang.org/x/net v0.22.0 // indirect - golang.org/x/sys v0.18.0 // indirect - golang.org/x/text v0.14.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect - google.golang.org/protobuf v1.33.0 // indirect - ) - go.sum: | - github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= - github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= - github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= - github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= - github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50 h1:DBmgJDC9dTfkVyGgipamEh2BpGYxScCH1TOF1LL1cXc= - github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50/go.mod h1:5e1+Vvlzido69INQaVO6d87Qn543Xr6nooe9Kz7oBFM= - github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= - github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= - github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= - github.com/envoyproxy/go-control-plane v0.12.0/go.mod 
h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= - github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= - github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= - github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= - github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= - github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= - github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= - github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= - github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= - github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE= - github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc= - github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= - github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= - golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= - golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= - golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= - golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc= - google.golang.org/genproto/googleapis/rpc 
v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= - google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY= - google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg= - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= - main.go: | - package main - - import ( - "log" - "net" - "net/http" - - alsv2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2" - alsv3 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3" - "github.com/prometheus/client_golang/prometheus" - "github.com/prometheus/client_golang/prometheus/promhttp" - - "google.golang.org/grpc" - ) - - var ( - LogCount = prometheus.NewCounterVec(prometheus.CounterOpts{ - Name: "log_count", - Help: "The total number of logs received.", - }, []string{"api_version"}) - ) - - func init() { - // Register the summary and the histogram with Prometheus's default registry. 
- prometheus.MustRegister(LogCount) - } - - type ALSServer struct { - } - - func (a *ALSServer) StreamAccessLogs(logStream alsv2.AccessLogService_StreamAccessLogsServer) error { - log.Println("Streaming als v2 logs") - for { - data, err := logStream.Recv() - if err != nil { - return err - } - - httpLogs := data.GetHttpLogs() - if httpLogs != nil { - LogCount.WithLabelValues("v2").Add(float64(len(httpLogs.LogEntry))) - } - - log.Printf("Received v2 log data: %s\n", data.String()) - } - } - - type ALSServerV3 struct { - } - - func (a *ALSServerV3) StreamAccessLogs(logStream alsv3.AccessLogService_StreamAccessLogsServer) error { - log.Println("Streaming als v3 logs") - for { - data, err := logStream.Recv() - if err != nil { - return err - } - - httpLogs := data.GetHttpLogs() - if httpLogs != nil { - LogCount.WithLabelValues("v3").Add(float64(len(httpLogs.LogEntry))) - } - - log.Printf("Received v3 log data: %s\n", data.String()) - } - } - - func NewALSServer() *ALSServer { - return &ALSServer{} - } - - func NewALSServerV3() *ALSServerV3 { - return &ALSServerV3{} - } - - func main() { - mux := http.NewServeMux() - if err := addMonitor(mux); err != nil { - log.Printf("could not establish self-monitoring: %v\n", err) - } - - s := &http.Server{ - Addr: ":19001", - Handler: mux, - } - - go func() { - s.ListenAndServe() - }() - - listener, err := net.Listen("tcp", "0.0.0.0:8080") - if err != nil { - log.Fatalf("Failed to start listener on port 8080: %v", err) - } - - var opts []grpc.ServerOption - grpcServer := grpc.NewServer(opts...) 
- alsv2.RegisterAccessLogServiceServer(grpcServer, NewALSServer()) - alsv3.RegisterAccessLogServiceServer(grpcServer, NewALSServerV3()) - log.Println("Starting ALS Server") - if err := grpcServer.Serve(listener); err != nil { - log.Fatalf("grpc serve err: %v", err) - } - } - - func addMonitor(mux *http.ServeMux) error { - mux.Handle("/metrics", promhttp.HandlerFor(prometheus.DefaultGatherer, promhttp.HandlerOpts{EnableOpenMetrics: true})) - - return nil - } - ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -215,18 +35,8 @@ spec: spec: containers: - name: envoy-als - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . " - image: golang:1.22.3-alpine + image: envoyproxy/gateway-envoy-als + imagePullPolicy: IfNotPresent ports: - containerPort: 8080 - containerPort: 19001 - volumeMounts: - - name: envoy-als - mountPath: /app - volumes: - - name: envoy-als - configMap: - name: envoy-als diff --git a/test/e2e/testdata/direct-response.yaml b/test/e2e/testdata/direct-response.yaml new file mode 100644 index 00000000000..a1d2d81e8bb --- /dev/null +++ b/test/e2e/testdata/direct-response.yaml 
@@ -0,0 +1,64 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: direct-response + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /inline + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-inline + - matches: + - path: + type: PathPrefix + value: /value-ref + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: value-ref-response + namespace: gateway-conformance-infra +data: + response.body: '{"error": "Internal Server Error"}' +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: HTTPRouteFilter +metadata: + name: direct-response-inline + namespace: gateway-conformance-infra +spec: + directResponse: + contentType: text/plain + body: + type: Inline + inline: "Oops! Your request is not found." +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: HTTPRouteFilter +metadata: + name: direct-response-value-ref + namespace: gateway-conformance-infra +spec: + directResponse: + contentType: application/json + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: value-ref-response diff --git a/test/e2e/testdata/ext-auth-grpc-service.yaml b/test/e2e/testdata/ext-auth-grpc-service.yaml index 744be444ba0..587dad8a860 100644 --- a/test/e2e/testdata/ext-auth-grpc-service.yaml +++ b/test/e2e/testdata/ext-auth-grpc-service.yaml 
@@ -1,276 +1,5 @@ --- apiVersion: v1 -kind: ConfigMap -metadata: - name: grpc-ext-auth - namespace: gateway-conformance-infra -data: - go.mod: | - module github.com/envoyproxy/gateway - - go 1.21 - - require ( - github.com/envoyproxy/go-control-plane v0.12.0 - github.com/golang/protobuf v1.5.4 - google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 - google.golang.org/grpc v1.62.1 - ) - - require ( - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/text v0.14.0 // indirect - google.golang.org/protobuf v1.33.0 // indirect - ) - go.sum: | - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= - github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= - github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= - github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= - github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= - github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= - github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= - golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= - golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= - golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= - golang.org/x/sys v0.16.0/go.mod 
h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 h1:IR+hp6ypxjH24bkMfEJ0yHR21+gwPWdV+/IBrPQyn3k= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs= - google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= - google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= - main.go: | - package main - - import ( - "context" - "crypto/tls" - "crypto/x509" - "flag" - "fmt" - "log" - "net" - "net/http" - "os" - "strings" - - envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" - "github.com/golang/protobuf/ptypes/wrappers" - "google.golang.org/genproto/googleapis/rpc/code" - "google.golang.org/genproto/googleapis/rpc/status" - "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - ) - - var ( - port int - certPath string - ) - - func main() { - flag.IntVar(&port, "port", 9002, "gRPC port") - flag.StringVar(&certPath, "certPath", "", "path to server certificate and private key") - flag.Parse() - - lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) - if err != nil { - log.Fatalf("failed to listen to %d: %v", port, err) - } - - users := TestUsers() - - // Load TLS credentials - creds, err := loadTLSCredentials(certPath) - if err != nil { - log.Fatalf("Failed to load TLS credentials: %v", err) - } - gs := grpc.NewServer(grpc.Creds(creds)) - - envoy_service_auth_v3.RegisterAuthorizationServer(gs, 
NewAuthServer(users)) - - log.Printf("starting gRPC server on: %d\n", port) - - go func() { - err = gs.Serve(lis) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - http.HandleFunc("/healthz", healthCheckHandler) - err = http.ListenAndServe(":8080", nil) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - } - - type authServer struct { - users Users - } - - var _ envoy_service_auth_v3.AuthorizationServer = &authServer{} - - // NewAuthServer creates a new authorization server. - func NewAuthServer(users Users) envoy_service_auth_v3.AuthorizationServer { - return &authServer{users} - } - - // Check implements authorization's Check interface which performs authorization check based on the - // attributes associated with the incoming request. - func (s *authServer) Check( - _ context.Context, - req *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) { - authorization := req.Attributes.Request.Http.Headers["authorization"] - log.Println(authorization) - - extracted := strings.Fields(authorization) - if len(extracted) == 2 && extracted[0] == "Bearer" { - valid, user := s.users.Check(extracted[1]) - if valid { - return &envoy_service_auth_v3.CheckResponse{ - HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{ - OkResponse: &envoy_service_auth_v3.OkHttpResponse{ - Headers: []*envoy_api_v3_core.HeaderValueOption{ - { - Append: &wrappers.BoolValue{Value: false}, - Header: &envoy_api_v3_core.HeaderValue{ - // For a successful request, the authorization server sets the - // x-current-user value. - Key: "x-current-user", - Value: user, - }, - }, - }, - }, - }, - Status: &status.Status{ - Code: int32(code.Code_OK), - }, - }, nil - } - } - - return &envoy_service_auth_v3.CheckResponse{ - Status: &status.Status{ - Code: int32(code.Code_PERMISSION_DENIED), - }, - }, nil - } - - // Users holds a list of users. 
- type Users map[string]string - - // Check checks if a key could retrieve a user from a list of users. - func (u Users) Check(key string) (bool, string) { - value, ok := u[key] - if !ok { - return false, "" - } - return ok, value - } - - func TestUsers() Users { - return map[string]string{ - "token1": "user1", - "token2": "user2", - "token3": "user3", - } - } - - func healthCheckHandler(w http.ResponseWriter, r *http.Request) { - certPool, err := loadCA(certPath) - if err != nil { - log.Fatalf("Could not load CA certificate: %v", err) - } - - // Create TLS configuration - tlsConfig := &tls.Config{ - RootCAs: certPool, - } - - // Create gRPC dial options - opts := []grpc.DialOption{ - grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), - } - - conn, err := grpc.Dial("localhost:9002", opts...) - if err != nil { - log.Fatalf("Could not connect: %v", err) - } - client := envoy_service_auth_v3.NewAuthorizationClient(conn) - - response, err := client.Check(context.Background(), &envoy_service_auth_v3.CheckRequest{ - Attributes: &envoy_service_auth_v3.AttributeContext{ - Request: &envoy_service_auth_v3.AttributeContext_Request{ - Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ - Headers: map[string]string{ - "authorization": "Bearer token1", - }, - }, - }, - }, - }) - if err != nil { - log.Fatalf("Could not check: %v", err) - } - if response != nil && response.Status.Code == int32(code.Code_OK) { - w.WriteHeader(http.StatusOK) - } else { - w.WriteHeader(http.StatusServiceUnavailable) - } - } - - func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) { - // Load server's certificate and private key - crt := "server.crt" - key := "server.key" - - if certPath != "" { - if !strings.HasSuffix(certPath, "/") { - certPath = fmt.Sprintf("%s/", certPath) - } - crt = fmt.Sprintf("%s%s", certPath, crt) - key = fmt.Sprintf("%s%s", certPath, key) - } - certificate, err := tls.LoadX509KeyPair(crt, key) - if err != nil { - return nil, 
fmt.Errorf("could not load server key pair: %s", err) - } - - // Create a new credentials object - creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}}) - - return creds, nil - } - - func loadCA(caPath string) (*x509.CertPool, error) { - ca := x509.NewCertPool() - caCertPath := "server.crt" - if caPath != "" { - if !strings.HasSuffix(caPath, "/") { - caPath = fmt.Sprintf("%s/", caPath) - } - caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath) - } - caCert, err := os.ReadFile(caCertPath) - if err != nil { - return nil, fmt.Errorf("could not read ca certificate: %s", err) - } - ca.AppendCertsFromPEM(caCert) - return ca, nil - } ---- -apiVersion: v1 kind: Secret metadata: name: grpc-ext-auth-secret 
@@ -287,39 +16,39 @@ metadata: namespace: gateway-conformance-infra data: ca.crt: | - -----BEGIN CERTIFICATE----- - MIIFqzCCA5OgAwIBAgIUVuzUBkjFNxlNvZ+MPyR1AC7Tqb8wDQYJKoZIhvcNAQEL - BQAwGDEWMBQGA1UEAwwNZ3JwYy1leHQtYXV0aDAeFw0yNDAzMDkwMzUzMTdaFw0z - NDAzMDcwMzUzMTdaMBgxFjAUBgNVBAMMDWdycGMtZXh0LWF1dGgwggIiMA0GCSqG - SIb3DQEBAQUAA4ICDwAwggIKAoICAQCZnjeGlZbDVent0vEvFQZYLR8X/FeMN9O8 - zxFIZu9wGBEHk3Swn/Zxo8maNNB1L7R1/Ns2uT0uGWu/XHuUyRr8nsx3FKmnNLH7 - tXSlllEWSW3NTNt6OiMUqQygBpNlyHDL4WDzMXnwKm4lQaDYjpgsQVO3zIXDVEU2 - 4FFYN5RRdi29PK2TSMlVaktDLbsimXS4Yr0BPdm6GE73j1sSgzXwyFvzkn+AcHTV - u0d7gbOS0R0cE1T+BRIQ1TCB1boFwC5nA63rIC+oIseAIKk88v2OzkWGPx39+9EM - 0TEjmFBtoYqtsmxFVPzbGao+bxfJGH7pnEIctWXuXxaxEdonm0ZUIbjBZlQ9UhrG - qPZp7dpxc+lGafNTVrx0oXl4LKzVTNuJfqIuvpVTSwxNY2hdO0xwjl0VbZ/ojs5Z - UuKSp16KMj+i7gk2cyrLnBTDGaiZq2Uu0gmPV73MKc8LEqoI7g8bi6opAb93hlil - sJCmYkgy6Bw+H3rtLzYx+EpCQf5rZz6CxAd+L/ZHADFcGuTSRDOC6wuDfi4QCIbO - 7r6gso+sznqmRCd8B1vRT/NF6T8IaSY6hbpfFB+7kX1rC++V7NfVx81WKjTPsISi - 80kobVvC8qjvv/6lCDHvL5fbZb6bu0HoE7y3+YkaOXhKNpwGifPOkhm38O8Gwo41 - wM6mUnGtvwIDAQABo4HsMIHpMB0GA1UdDgQWBBQFwa6nI2fNbFi/gBpoGWzaiGba - zzAfBgNVHSMEGDAWgBQFwa6nI2fNbFi/gBpoGWzaiGbazzAJBgNVHRMEAjAAMAsG - A1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATBMBgNVHREERTBDgg1ncnBj - LWV4dC1hdXRogidncnBjLWV4dC1hdXRoLmdhdGV3YXktY29uZm9ybWFuY2UtaW5m - cmGCCWxvY2FsaG9zdDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg - Q2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBAJIzSoC9PQ/R8f02p+4DWvTz - W78vKJIxiLko7onR1qt0H2OLv5Kc4atnT/jxt7VZWy4UJkfj0bVqTuWU4WyahmlH - b1QKwWiX3bjv+swbo8/wZJ22sHw0boqn0GVrgrQX0hEbh6T47eYCcBtvgVVmCKnr - issmU0Hhpox6roT3wan8l9dFD4xo9ihq4rHuorBlIMCgvEhdIUHT0wyX2z4KXRSZ - bgE8ezUgoyueOjgoE6agLbtK8KUUQWfLLqgFQOs8rA7HfvnQxB7wiJduvIdeyf+i - tn7fQVCqpWzsHuGfvY3ivjnAcQb9Toq+Q4I+/Xtq17Gh39go6+1nm/V/oJPEagEg - XL+OzcOF6cOMD7Zyov3PWVbJmRFsqvi2/ijf8vtgm5fGUFRIcJKZak7f4C9D5Cij - +3yyi8PhoQHyqC6q+GMEaxs2FCXWAmo1xWU67pCCYOMgegKcmXahGhVDpwTuuDsH - e1QwTLfMACks0vQWt9lL0u17OtqzQ94zNtLE9dSuLaZvSXqi0PjIVquMuqUBu9v8 - 
01Z1TVBfFwUNO0tgUAiMRMcVlfjKj3fE0xNZeB/mXhvaiy5hZa6vUqIrEc9yxrIw - uCo3Acgff9aF+3AUBX4oWiaDmP0ZL5V0rD0dVSWeAmjagWUtTsVFzY8cbyOG6hWx - iFI1UfLQ/CuOtNsDTbi0 - -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFqzCCA5OgAwIBAgIUVuzUBkjFNxlNvZ+MPyR1AC7Tqb8wDQYJKoZIhvcNAQEL + BQAwGDEWMBQGA1UEAwwNZ3JwYy1leHQtYXV0aDAeFw0yNDAzMDkwMzUzMTdaFw0z + NDAzMDcwMzUzMTdaMBgxFjAUBgNVBAMMDWdycGMtZXh0LWF1dGgwggIiMA0GCSqG + SIb3DQEBAQUAA4ICDwAwggIKAoICAQCZnjeGlZbDVent0vEvFQZYLR8X/FeMN9O8 + zxFIZu9wGBEHk3Swn/Zxo8maNNB1L7R1/Ns2uT0uGWu/XHuUyRr8nsx3FKmnNLH7 + tXSlllEWSW3NTNt6OiMUqQygBpNlyHDL4WDzMXnwKm4lQaDYjpgsQVO3zIXDVEU2 + 4FFYN5RRdi29PK2TSMlVaktDLbsimXS4Yr0BPdm6GE73j1sSgzXwyFvzkn+AcHTV + u0d7gbOS0R0cE1T+BRIQ1TCB1boFwC5nA63rIC+oIseAIKk88v2OzkWGPx39+9EM + 0TEjmFBtoYqtsmxFVPzbGao+bxfJGH7pnEIctWXuXxaxEdonm0ZUIbjBZlQ9UhrG + qPZp7dpxc+lGafNTVrx0oXl4LKzVTNuJfqIuvpVTSwxNY2hdO0xwjl0VbZ/ojs5Z + UuKSp16KMj+i7gk2cyrLnBTDGaiZq2Uu0gmPV73MKc8LEqoI7g8bi6opAb93hlil + sJCmYkgy6Bw+H3rtLzYx+EpCQf5rZz6CxAd+L/ZHADFcGuTSRDOC6wuDfi4QCIbO + 7r6gso+sznqmRCd8B1vRT/NF6T8IaSY6hbpfFB+7kX1rC++V7NfVx81WKjTPsISi + 80kobVvC8qjvv/6lCDHvL5fbZb6bu0HoE7y3+YkaOXhKNpwGifPOkhm38O8Gwo41 + wM6mUnGtvwIDAQABo4HsMIHpMB0GA1UdDgQWBBQFwa6nI2fNbFi/gBpoGWzaiGba + zzAfBgNVHSMEGDAWgBQFwa6nI2fNbFi/gBpoGWzaiGbazzAJBgNVHRMEAjAAMAsG + A1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATBMBgNVHREERTBDgg1ncnBj + LWV4dC1hdXRogidncnBjLWV4dC1hdXRoLmdhdGV3YXktY29uZm9ybWFuY2UtaW5m + cmGCCWxvY2FsaG9zdDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg + Q2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBAJIzSoC9PQ/R8f02p+4DWvTz + W78vKJIxiLko7onR1qt0H2OLv5Kc4atnT/jxt7VZWy4UJkfj0bVqTuWU4WyahmlH + b1QKwWiX3bjv+swbo8/wZJ22sHw0boqn0GVrgrQX0hEbh6T47eYCcBtvgVVmCKnr + issmU0Hhpox6roT3wan8l9dFD4xo9ihq4rHuorBlIMCgvEhdIUHT0wyX2z4KXRSZ + bgE8ezUgoyueOjgoE6agLbtK8KUUQWfLLqgFQOs8rA7HfvnQxB7wiJduvIdeyf+i + tn7fQVCqpWzsHuGfvY3ivjnAcQb9Toq+Q4I+/Xtq17Gh39go6+1nm/V/oJPEagEg + XL+OzcOF6cOMD7Zyov3PWVbJmRFsqvi2/ijf8vtgm5fGUFRIcJKZak7f4C9D5Cij + 
+3yyi8PhoQHyqC6q+GMEaxs2FCXWAmo1xWU67pCCYOMgegKcmXahGhVDpwTuuDsH + e1QwTLfMACks0vQWt9lL0u17OtqzQ94zNtLE9dSuLaZvSXqi0PjIVquMuqUBu9v8 + 01Z1TVBfFwUNO0tgUAiMRMcVlfjKj3fE0xNZeB/mXhvaiy5hZa6vUqIrEc9yxrIw + uCo3Acgff9aF+3AUBX4oWiaDmP0ZL5V0rD0dVSWeAmjagWUtTsVFzY8cbyOG6hWx + iFI1UfLQ/CuOtNsDTbi0 + -----END CERTIFICATE----- --- apiVersion: apps/v1 kind: Deployment @@ -337,35 +66,30 @@ spec: app: grpc-ext-auth spec: containers: - - name: golang-app-container - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . --certPath=/app-live/certs/ " - image: golang:1.21.3-alpine - ports: - - containerPort: 8000 - volumeMounts: - - name: grpc-ext-auth - mountPath: /app - - name: grpc-ext-auth-secret - mountPath: /app/certs - readinessProbe: - httpGet: - path: /healthz - port: 8080 + - name: golang-app-container + command: + - /grpc-ext-auth + - "--certPath=/app/certs" + image: envoyproxy/gateway-grpc-ext-auth:latest + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8000 + volumeMounts: + - name: grpc-ext-auth-secret + mountPath: /app/certs + readinessProbe: + httpGet: + path: /healthz + port: 8080 volumes: - - name: grpc-ext-auth - configMap: - name: grpc-ext-auth - - name: grpc-ext-auth-secret - secret: - secretName: grpc-ext-auth-secret - items: - - key: tls.crt - path: server.crt - - key: tls.key - path: server.key + - name: grpc-ext-auth-secret + secret: + secretName: grpc-ext-auth-secret + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key --- apiVersion: v1 kind: Service @@ -376,6 +100,6 @@ spec: selector: app: grpc-ext-auth ports: - - protocol: TCP - port: 9002 - targetPort: 9002 + - protocol: TCP + port: 9002 + targetPort: 9002 diff --git a/test/e2e/testdata/ext-auth-http-service.yaml b/test/e2e/testdata/ext-auth-http-service.yaml index cf08cc20751..a4e96928292 100644 --- a/test/e2e/testdata/ext-auth-http-service.yaml +++ b/test/e2e/testdata/ext-auth-http-service.yaml 
@@ -1,45 +1,4 @@ --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: http-ext-auth - namespace: gateway-conformance-infra -data: - http-ext-auth.js: | - const Http = require("http"); - const path = require("path"); - - const tokens = { - "token1": "user1", - "token2": "user2", - "token3": "user3" - }; - - const server = new Http.Server((req, res) => { - const authorization = req.headers["authorization"] || ""; - const extracted = authorization.split(" "); - if (extracted.length === 2 && extracted[0] === "Bearer") { - const user = checkToken(extracted[1]); - console.log(`token: "${extracted[1]}" user: "${user}`); - if (user !== undefined) { - // The authorization server returns a response with "x-current-user" header for a successful - // request. - res.writeHead(200, { "x-current-user": user }); - return res.end(); - } - } - res.writeHead(403); - res.end(); - }); - - const port = process.env.PORT || 9002; - server.listen(port); - console.log(`starting HTTP server on: ${port}`); - - function checkToken(token) { - return tokens[token]; - } ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -56,26 +15,17 @@ spec: app: http-ext-auth spec: containers: - - name: http-ext-auth - command: - - node - - /usr/src/app/http-ext-auth.js - image: node:19-bullseye - ports: - - containerPort: 9002 - volumeMounts: - name: http-ext-auth - mountPath: /usr/src/app - readinessProbe: - httpGet: - httpHeaders: - - name: authorization - value: "Bearer token1" - port: 9002 - volumes: - - name: http-ext-auth - configMap: - name: http-ext-auth + image: envoyproxy/gateway-http-ext-auth + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9002 + readinessProbe: + httpGet: + httpHeaders: + - name: authorization + value: "Bearer token1" + port: 9002 --- apiVersion: v1 kind: Service @@ -86,6 +36,6 @@ spec: selector: app: http-ext-auth ports: - - protocol: TCP - port: 9002 - targetPort: 9002 + - protocol: TCP + port: 9002 + targetPort: 9002 
diff --git a/test/e2e/testdata/ext-proc-service.yaml b/test/e2e/testdata/ext-proc-service.yaml index 23b325f2031..3dc4796e123 100644 --- a/test/e2e/testdata/ext-proc-service.yaml +++ b/test/e2e/testdata/ext-proc-service.yaml 
@@ -1,343 +1,3 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: grpc-ext-proc - namespace: gateway-conformance-infra -data: - go.mod: | - module github.com/envoyproxy/gateway - - go 1.22 - - require ( - github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8 - google.golang.org/grpc v1.62.1 - ) - - require ( - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect - github.com/golang/protobuf v1.5.4 // indirect - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/text v0.14.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect - google.golang.org/protobuf v1.33.0 // indirect - ) - go.sum: | - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= - github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8 h1:Zghtu+wdlGvrmutCyhU9Ew5ozU18PVpxP+zGSgyUpFs= - github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8/go.mod h1:YtsM9q/kVkKyvmemY+BF/ZK7I93OWsx4uk4Do2Mr/OA= - github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= - github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= - github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= - github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 
h1:pH+U6pJP0BhxqQ4njBUjOg0++WMMvv3eByWzB+oATBY= - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= - golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= - golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= - golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= - golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s= - google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= - google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= - main.go: | - package main - - import ( - "context" - "crypto/tls" - "crypto/x509" - "flag" - "fmt" - "io" - "log" - "net" - "net/http" - "os" - "strings" - - "google.golang.org/grpc/credentials" - - envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - envoy_service_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3" - - "google.golang.org/grpc" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - ) - - type extProcServer struct{} - - var ( - port int - certPath string - ) - - func main() { - flag.IntVar(&port, "port", 9002, "gRPC port") - flag.StringVar(&certPath, "certPath", "", "path to extProcServer certificate and private key") - flag.Parse() - - lis, err := 
net.Listen("tcp", fmt.Sprintf(":%d", port)) - if err != nil { - log.Fatalf("failed to listen: %v", err) - } - - creds, err := loadTLSCredentials(certPath) - if err != nil { - log.Fatalf("Failed to load TLS credentials: %v", err) - } - gs := grpc.NewServer(grpc.Creds(creds)) - envoy_service_proc_v3.RegisterExternalProcessorServer(gs, &extProcServer{}) - - go func() { - err = gs.Serve(lis) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - // Create Unix listener - gus := grpc.NewServer(grpc.Creds(creds)) - envoy_service_proc_v3.RegisterExternalProcessorServer(gus, &extProcServer{}) - - udsAddr := "/var/run/ext-proc/extproc.sock" - if _, err := os.Stat(udsAddr); err == nil { - if err := os.RemoveAll(udsAddr); err != nil { - log.Fatalf("failed to remove: %v", err) - } - } - - ul, err := net.Listen("unix", udsAddr) - if err != nil { - log.Fatalf("failed to listen: %v", err) - } - - err = os.Chmod(udsAddr, 0700) - if err != nil { - log.Fatalf("failed to set permissions: %v", err) - } - - // envoy distroless uid - err = os.Chown(udsAddr, 65532, 0) - if err != nil { - log.Fatalf("failed to set permissions: %v", err) - } - - go func() { - err = gus.Serve(ul) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - http.HandleFunc("/healthz", healthCheckHandler) - err = http.ListenAndServe(":8080", nil) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - } - - // used by k8s readiness probes - // makes a processing request to check if the processor service is healthy - func healthCheckHandler(w http.ResponseWriter, r *http.Request) { - certPool, err := loadCA(certPath) - if err != nil { - log.Fatalf("Could not load CA certificate: %v", err) - } - - // Create TLS configuration - tlsConfig := &tls.Config{ - RootCAs: certPool, - ServerName: "grpc-ext-proc.envoygateway", - } - - // Create gRPC dial options - opts := []grpc.DialOption{ - grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), - } - - conn, err := 
grpc.Dial("localhost:9002", opts...) - if err != nil { - log.Fatalf("Could not connect: %v", err) - } - client := envoy_service_proc_v3.NewExternalProcessorClient(conn) - - processor, err := client.Process(context.Background()) - if err != nil { - log.Fatalf("Could not check: %v", err) - } - - err = processor.Send(&envoy_service_proc_v3.ProcessingRequest{ - Request: &envoy_service_proc_v3.ProcessingRequest_RequestHeaders{ - RequestHeaders: &envoy_service_proc_v3.HttpHeaders{}, - }, - }) - if err != nil { - log.Fatalf("Could not check: %v", err) - } - - response, err := processor.Recv() - if err != nil { - log.Fatalf("Could not check: %v", err) - } - - if response != nil && response.GetRequestHeaders().Response.Status == envoy_service_proc_v3.CommonResponse_CONTINUE { - w.WriteHeader(http.StatusOK) - } else { - w.WriteHeader(http.StatusServiceUnavailable) - } - } - - func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) { - // Load extProcServer's certificate and private key - crt := "server.crt" - key := "server.key" - - if certPath != "" { - if !strings.HasSuffix(certPath, "/") { - certPath = fmt.Sprintf("%s/", certPath) - } - crt = fmt.Sprintf("%s%s", certPath, crt) - key = fmt.Sprintf("%s%s", certPath, key) - } - certificate, err := tls.LoadX509KeyPair(crt, key) - if err != nil { - return nil, fmt.Errorf("could not load extProcServer key pair: %s", err) - } - - // Create a new credentials object - creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}}) - - return creds, nil - } - - func loadCA(caPath string) (*x509.CertPool, error) { - ca := x509.NewCertPool() - caCertPath := "server.crt" - if caPath != "" { - if !strings.HasSuffix(caPath, "/") { - caPath = fmt.Sprintf("%s/", caPath) - } - caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath) - } - caCert, err := os.ReadFile(caCertPath) - if err != nil { - return nil, fmt.Errorf("could not read ca certificate: %s", err) - } - 
ca.AppendCertsFromPEM(caCert) - return ca, nil - } - - func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_ProcessServer) error { - ctx := srv.Context() - for { - select { - case <-ctx.Done(): - return ctx.Err() - default: - } - req, err := srv.Recv() - if err == io.EOF { - return nil - } - if err != nil { - return status.Errorf(codes.Unknown, "cannot receive stream request: %v", err) - } - - resp := &envoy_service_proc_v3.ProcessingResponse{} - switch v := req.Request.(type) { - case *envoy_service_proc_v3.ProcessingRequest_RequestHeaders: - xrch := "" - if v.RequestHeaders != nil { - hdrs := v.RequestHeaders.Headers.GetHeaders() - for _, hdr := range hdrs { - if hdr.Key == "x-request-client-header" { - xrch = string(hdr.RawValue) - } - } - } - - rhq := &envoy_service_proc_v3.HeadersResponse{ - Response: &envoy_service_proc_v3.CommonResponse{ - HeaderMutation: &envoy_service_proc_v3.HeaderMutation{ - SetHeaders: []*envoy_api_v3_core.HeaderValueOption{ - { - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-request-ext-processed", - RawValue: []byte("true"), - }, - }, - }, - }, - }, - } - - if xrch != "" { - rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders, - &envoy_api_v3_core.HeaderValueOption{ - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-request-client-header", - RawValue: []byte("mutated"), - }, - }) - rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders, - &envoy_api_v3_core.HeaderValueOption{ - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-request-client-header-received", - RawValue: []byte(xrch), - }, - }) - } - - resp = &envoy_service_proc_v3.ProcessingResponse{ - Response: &envoy_service_proc_v3.ProcessingResponse_RequestHeaders{ - RequestHeaders: rhq, - }, - } - break - case *envoy_service_proc_v3.ProcessingRequest_ResponseHeaders: - rhq := &envoy_service_proc_v3.HeadersResponse{ - Response: &envoy_service_proc_v3.CommonResponse{ - HeaderMutation: 
&envoy_service_proc_v3.HeaderMutation{ - SetHeaders: []*envoy_api_v3_core.HeaderValueOption{ - { - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-response-ext-processed", - RawValue: []byte("true"), - }, - }, - }, - }, - }, - } - resp = &envoy_service_proc_v3.ProcessingResponse{ - Response: &envoy_service_proc_v3.ProcessingResponse_ResponseHeaders{ - ResponseHeaders: rhq, - }, - } - break - default: - log.Printf("Unknown Request type %v\n", v) - } - if err := srv.Send(resp); err != nil { - log.Printf("send error %v", err) - } - } - } - - --- apiVersion: v1 kind: Secret @@ -394,16 +54,13 @@ spec: spec: containers: - name: golang-app-container - command: - - sh - - "-c" - - "cd /app && go run . --certPath=/app/certs/" - image: golang:1.22.3-alpine + image: envoyproxy/gateway-grpc-ext-proc:latest + imagePullPolicy: IfNotPresent + args: + - --certPath=/app/certs/ ports: - containerPort: 8000 volumeMounts: - - name: grpc-ext-proc - mountPath: /app - name: grpc-ext-proc-secret mountPath: /app/certs - name: socket-dir @@ -413,9 +70,6 @@ spec: path: /healthz port: 8080 volumes: - - name: grpc-ext-proc - configMap: - name: grpc-ext-proc - name: grpc-ext-proc-secret secret: secretName: grpc-ext-proc-secret diff --git a/test/e2e/testdata/gateway-with-envoyproxy.yaml b/test/e2e/testdata/gateway-with-envoyproxy.yaml new file mode 100644 index 00000000000..0d04562c13d --- /dev/null +++ b/test/e2e/testdata/gateway-with-envoyproxy.yaml 
@@ -0,0 +1,49 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: gateway-with-envoyproxy + namespace: gateway-conformance-infra +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + namespace: gateway-conformance-infra + name: test +spec: + routingType: Service +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-route + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: gateway-with-envoyproxy + rules: + - matches: + - path: + value: / + backendRefs: + - name: infra-backend-v1 + port: 8080 + filters: + - type: ResponseHeaderModifier + responseHeaderModifier: + add: + - name: upstream-host + value: '%UPSTREAM_HOST%' diff --git a/test/e2e/testdata/oidc-keycloak.yaml b/test/e2e/testdata/oidc-keycloak.yaml index 5e7eca54013..8921b9eb204 100644 --- a/test/e2e/testdata/oidc-keycloak.yaml +++ b/test/e2e/testdata/oidc-keycloak.yaml @@ -43,7 +43,7 @@ spec: serviceAccountName: keycloak containers: - name: keycloak - image: quay.io/keycloak/keycloak:23.0.6 + image: quay.io/keycloak/keycloak:26.0.4 imagePullPolicy: IfNotPresent args: - "start-dev" diff --git a/test/e2e/testdata/preserve-case.yaml b/test/e2e/testdata/preserve-case.yaml index c815a19e332..52f061662d1 100644 --- a/test/e2e/testdata/preserve-case.yaml +++ b/test/e2e/testdata/preserve-case.yaml @@ -1,3 +1,9 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-preserve-case-backend +--- apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: 
@@ -5,12 +11,12 @@ metadata: namespace: gateway-preserve-case-backend spec: from: - - group: gateway.networking.k8s.io - kind: HTTPRoute - namespace: gateway-conformance-infra + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: gateway-conformance-infra to: - - group: "" - kind: Service + - group: "" + kind: Service --- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: ClientTrafficPolicy @@ -19,9 +25,9 @@ metadata: namespace: gateway-conformance-infra spec: targetRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: same-namespace + - group: gateway.networking.k8s.io + kind: Gateway + name: same-namespace http1: preserveHeaderCase: true --- @@ -32,13 +38,48 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - name: same-namespace + - name: same-namespace rules: - - matches: - - path: - type: PathPrefix - value: /preserve - backendRefs: - - name: fasthttp-backend - namespace: gateway-preserve-case-backend + - matches: + - path: + type: PathPrefix + value: /preserve + backendRefs: + - name: fasthttp-backend + namespace: gateway-preserve-case-backend + port: 8000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: preserve-case + namespace: gateway-preserve-case-backend +spec: + replicas: 1 + selector: + matchLabels: + app: preserve-case + template: + metadata: + labels: + app: preserve-case + spec: + containers: + - name: preserve-case + image: envoyproxy/gateway-preserve-case-backend + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8000 +--- +apiVersion: v1 +kind: Service +metadata: + name: fasthttp-backend + namespace: gateway-preserve-case-backend +spec: + selector: + app: preserve-case + ports: + - protocol: TCP port: 8000 + targetPort: 8000 diff --git a/test/e2e/testdata/wasm-http.yaml b/test/e2e/testdata/wasm-http.yaml index 2bc1aae0ab3..856d381a517 100644 --- a/test/e2e/testdata/wasm-http.yaml +++ b/test/e2e/testdata/wasm-http.yaml 
@@ -19,6 +19,24 @@ spec: --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute +metadata: + name: http-with-http-wasm-source-no-sha + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + hostnames: ["www.example.com"] + rules: + - matches: + - path: + type: PathPrefix + value: /wasm-http-no-sha + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute metadata: name: http-without-wasm namespace: gateway-conformance-infra @@ -53,3 +71,21 @@ spec: http: url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyExtensionPolicy +metadata: + name: http-wasm-source-test-no-sha + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-with-http-wasm-source-no-sha + wasm: + - name: wasm-filter + rootID: my_root_id + code: + type: HTTP + http: + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm diff --git a/test/e2e/tests/accesslog.go b/test/e2e/tests/accesslog.go index b2c9a28ac94..4edc12f7c55 100644 --- a/test/e2e/tests/accesslog.go +++ b/test/e2e/tests/accesslog.go @@ -30,9 +30,9 @@ var FileAccessLogTest = suite.ConformanceTest{ Manifests: []string{"testdata/accesslog-file.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { labels := map[string]string{ - "job": "fluentbit", - "k8s_namespace_name": "envoy-gateway-system", - "k8s_container_name": "envoy", + "job": "envoy-gateway-system/envoy", + "namespace": "envoy-gateway-system", + "container": "envoy", } match := "test-annotation-value" diff --git a/test/e2e/tests/authorization_client_ip.go b/test/e2e/tests/authorization_client_ip.go index 8887c46b1a0..698a4d73a6a 100644 
--- a/test/e2e/tests/authorization_client_ip.go +++ b/test/e2e/tests/authorization_client_ip.go @@ -26,7 +26,7 @@ func init() { } var AuthorizationClientIPTest = suite.ConformanceTest{ - ShortName: "Authorization with client IP", + ShortName: "AuthzWithClientIP", Description: "Authorization with client IP Allow/Deny list", Manifests: []string{"testdata/authorization-client-ip.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/authorization_default_action.go b/test/e2e/tests/authorization_default_action.go index 88462808dd9..81345fa3ee9 100644 --- a/test/e2e/tests/authorization_default_action.go +++ b/test/e2e/tests/authorization_default_action.go @@ -26,7 +26,7 @@ func init() { } var AuthorizationDefaultActionTest = suite.ConformanceTest{ - ShortName: "Authorization with default actions", + ShortName: "AuthzWithDefaultActions", Description: "Authorization with default actions", Manifests: []string{"testdata/authorization-default-action.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/authorization_jwt.go b/test/e2e/tests/authorization_jwt.go index 66f5a526a2d..635bdbc451c 100644 --- a/test/e2e/tests/authorization_jwt.go +++ b/test/e2e/tests/authorization_jwt.go @@ -59,7 +59,7 @@ func init() { } var AuthorizationJWTTest = suite.ConformanceTest{ - ShortName: "Authorization with jwt claims and scopes", + ShortName: "AuthzWithJWTClaimsScopes", Description: "Authorization with jwt claims and scopes", Manifests: []string{"testdata/authorization-jwt.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/backend_tls_settings.go b/test/e2e/tests/backend_tls_settings.go index e007a791fdd..6545be196da 100644 --- a/test/e2e/tests/backend_tls_settings.go +++ b/test/e2e/tests/backend_tls_settings.go 
@@ -46,7 +46,7 @@ func init() { } var BackendTLSSettingsTest = suite.ConformanceTest{ - ShortName: "Backend tls settings", + ShortName: "BackendTLSSettings", Description: "Use envoy proxy tls settings with backend", Manifests: []string{"testdata/backend-tls-settings.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/direct-response.go b/test/e2e/tests/direct-response.go new file mode 100644 index 00000000000..12c667fdd30 --- /dev/null +++ b/test/e2e/tests/direct-response.go @@ -0,0 +1,38 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, DirectResponseTest) +} + +var DirectResponseTest = suite.ConformanceTest{ + ShortName: "DirectResponse", + Description: "Direct", + Manifests: []string{"testdata/direct-response.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("direct response", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "direct-response", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN) + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/inline", "text/plain", "Oops! Your request is not found.") + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/value-ref", "application/json", `{"error": "Internal Server Error"}`) + }) + }, +} 
diff --git a/test/e2e/tests/gateway_infra_resource.go b/test/e2e/tests/gateway_infra_resource.go index 213b6de1238..0a92f9d311e 100644 --- a/test/e2e/tests/gateway_infra_resource.go +++ b/test/e2e/tests/gateway_infra_resource.go @@ -27,7 +27,7 @@ func init() { } var GatewayInfraResourceTest = suite.ConformanceTest{ - ShortName: "GatewayInfraResourceTest", + ShortName: "GatewayInfraResource", Description: "Gateway Infra Resource E2E Test", Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { gatewayTypeMeta := metav1.TypeMeta{ diff --git a/test/e2e/tests/gatewayt-with-envoyproxy.go b/test/e2e/tests/gatewayt-with-envoyproxy.go new file mode 100644 index 00000000000..ec9f7252a5e --- /dev/null +++ b/test/e2e/tests/gatewayt-with-envoyproxy.go 
@@ -0,0 +1,59 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "context" + "testing" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, GatewayWithEnvoyProxy) +} + +var GatewayWithEnvoyProxy = suite.ConformanceTest{ + ShortName: "GatewayWithEnvoyProxy", + Description: "Attach an EnvoyProxy to a Gateway", + Manifests: []string{"testdata/gateway-with-envoyproxy.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("Attach an EnvoyProxy to a Gateway and set RoutingType to Service", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "http-route", Namespace: ns} + gwNN := types.NamespacedName{Name: "gateway-with-envoyproxy", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + backendNN := types.NamespacedName{Name: "infra-backend-v1", Namespace: ns} + svc := corev1.Service{} + require.NoError(t, suite.Client.Get(context.Background(), backendNN, &svc)) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/basic-auth-1", + }, + Response: http.Response{ + StatusCode: 200, + + // Verify that the RouteType is set to Service by the attached EnvoyProxy + Headers: map[string]string{ + "upstream-host": svc.Spec.ClusterIP + ":8080", + }, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + }, +} 
diff --git a/test/e2e/tests/oidc-backendcluster.go b/test/e2e/tests/oidc-backendcluster.go index b2bcc93cecb..146c5f194ab 100644 --- a/test/e2e/tests/oidc-backendcluster.go +++ b/test/e2e/tests/oidc-backendcluster.go @@ -18,7 +18,7 @@ func init() { ConformanceTests = append(ConformanceTests, OIDCBackendClusterTest) } -// OIDCTest tests OIDC authentication for an http route with OIDC configured. +// OIDCBackendClusterTest tests OIDC authentication for an http route with OIDC configured. // The http route points to an application to verify that OIDC authentication works on application/http path level. var OIDCBackendClusterTest = suite.ConformanceTest{ ShortName: "OIDC with BackendCluster", @@ -26,12 +26,7 @@ var OIDCBackendClusterTest = suite.ConformanceTest{ Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy-backendcluster.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("oidc provider represented by a BackendCluster", func(t *testing.T) { - // Add a function to dump current cluster status - t.Cleanup(func() { - CollectAndDump(t, suite.RestConfig) - }) - - testOIDC(t, suite) + testOIDC(t, suite, "testdata/oidc-securitypolicy-backendcluster.yaml") }) }, } diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index f03512c1e27..ccc11bc02c5 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go @@ -17,6 +17,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -26,6 +27,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) 
@@ -48,12 +50,7 @@ var OIDCTest = suite.ConformanceTest{ Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("oidc provider represented by a URL", func(t *testing.T) { - // Add a function to dump current cluster status - t.Cleanup(func() { - CollectAndDump(t, suite.RestConfig) - }) - - testOIDC(t, suite) + testOIDC(t, suite, "testdata/oidc-securitypolicy.yaml") }) t.Run("http route without oidc authentication", func(t *testing.T) { @@ -97,7 +94,7 @@ var OIDCTest = suite.ConformanceTest{ }, } -func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { +func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyManifest string) { var ( testURL = "http://www.example.com/myapp" logoutURL = "http://www.example.com/myapp/logout" @@ -124,7 +121,7 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { WaitForPods(t, suite.Client, ns, map[string]string{"job-name": "setup-keycloak"}, corev1.PodSucceeded, podInitialized) // Initialize the test OIDC client that will keep track of the state of the OIDC login process - client, err := NewOIDCTestClient( + oidcClient, err := NewOIDCTestClient( WithLoggingOptions(t.Log, true), // Map the application and keycloak cluster DNS name to the gateway address WithCustomAddressMappings(map[string]string{ 
@@ -140,13 +137,31 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { // Send a request to the http route with OIDC configured. // It will be redirected to the keycloak login page - res, err := client.Get(testURL, true) - require.NoError(t, err, "Failed to get the login page") - require.Equal(t, 200, res.StatusCode, "Expected 200 OK") + res, err := oidcClient.Get(testURL, true) + if err != nil { + tlog.Logf(t, "failed to get the login page: %v", err) + return false, nil + } + if res.StatusCode != http.StatusOK { + tlog.Logf(t, "Failed to get the login page, expected 200 OK, got %d", res.StatusCode) + return false, nil + } // Parse the response body to get the URL where the login page would post the user-entered credentials - if err := client.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil { + if err := oidcClient.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil { tlog.Logf(t, "failed to parse login form: %v", err) + // recreate the security policy to force repushing the configuration to the envoy proxy to recover from the error. + // This is a workaround for the flaky test: https://github.com/envoyproxy/gateway/issues/3898 + // TODO: we should investigate the root cause of the flakiness and remove this workaround + existingSP := &egv1a1.SecurityPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: ns, + Name: sp, + }, + } + require.NoError(t, suite.Client.Delete(context.TODO(), existingSP)) + suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, securityPolicyManifest, false) + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: sp, Namespace: ns}, suite.ControllerName, ancestorRef) return false, nil } 
@@ -158,7 +173,7 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { // Submit the login form to the IdP. // This will authenticate and redirect back to the application - res, err := client.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) + res, err := oidcClient.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) require.NoError(t, err, "Failed to login to the IdP") // Verify that we get the expected response from the application @@ -168,14 +183,14 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") // Verify that we can access the application without logging in again - res, err = client.Get(testURL, false) + res, err = oidcClient.Get(testURL, false) require.NoError(t, err) require.Equal(t, http.StatusOK, res.StatusCode) require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") // Verify that we can logout // Note: OAuth2 filter just clears its cookies and does not log out from the IdP. - res, err = client.Get(logoutURL, false) + res, err = oidcClient.Get(logoutURL, false) require.NoError(t, err) require.Equal(t, http.StatusFound, res.StatusCode) diff --git a/test/e2e/tests/preservecase.go b/test/e2e/tests/preservecase.go index 82e865aaad0..6c81dfe5092 100644 --- a/test/e2e/tests/preservecase.go +++ b/test/e2e/tests/preservecase.go @@ -17,6 +17,7 @@ import ( "regexp" "testing" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" 
@@ -101,7 +102,7 @@ func casePreservingRoundTrip(request roundtripper.Request, transport nethttp.Rou } var PreserveCaseTest = suite.ConformanceTest{ - ShortName: "Preserve Case", + ShortName: "PreserveCase", Description: "Preserve header cases", Manifests: []string{"testdata/preserve-case.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { @@ -111,6 +112,7 @@ var PreserveCaseTest = suite.ConformanceTest{ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + WaitForPods(t, suite.Client, "gateway-preserve-case-backend", map[string]string{"app": "preserve-case"}, corev1.PodRunning, PodReady) // Can't use the standard method for checking the response, since the remote side isn't the // conformance echo server and it returns a differently formatted response. expectedResponse := http.ExpectedResponse{ diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index d1e18f74b92..17ce6d245cf 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go @@ -9,7 +9,6 @@ package tests import ( "context" - "fmt" "net" "testing" "time" @@ -495,7 +494,7 @@ var RateLimitMultipleListenersTest = suite.ConformanceTest{ gwPorts := []string{"80", "8080"} for _, port := range gwPorts { - gwAddr = fmt.Sprintf("%s:%s", gwIP, port) + gwAddr = net.JoinHostPort(gwIP, port) ratelimitHeader := make(map[string]string) expectOkResp := http.ExpectedResponse{ diff --git a/test/e2e/tests/response-override.go b/test/e2e/tests/response-override.go index b21db88e242..c7c12bd2c10 100644 --- a/test/e2e/tests/response-override.go +++ b/test/e2e/tests/response-override.go 
@@ -8,18 +8,20 @@ package tests import ( - "fmt" "io" "net/http" "net/url" "testing" + "time" "k8s.io/apimachinery/pkg/types" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/gateway-api/conformance/utils/config" httputils "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" + "sigs.k8s.io/gateway-api/conformance/utils/tlog" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" 
@@ -47,37 +49,47 @@ var ResponseOverrideTest = suite.ConformanceTest{ Name: gwapiv1.ObjectName(gwNN.Name), } BackendTrafficPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "response-override", Namespace: ns}, suite.ControllerName, ancestorRef) - verifyResponseOverride(t, gwAddr, 404, "text/plain", "Oops! Your request is not found.") - verifyResponseOverride(t, gwAddr, 500, "application/json", `{"error": "Internal Server Error"}`) + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/404", "text/plain", "Oops! Your request is not found.") + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/500", "application/json", `{"error": "Internal Server Error"}`) }) }, } -func verifyResponseOverride(t *testing.T, gwAddr string, statusCode int, expectedContentType string, expectedBody string) { +func verifyCustomResponse(t *testing.T, timeoutConfig config.TimeoutConfig, gwAddr, path, expectedContentType, expectedBody string) { reqURL := url.URL{ Scheme: "http", Host: httputils.CalculateHost(t, gwAddr, "http"), - Path: fmt.Sprintf("/status/%d", statusCode), + Path: path, } - rsp, err := http.Get(reqURL.String()) - if err != nil { - t.Fatalf("failed to get response: %v", err) - } + httputils.AwaitConvergence(t, timeoutConfig.RequiredConsecutiveSuccesses, timeoutConfig.MaxTimeToConsistency, func(elapsed time.Duration) bool { + rsp, err := http.Get(reqURL.String()) + if err != nil { + tlog.Logf(t, "failed to get response: %v", err) + return false + } - // Verify that the response body is overridden - defer rsp.Body.Close() - body, err := io.ReadAll(rsp.Body) - if err != nil { - t.Fatalf("failed to read response body: %v", err) - } - if string(body) != expectedBody { - t.Errorf("expected response body to be %s but got %s", expectedBody, string(body)) - } + // Verify that the response body is overridden + defer rsp.Body.Close() + body, err := io.ReadAll(rsp.Body) + if err != nil { + tlog.Logf(t, "failed to read response body: %v", err) + return 
false + } + if string(body) != expectedBody { + tlog.Logf(t, "expected response body to be %s but got %s", expectedBody, string(body)) + return false + } - // Verify that the content type is overridden - contentType := rsp.Header.Get("Content-Type") - if contentType != expectedContentType { - t.Errorf("expected content type to be %s but got %s", expectedContentType, contentType) - } + // Verify that the content type is overridden + contentType := rsp.Header.Get("Content-Type") + if contentType != expectedContentType { + tlog.Logf(t, "expected content type to be %s but got %s", expectedContentType, contentType) + return false + } + + return true + }) + + tlog.Logf(t, "Request passed") } diff --git a/test/e2e/tests/wasm_http.go b/test/e2e/tests/wasm_http.go index e5ef2e14c82..824e9b3d2f4 100644 --- a/test/e2e/tests/wasm_http.go +++ b/test/e2e/tests/wasm_http.go 
@@ -27,54 +27,16 @@ func init() { // HTTPWasmTest tests Wasm extension for an http route with HTTP Wasm configured. var HTTPWasmTest = suite.ConformanceTest{ - ShortName: "Wasm HTTP Code Source", + ShortName: "WasmHTTPCodeSource", Description: "Test Wasm extension that adds response headers", Manifests: []string{"testdata/wasm-http.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("http route with http wasm source", func(t *testing.T) { - ns := "gateway-conformance-infra" - routeNN := types.NamespacedName{Name: "http-with-http-wasm-source", Namespace: ns} - gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} - gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) - - ancestorRef := gwapiv1a2.ParentReference{ - Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(resource.KindGateway), - Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), - Name: gwapiv1.ObjectName(gwNN.Name), - } - EnvoyExtensionPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "http-wasm-source-test", Namespace: ns}, suite.ControllerName, ancestorRef) - - expectedResponse := http.ExpectedResponse{ - Request: http.Request{ - Host: "www.example.com", - Path: "/wasm-http", - }, - - // Set the expected request properties to empty strings. - // This is a workaround to avoid the test failure. - // These values can't be extracted from the json format response - // body because the test wasm code appends a "Hello, world" text - // to the response body, invalidating the json format. 
- ExpectedRequest: &http.ExpectedRequest{ - Request: http.Request{ - Host: "", - Method: "", - Path: "", - Headers: nil, - }, - }, - Namespace: "", - - Response: http.Response{ - StatusCode: 200, - Headers: map[string]string{ - "x-wasm-custom": "FOO", // response header added by wasm - }, - }, - } + testWasmHTTPCodeSource(t, suite, "http-with-http-wasm-source", "http-wasm-source-test", "/wasm-http") + }) - http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + t.Run("http route with http wasm source no sha", func(t *testing.T) { + testWasmHTTPCodeSource(t, suite, "http-with-http-wasm-source-no-sha", "http-wasm-source-test-no-sha", "/wasm-http-no-sha") }) t.Run("http route without wasm", func(t *testing.T) { 
@@ -115,3 +77,49 @@ var HTTPWasmTest = suite.ConformanceTest{ }) }, } + +func testWasmHTTPCodeSource(t *testing.T, suite *suite.ConformanceTestSuite, route, eep, path string) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: route, Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(resource.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + EnvoyExtensionPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: eep, Namespace: ns}, suite.ControllerName, ancestorRef) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: path, + }, + + // Set the expected request properties to empty strings. + // This is a workaround to avoid the test failure. + // These values can't be extracted from the json format response + // body because the test wasm code appends a "Hello, world" text + // to the response body, invalidating the json format. + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "", + Method: "", + Path: "", + Headers: nil, + }, + }, + Namespace: "", + + Response: http.Response{ + StatusCode: 200, + Headers: map[string]string{ + "x-wasm-custom": "FOO", // response header added by wasm + }, + }, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) +} diff --git a/test/e2e/tests/wasm_oci.go b/test/e2e/tests/wasm_oci.go index 4a6a53f6603..514ab937352 100644 --- a/test/e2e/tests/wasm_oci.go +++ b/test/e2e/tests/wasm_oci.go @@ -15,6 +15,7 @@ import ( "errors" "fmt" "io" + "net" "testing" "time" 
@@ -60,7 +61,7 @@ func init() { // OCIWasmTest tests Wasm extension for an http route with OCI Wasm configured. var OCIWasmTest = suite.ConformanceTest{ - ShortName: "Wasm OCI Image Code Source", + ShortName: "WasmOCIImageCodeSource", Description: "Test OCI Wasm extension", Manifests: []string{"testdata/wasm-oci.yaml", "testdata/wasm-oci-registry-test-server.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { @@ -70,7 +71,7 @@ var OCIWasmTest = suite.ConformanceTest{ if err != nil { t.Fatalf("failed to get registry IP: %v", err) } - registryAddr := fmt.Sprintf("%s:5000", registryIP) + registryAddr := net.JoinHostPort(registryIP, "5000") // Push the wasm image to the registry digest := pushWasmImageForTest(t, suite, registryAddr) diff --git a/test/helm/gateway-addons-helm/e2e.in.yaml b/test/helm/gateway-addons-helm/e2e.in.yaml index 93ce0d8d622..bf913c259a9 100644 --- a/test/helm/gateway-addons-helm/e2e.in.yaml +++ b/test/helm/gateway-addons-helm/e2e.in.yaml @@ -1,4 +1,8 @@ +alloy: + enabled: true grafana: enabled: false opentelemetry-collector: enabled: true +fluent-bit: + enabled: false diff --git a/test/helm/gateway-addons-helm/e2e.out.yaml b/test/helm/gateway-addons-helm/e2e.out.yaml index 1e7c8fda8ff..5a2f32ed2c8 100644 --- a/test/helm/gateway-addons-helm/e2e.out.yaml +++ b/test/helm/gateway-addons-helm/e2e.out.yaml 
@@ -1,16 +1,19 @@ --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/serviceaccount.yaml +# Source: gateway-addons-helm/charts/alloy/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: fluent-bit + name: alloy namespace: monitoring labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: rbac --- # Source: gateway-addons-helm/charts/loki/templates/serviceaccount.yaml apiVersion: v1 
@@ -69,73 +72,117 @@ metadata: app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/configmap.yaml +# Source: gateway-addons-helm/charts/alloy/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: fluent-bit - namespace: monitoring + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: config data: - custom_parsers.conf: | - [PARSER] - Name docker_no_time - Format json - Time_Keep Off - Time_Key time - Time_Format %Y-%m-%dT%H:%M:%S.%L + config.alloy: |- + // Write your Alloy config here: + logging { + level = "info" + format = "logfmt" + } + loki.write "alloy" { + endpoint { + url = "http://loki.monitoring.svc:3100/loki/api/v1/push" + } + } + // discovery.kubernetes allows you to find scrape targets from Kubernetes resources. + // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster. + discovery.kubernetes "pod" { + role = "pod" + } - fluent-bit.conf: | - [SERVICE] - Daemon Off - Flush 1 - Log_Level info - Parsers_File parsers.conf - Parsers_File custom_parsers.conf - HTTP_Server On - HTTP_Listen 0.0.0.0 - HTTP_Port 2020 - Health_Check On + // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules. + // If no rules are defined, then the input targets are exported as-is. 
+ discovery.relabel "pod_logs" { + targets = discovery.kubernetes.pod.targets - [INPUT] - Name tail - Path /var/log/containers/*.log - multiline.parser docker, cri - Tag kube.* - Mem_Buf_Limit 5MB - Skip_Long_Lines On + // Label creation - "namespace" field from "__meta_kubernetes_namespace" + rule { + source_labels = ["__meta_kubernetes_namespace"] + action = "replace" + target_label = "namespace" + } - [FILTER] - Name kubernetes - Match kube.* - Merge_Log On - Keep_Log Off - K8S-Logging.Parser On - K8S-Logging.Exclude On + // Label creation - "pod" field from "__meta_kubernetes_pod_name" + rule { + source_labels = ["__meta_kubernetes_pod_name"] + action = "replace" + target_label = "pod" + } - [FILTER] - Name grep - Match kube.* - Regex $kubernetes['container_name'] ^envoy$ + // Label creation - "container" field from "__meta_kubernetes_pod_container_name" + rule { + source_labels = ["__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "container" + } - [FILTER] - Name parser - Match kube.* - Key_Name log - Parser envoy - Reserve_Data True + // Label creation - "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name" + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"] + action = "replace" + target_label = "app" + } + + // Label creation - "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name + rule { + source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "job" + separator = "/" + replacement = "$1" + } - [OUTPUT] - Name loki - Match kube.* - Host loki.monitoring.svc.cluster.local - Port 3100 - Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name'] + // Label creation 
- "container" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log + rule { + source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "__path__" + separator = "/" + replacement = "/var/log/pods/*$1/*.log" + } + + // Label creation - "container_runtime" field from "__meta_kubernetes_pod_container_id" + rule { + source_labels = ["__meta_kubernetes_pod_container_id"] + action = "replace" + target_label = "container_runtime" + regex = "^(\\S+):\\/\\/.+$" + replacement = "$1" + } + } + + // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API. + loki.source.kubernetes "pod_logs" { + targets = discovery.relabel.pod_logs.output + forward_to = [loki.process.pod_logs.receiver] + } + // loki.process receives log entries from other Loki components, applies one or more processing stages, + // and forwards the results to the list of receivers in the component’s arguments. + loki.process "pod_logs" { + stage.static_labels { + values = { + cluster = "envoy-gateway", + } + } + + forward_to = [loki.write.alloy.receiver] + } --- # Source: gateway-addons-helm/charts/loki/templates/configmap.yaml apiVersion: v1 @@ -237,10 +284,10 @@ data: tls: insecure: true prometheus: - endpoint: 0.0.0.0:19001 + endpoint: '[${env:MY_POD_IP}]:19001' extensions: health_check: - endpoint: ${env:MY_POD_IP}:13133 + endpoint: '[${env:MY_POD_IP}]:13133' processors: attributes: actions: 
@@ -254,21 +301,21 @@ data: spike_limit_percentage: 25 receivers: datadog: - endpoint: ${env:MY_POD_IP}:8126 + endpoint: '[${env:MY_POD_IP}]:8126' jaeger: protocols: grpc: - endpoint: ${env:MY_POD_IP}:14250 + endpoint: '[${env:MY_POD_IP}]:14250' thrift_compact: - endpoint: ${env:MY_POD_IP}:6831 + endpoint: '[${env:MY_POD_IP}]:6831' thrift_http: - endpoint: ${env:MY_POD_IP}:14268 + endpoint: '[${env:MY_POD_IP}]:14268' otlp: protocols: grpc: - endpoint: ${env:MY_POD_IP}:4317 + endpoint: '[${env:MY_POD_IP}]:4317' http: - endpoint: ${env:MY_POD_IP}:4318 + endpoint: '[${env:MY_POD_IP}]:4318' prometheus: config: scrape_configs: @@ -276,9 +323,9 @@ data: scrape_interval: 10s static_configs: - targets: - - ${env:MY_POD_IP}:8888 + - '[${env:MY_POD_IP}]:8888' zipkin: - endpoint: ${env:MY_POD_IP}:9411 + endpoint: '[${env:MY_POD_IP}]:9411' service: extensions: - health_check @@ -311,7 +358,7 @@ data: - zipkin telemetry: metrics: - address: ${env:MY_POD_IP}:8888 + address: '[${env:MY_POD_IP}]:8888' --- # Source: gateway-addons-helm/charts/prometheus/templates/cm.yaml apiVersion: v1 
@@ -9298,27 +9345,105 @@ data: "uid": "f7aeb41676b7865cf31ae49691325f91" } --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/clusterrole.yaml +# Source: gateway-addons-helm/charts/alloy/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: fluent-bit + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: rbac rules: + # Rules which allow discovery.kubernetes to function. - apiGroups: - "" + - "discovery.k8s.io" + - "networking.k8s.io" resources: - - namespaces + - endpoints + - endpointslices + - ingresses + - nodes + - nodes/proxy + - nodes/metrics - pods + - services + verbs: + - get + - list + - watch + # Rules which allow loki.source.kubernetes and loki.source.podlogs to work. + - apiGroups: + - "" + resources: + - pods + - pods/log + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - "monitoring.grafana.com" + resources: + - podlogs + verbs: + - get + - list + - watch + # Rules which allow mimir.rules.kubernetes to work. + - apiGroups: ["monitoring.coreos.com"] + resources: + - prometheusrules + verbs: + - get + - list + - watch + - nonResourceURLs: + - /metrics + verbs: + - get + # Rules for prometheus.kubernetes.* + - apiGroups: ["monitoring.coreos.com"] + resources: + - podmonitors + - servicemonitors + - probes + verbs: + - get + - list + - watch + # Rules which allow eventhandler to work. 
+ - apiGroups: + - "" + resources: + - events verbs: - get - list - watch + # needed for remote.kubernetes.* + - apiGroups: [""] + resources: + - "configmaps" + - "secrets" + verbs: + - get + - list + - watch + # needed for otelcol.processor.k8sattributes + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] --- # Source: gateway-addons-helm/charts/prometheus/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -9372,24 +9497,27 @@ rules: verbs: - get --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/clusterrolebinding.yaml +# Source: gateway-addons-helm/charts/alloy/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: fluent-bit + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: rbac roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: fluent-bit + name: alloy subjects: - kind: ServiceAccount - name: fluent-bit + name: alloy namespace: monitoring --- # Source: gateway-addons-helm/charts/prometheus/templates/clusterrolebinding.yaml 
@@ -9414,28 +9542,31 @@ roleRef: kind: ClusterRole name: prometheus --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/service.yaml +# Source: gateway-addons-helm/charts/alloy/templates/service.yaml apiVersion: v1 kind: Service metadata: - name: fluent-bit - namespace: monitoring + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: networking spec: type: ClusterIP - ports: - - port: 2020 - targetPort: http - protocol: TCP - name: http selector: - app.kubernetes.io/name: fluent-bit + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm + internalTrafficPolicy: Cluster + ports: + - name: http-metrics + port: 12345 + targetPort: 12345 + protocol: "TCP" --- # Source: gateway-addons-helm/charts/loki/templates/service-memberlist.yaml apiVersion: v1 
@@ -9651,84 +9782,82 @@ spec: app.kubernetes.io/name: tempo app.kubernetes.io/instance: gateway-addons-helm --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/daemonset.yaml +# Source: gateway-addons-helm/charts/alloy/templates/controllers/daemonset.yaml apiVersion: apps/v1 kind: DaemonSet metadata: - name: fluent-bit - namespace: monitoring + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy spec: + minReadySeconds: 10 selector: matchLabels: - app.kubernetes.io/name: fluent-bit + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm template: metadata: annotations: - checksum/config: 03d122555879033ccf6443369f73463490b100f195550b1483d337f497c749e3 - checksum/luascripts: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - fluentbit.io/exclude: "true" - prometheus.io/path: /api/v1/metrics/prometheus - prometheus.io/port: "2020" - prometheus.io/scrape: "true" + kubectl.kubernetes.io/default-container: alloy labels: - app.kubernetes.io/name: fluent-bit + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm spec: - serviceAccountName: fluent-bit - hostNetwork: false - dnsPolicy: ClusterFirst + serviceAccountName: alloy containers: - - name: fluent-bit - image: "fluent/fluent-bit:2.1.4" - imagePullPolicy: Always + - name: alloy + image: docker.io/grafana/alloy:v1.4.3 + imagePullPolicy: IfNotPresent + args: + - run + - /etc/alloy/config.alloy + - --storage.path=/tmp/alloy + - --server.http.listen-addr=0.0.0.0:12345 + - --server.http.ui-path-prefix=/ + - --stability.level=generally-available + env: + - name: ALLOY_DEPLOY_MODE + value: "helm" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: 
spec.nodeName ports: - - name: http - containerPort: 2020 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http + - containerPort: 12345 + name: http-metrics readinessProbe: httpGet: - path: /api/v1/health - port: http + path: /-/ready + port: 12345 + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 volumeMounts: - - mountPath: /fluent-bit/etc/fluent-bit.conf - name: config - subPath: fluent-bit.conf - - mountPath: /fluent-bit/etc/custom_parsers.conf - name: config - subPath: custom_parsers.conf - - mountPath: /var/log - name: varlog - - mountPath: /var/lib/docker/containers - name: varlibdockercontainers - readOnly: true - - mountPath: /etc/machine-id - name: etcmachineid - readOnly: true + - name: config + mountPath: /etc/alloy + - name: config-reloader + image: ghcr.io/jimmidyson/configmap-reload:v0.12.0 + args: + - --volume-dir=/etc/alloy + - --webhook-url=http://localhost:12345/-/reload + volumeMounts: + - name: config + mountPath: /etc/alloy + resources: + requests: + cpu: 1m + memory: 5Mi + dnsPolicy: ClusterFirst volumes: - name: config configMap: - name: fluent-bit - - hostPath: - path: /var/log - name: varlog - - hostPath: - path: /var/lib/docker/containers - name: varlibdockercontainers - - hostPath: - path: /etc/machine-id - type: File - name: etcmachineid + name: alloy --- # Source: gateway-addons-helm/charts/opentelemetry-collector/templates/deployment.yaml apiVersion: apps/v1 @@ -9756,7 +9885,7 @@ spec: template: metadata: annotations: - checksum/config: 270a8503091b51a264317115cf6df46b4501b03fc135eca95b93dca57a522a70 + checksum/config: 77c11cf41a890ec6a75a644880450d53887eca3e37511c3139cf0b3e8ebbe1ee labels: app.kubernetes.io/name: opentelemetry-collector diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index f0c1e0d1309..37d0212f719 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml 
+++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -563,8 +563,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index ab0c09e3ed3..69f08e1dbb7 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -447,8 +447,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -578,8 +578,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 655c1b7fbeb..6e1b1846bae 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -563,8 +563,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 879ca6a2351..0bc5809337c 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml 
@@ -460,8 +460,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -591,8 +591,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 28eba2f209e..f99a89039d8 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 28375ac5bf0..3757e360d95 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -564,8 +564,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-securitycontext.in.yaml b/test/helm/gateway-helm/deployment-securitycontext.in.yaml new file mode 100644 index 00000000000..47b8d1cec23 --- /dev/null +++ b/test/helm/gateway-helm/deployment-securitycontext.in.yaml 
@@ -0,0 +1,32 @@ +global: + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always +deployment: + envoyGateway: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault +certgen: + job: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml new file mode 100644 index 00000000000..e98bd1e9730 --- /dev/null +++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml 
@@ -0,0 +1,574 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- 
apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: 
gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - deletecollection + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: 
gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + 
prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + 
"helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: 
docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index e401a1062ee..fb1e51f2209 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -434,8 +434,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 14129b666b6..ebcda594b19 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -436,8 +436,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -569,8 +569,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index 64676e18497..9d37bdffcde 100644 --- a/test/helm/gateway-helm/service-annotations.out.yaml 
+++ b/test/helm/gateway-helm/service-annotations.out.yaml @@ -434,8 +434,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/tools/crd-ref-docs/config.yaml b/tools/crd-ref-docs/config.yaml index f63d53b2bf0..c29ec42ff40 100644 --- a/tools/crd-ref-docs/config.yaml +++ b/tools/crd-ref-docs/config.yaml @@ -1,7 +1,7 @@ processor: # RE2 regular expressions describing types that should be excluded from the generated documentation. ignoreTypes: - - "(EnvoyProxy)List$" + - "(.+)List$" # RE2 regular expressions describing type fields that should be excluded from the generated documentation. ignoreFields: - "TypeMeta$" diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 1f5ad0cb8d0..5fef537da10 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -4,7 +4,7 @@ RUN mkdir -p /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot@sha256:26f9b99f2463f55f20db19feb4d96eb88b056e0f1be7016bb9296a464a89d772 +FROM gcr.io/distroless/static:nonroot@sha256:3a03fc0826340c7deb82d4755ca391bef5adcedb8892e58412e1a6008199fa91 ARG TARGETPLATFORM COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source --chown=65532:65532 /var/lib /var/lib diff --git a/tools/github-actions/setup-deps/action.yaml b/tools/github-actions/setup-deps/action.yaml index 7de23aac7ec..6dca9f5e1c3 100644 --- a/tools/github-actions/setup-deps/action.yaml +++ b/tools/github-actions/setup-deps/action.yaml 
@@ -6,7 +6,7 @@ runs: steps: - shell: bash run: sudo apt-get install libbtrfs-dev -y - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.1 + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.0.1 with: go-version: 1.23.x cache: true diff --git a/tools/make/common.mk b/tools/make/common.mk index 4d5d42a7626..4eca7ce06ec 100644 --- a/tools/make/common.mk +++ b/tools/make/common.mk @@ -79,6 +79,7 @@ include tools/make/kube.mk include tools/make/docs.mk include tools/make/helm.mk include tools/make/proto.mk +include tools/make/examples.mk # Log the running target LOG_TARGET = echo -e "\033[0;32m===========> Running $@ ... \033[0m" diff --git a/tools/make/examples.mk b/tools/make/examples.mk new file mode 100644 index 00000000000..5caf9846e63 --- /dev/null +++ b/tools/make/examples.mk @@ -0,0 +1,20 @@ + +EXAMPLE_APPS := grpc-ext-auth envoy-als grpc-ext-proc http-ext-auth preserve-case-backend +EXAMPLE_IMAGE_PREFIX ?= envoyproxy/gateway- +EXAMPLE_TAG ?= latest + +.PHONY: kube-build-examples-image +kube-build-examples-image: + @$(LOG_TARGET) + @for app in $(EXAMPLE_APPS); do \ + pushd $(ROOT_DIR)/examples/$$app; \ + make docker-buildx; \ + popd; \ + done + +.PHONY: kube-install-examples-image +kube-install-examples-image: kube-build-examples-image + @$(LOG_TARGET) + @for app in $(EXAMPLE_APPS); do \ + tools/hack/kind-load-image.sh $(EXAMPLE_IMAGE_PREFIX)$$app $(EXAMPLE_TAG); \ + done \ No newline at end of file diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 430084dc544..d53c1931360 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk 
@@ -132,7 +132,9 @@ experimental-conformance: create-cluster kube-install-image kube-deploy run-expe benchmark: create-cluster kube-install-image kube-deploy-for-benchmark-test run-benchmark delete-cluster ## Create a kind cluster, deploy EG into it, run Envoy Gateway benchmark test, and clean up. .PHONY: e2e -e2e: create-cluster kube-install-image kube-deploy install-ratelimit install-e2e-telemetry run-e2e delete-cluster +e2e: create-cluster kube-install-image kube-deploy \ + install-ratelimit install-eg-addons kube-install-examples-image \ + run-e2e delete-cluster .PHONY: install-ratelimit install-ratelimit: @@ -188,10 +190,10 @@ uninstall-benchmark-server: ## Uninstall nighthawk server for benchmark test kubectl delete configmap test-server-config -n benchmark-test kubectl delete namespace benchmark-test -.PHONY: install-e2e-telemetry -install-e2e-telemetry: helm-generate.gateway-addons-helm +.PHONY: install-eg-addons +install-eg-addons: helm-generate.gateway-addons-helm @$(LOG_TARGET) - helm upgrade -i eg-addons charts/gateway-addons-helm --set grafana.enabled=false,opentelemetry-collector.enabled=true -n monitoring --create-namespace --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs + helm upgrade -i eg-addons charts/gateway-addons-helm -f test/helm/gateway-addons-helm/e2e.in.yaml -n monitoring --create-namespace --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs # Change loki service type from ClusterIP to LoadBalancer kubectl patch service loki -n monitoring -p '{"spec": {"type": "LoadBalancer"}}' # Wait service Ready @@ -202,8 +204,8 @@ install-e2e-telemetry: helm-generate.gateway-addons-helm kubectl rollout restart -n monitoring deployment/otel-collector kubectl rollout status --watch --timeout=5m -n monitoring deployment/otel-collector -.PHONY: uninstall-e2e-telemetry -uninstall-e2e-telemetry: +.PHONY: uninstall-eg-addons +uninstall-eg-addons: @$(LOG_TARGET) helm delete $(shell helm list -n monitoring -q) -n monitoring 
@@ -249,16 +251,7 @@ generate-manifests: helm-generate.gateway-helm ## Generate Kubernetes release ma @$(call log, "Added: $(OUTPUT_DIR)/quickstart.yaml") .PHONY: generate-artifacts -generate-artifacts: generate-manifests generate-egctl-releases ## Generate release artifacts. +generate-artifacts: generate-manifests ## Generate release artifacts. @$(LOG_TARGET) cp -r $(ROOT_DIR)/release-notes/$(TAG).yaml $(OUTPUT_DIR)/release-notes.yaml @$(call log, "Added: $(OUTPUT_DIR)/release-notes.yaml") - -.PHONY: generate-egctl-releases -generate-egctl-releases: ## Generate egctl releases - @$(LOG_TARGET) - mkdir -p $(OUTPUT_DIR)/ - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_darwin_amd64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_darwin_amd64.tar.gz - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_darwin_arm64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_darwin_arm64.tar.gz - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_linux_amd64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_linux_amd64.tar.gz - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_linux_arm64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_linux_arm64.tar.gz diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index b2022d8afde..d8bea4a9f7c 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod 
@@ -2,15 +2,15 @@ module local go 1.23.1 -require github.com/bufbuild/buf v1.45.0 +require github.com/bufbuild/buf v1.46.0 require ( - buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 // indirect - buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 // indirect - buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 // indirect - buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 // indirect - buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 // indirect - buf.build/go/bufplugin v0.5.0 // indirect + buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1 // indirect + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1 // indirect + buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 // indirect + buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1 // indirect + buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1 // indirect + buf.build/go/bufplugin v0.6.0 // indirect buf.build/go/protoyaml v0.2.0 // indirect buf.build/go/spdx v0.2.0 // indirect connectrpc.com/connect v1.17.0 // indirect 
@@ -21,11 +21,11 @@ require ( github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect - github.com/bufbuild/protovalidate-go v0.7.2 // indirect + github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.22 // indirect + github.com/containerd/containerd v1.7.23 // indirect github.com/containerd/continuity v0.4.3 // indirect - github.com/containerd/errdefs v0.2.0 // indirect + github.com/containerd/errdefs v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect @@ -50,12 +50,12 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/cel-go v0.21.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d // indirect + github.com/google/pprof v0.0.0-20241017200806-017d972448fc // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jdx/go-netrc v1.0.0 // indirect - github.com/klauspost/compress v1.17.10 // indirect + github.com/klauspost/compress v1.17.11 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect 
@@ -77,7 +77,7 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/pkg/profile v1.7.0 // indirect github.com/quic-go/qpack v0.5.1 // indirect - github.com/quic-go/quic-go v0.47.0 // indirect + github.com/quic-go/quic-go v0.48.1 // indirect github.com/rogpeppe/go-internal v1.10.0 // indirect github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect @@ -94,19 +94,19 @@ require ( go.lsp.dev/protocol v0.12.0 // indirect go.lsp.dev/uri v0.3.0 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect - go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect + go.opentelemetry.io/otel v1.31.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect - go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.31.0 // indirect go.opentelemetry.io/otel/sdk v1.30.0 // indirect - go.opentelemetry.io/otel/trace v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.31.0 // indirect go.uber.org/atomic v1.11.0 // indirect - go.uber.org/mock v0.4.0 // indirect + go.uber.org/mock v0.5.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - go.uber.org/zap/exp v0.1.1-0.20240913022758-ede8e1888f83 // indirect + go.uber.org/zap/exp v0.3.0 // indirect golang.org/x/crypto v0.28.0 // indirect - golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 // indirect + golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect golang.org/x/mod v0.21.0 // indirect golang.org/x/net v0.30.0 // indirect golang.org/x/sync v0.8.0 // indirect 
@@ -117,7 +117,7 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect google.golang.org/grpc v1.67.1 // indirect - google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 // indirect + google.golang.org/protobuf v1.35.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect pluginrpc.com/pluginrpc v0.5.0 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index 6fb21576d0e..b2a67028e40 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -1,15 +1,15 @@ -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 h1:BQVQ0fcYgqpe6F/2ZPJUR1rTN+nwdrj2z7IAbAu9XAQ= -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2/go.mod h1:B+9TKHRYqoAUW57pLjhkLOnBCu0DQYMV+f7imQ9nXwI= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 h1:hl0FrmGlNpQZIGvU1/jDz0lsPDd0BhCE0QDRwPfLZcA= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 h1:p4A9QnhBrKjCquBt1mKqfO37QseLwgWqQp+Wb9ZjasE= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1/go.mod h1:7WtU+waNF+dyxDsuNaqmG3d0w3y2poNju8cvun1/jLs= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 h1:3sSS9z8k6zVe7rNNt9R6DN2fOFBVClEflmICIjbXwms= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 h1:oSi+Adw4xvIjXrW8eY8QGR3sBdfWeY5HN/RefnRt52M= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2/go.mod h1:GjH0gjlY/ns16X8d6eaXV2W+6IFwsO5Ly9WVnzyd1E0= -buf.build/go/bufplugin v0.5.0 h1:pmK1AloAMp+4woH5hEisK9qVmDdLySzIKexUUVZLJ2Q= -buf.build/go/bufplugin v0.5.0/go.mod h1:r7Y8tpqpErLtUXUecEgwAHnjihY03YbN0IaBFNJF/x0= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1 h1:O31Hu5Oho5suEWOD7FuMU9vfzeQT07ukTu4YuBVjLbw= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1/go.mod h1:rYPnjsUZ2lGpoQ/T322HWZQil9/MIZF2njP+/u/0GKg= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go 
v1.35.1-20240920164238-5a7b106cbb87.1 h1:9wP6ZZYWnF2Z0TxmII7m3XNykxnP4/w8oXeth6ekcRI= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1/go.mod h1:Duw/9JoXkXIydyASnLYIiufkzySThoqavOsF+IihqvM= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 h1:FHQXg3T7S2jp8yc7/bQJgqEH1yza/rrDHXITUK2Tm0g= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1/go.mod h1:5iwF5l+9lKCnvr1zLvDgUHrv6X+vU5nNPjvig1sbnao= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1 h1:PyqnJojY+BXNuJHp5aEfN9wPiP1dzrobXVmgLrUMe+A= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1/go.mod h1:x5Mti5bhMO87zJxCkcEbr7Lz+bHiFsqpxnpqSB1okG0= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1 h1:rPi3qs3qpDIXIl5QW2IPOaYZhppRkvuVKwEZrfhpy78= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1/go.mod h1:4IVMTaeh4JIjBYcGFLlTorfWpKVEXDjDfHAgKTeR0Ds= +buf.build/go/bufplugin v0.6.0 h1:3lhoh+0z+IUPS3ZajTPn/27LaLIkero2BDVnV7yXD1s= +buf.build/go/bufplugin v0.6.0/go.mod h1:hWCjxxv24xdR6F5pNlQavZV2oo0J3uF4Ff1XEoyV6vU= buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8= buf.build/go/protoyaml v0.2.0/go.mod h1:L/9QvTDkTWcDTzAL6HMfN+mYC6CmZRm2KnsUA054iL0= buf.build/go/spdx v0.2.0 h1:IItqM0/cMxvFJJumcBuP8NrsIzMs/UYjp/6WSpq8LTw= 
@@ -30,14 +30,14 @@ github.com/Microsoft/hcsshim v0.12.7 h1:MP6R1spmjxTE4EU4J3YsrTxn8CjvN9qwjTKJXldF github.com/Microsoft/hcsshim v0.12.7/go.mod h1:HPbAuJ9BvQYYZbB4yEQcyGIsTP5L4yHKeO9XO149AEM= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.45.0 h1:WdaM5OCjqEURmzOiz3h9gVilFXqWpt6X+zbOVqKti1A= -github.com/bufbuild/buf v1.45.0/go.mod h1:j+GjGIKS+CvubKtPiC0KpEiHAd3wS9/5sn2/U5WlA20= +github.com/bufbuild/buf v1.46.0 h1:QqlFiy2l0F+hhyTF9xm7j91E7ovGyZVnneG2y38F0rk= +github.com/bufbuild/buf v1.46.0/go.mod h1:oN16LKwdlgji2eHLn3R07dxnQjxm9Q0pdUor5VXj3H8= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ= -github.com/bufbuild/protovalidate-go v0.7.2 h1:UuvKyZHl5p7u3ztEjtRtqtDxOjRKX5VUOgKFq6p6ETk= -github.com/bufbuild/protovalidate-go v0.7.2/go.mod h1:PHV5pFuWlRzdDW02/cmVyNzdiQ+RNNwo7idGxdzS7o4= +github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576 h1:A4TfjZJqApnAvGKDgxHqA1rG6BK1OswyNcTcnSrDbJc= +github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576/go.mod h1:R/UFeIPyFAh0eH7Ic/JJbO2ABdkxFuZZKDbzsI5UiwM= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -54,12 +54,12 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.22 h1:nZuNnNRA6T6jB975rx2RRNqqH2k6ELYKDZfqTHqwyy0= -github.com/containerd/containerd v1.7.22/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g= +github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= +github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= -github.com/containerd/errdefs v0.2.0 h1:XllDESRfJtVrMwMmR2mCabxyvBK4UlbyyiWI3MvRw0o= -github.com/containerd/errdefs v0.2.0/go.mod h1:C28ixlj3dKhQS9hsQ13b+HIb4X7+s2G4FYhbSPcRDLM= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= 
@@ -147,8 +147,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d h1:Jaz2JzpQaQXyET0AjLBXShrthbpqMkhGiEfkcQAiAUs= -github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241017200806-017d972448fc h1:NGyrhhFhwvRAZg02jnYVg3GBQy0qGBKmFQJwaPmpmxs= +github.com/google/pprof v0.0.0-20241017200806-017d972448fc/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -165,8 +165,8 @@ github.com/jhump/protoreflect/v2 v2.0.0-beta.2/go.mod h1:4tnOYkB/mq7QTyS3YKtVtNr github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.10 h1:oXAz+Vh0PMUvJczoi+flxpnBEPxoER1IaAnU/NMPtT0= -github.com/klauspost/compress v1.17.10/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= @@ -225,8 +225,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= -github.com/quic-go/quic-go v0.47.0 h1:yXs3v7r2bm1wmPTYNLKAAJTHMYkPEsfYJmTazXrCZ7Y= -github.com/quic-go/quic-go v0.47.0/go.mod h1:3bCapYsJvXGZcipOHuu7plYtaV6tnF+z7wIFsU0WK9E= +github.com/quic-go/quic-go v0.48.1 h1:y/8xmfWI9qmGTc+lBr4jKRUWLGSlSigv847ULJ4hYXA= +github.com/quic-go/quic-go v0.48.1/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= 
@@ -270,44 +270,44 @@ go.lsp.dev/uri v0.3.0 h1:KcZJmh6nFIBeJzTugn5JTU6OOyG0lDOo3R9KwTxTYbo= go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0/go.mod h1:DQAwmETtZV00skUwgD6+0U89g80NKsJE3DCKeLLPQMI= -go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= -go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM= +go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= +go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= -go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= -go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= +go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= 
go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k= go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY= -go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= -go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= +go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= +go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU= -go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= +go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU= +go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -go.uber.org/zap/exp v0.1.1-0.20240913022758-ede8e1888f83 h1:wpjRiPjppWaUIH+GC0bRvsdaH2K4Dw49dEJa7MX01Mk= -go.uber.org/zap/exp 
v0.1.1-0.20240913022758-ede8e1888f83/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ= +go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U= +go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 h1:1wqE9dj9NpSm04INVsJhhEUzhuDVjbcyKH91sVyPATw= -golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8= +golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY= +golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -393,8 +393,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 h1:gqpvySYmKe3qf25lfA3WIEMTXBU+lfISbNkPH2BA844= -google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
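Review bot: in the go.mod hunk `@@ -117,7 +117,7 @@`, google.golang.org/protobuf moves from the pseudo-version `v1.34.3-0.20240906163944-03df6c145d96` to the tagged `v1.35.1`, and the go.sum hunk `@@ -393,8 +393,8 @@` carries the matching `h1:` entry while the `/go.mod` hash (`9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=`) is unchanged; that is consistent, but since the requirement is marked `// indirect`, please state in the commit message which direct dependency (buf v1.46.0 in the `@@ -30,14 +30,14 @@` hunk is the obvious candidate) forces the bump, so the change is not mistaken for a manual pin.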
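Review bot: the bufbuild/protovalidate-go change in the `@@ -30,14 +30,14 @@` hunk replaces the tagged `v0.7.2` with the pseudo-version `v0.7.3-0.20241015162221-1446f1e1d576`, i.e. an untagged commit; with an unreleased commit the go.sum `h1:` hash is the only thing that identifies what the tool build contains, so please record why the pseudo-version is required (whether the buf v1.46.0 bump in the same hunk pulls it in) and track replacing it with a tagged release once one exists.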
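Review bot: in the `@@ -270,44 +270,44 @@` hunk, go.opentelemetry.io/otel, otel/metric and otel/trace all move from v1.30.0 to v1.31.0, while the unchanged context line leaves go.opentelemetry.io/otel/sdk at v1.30.0; because go.sum can retain hashes for versions that are no longer selected, please confirm these entries are the output of `go mod tidy` in tools/src/buf and that the sdk/trace version skew is the resolved module graph rather than a stale line.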