diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index c00cb2e3211..dbbdbcd04ae 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -20,7 +20,7 @@ jobs: lint: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps # Generate the installation manifests first, so it can check # for errors while running `make -k lint` @@ -31,14 +31,14 @@ jobs: gen-check: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - run: make -k gen-check license-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - run: make -k licensecheck @@ -48,26 +48,26 @@ jobs: contents: read # for actions/checkout id-token: write # for fetching OIDC token steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps # test - name: Run Coverage Tests run: make go.test.coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: fail_ci_if_error: true files: ./coverage.xml name: codecov-envoy-gateway verbose: true - use_oidc: true + use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }} build: runs-on: ubuntu-latest needs: [lint, gen-check, license-check, coverage-test] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Build EG Multiarch Binaries @@ -87,7 +87,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries @@ -116,7 +116,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries @@ -143,7 +143,7 @@ jobs: if: ${{ ! startsWith(github.event_name, 'push') }} needs: [build] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -170,7 +170,7 @@ jobs: runs-on: ubuntu-latest needs: [conformance-test, e2e-test] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 90ad9f95da5..95262e597e5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,18 +32,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 + uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 + uses: github/codeql-action/autobuild@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 + uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index c30624a0493..57a8868ff7a 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: ref: ${{ github.event.pull_request.head.sha }} @@ -48,7 +48,7 @@ jobs: contents: write steps: - name: Git checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: submodules: true ref: ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index b45c7b8bf97..281bdbca9ae 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -21,7 +21,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps # gateway api experimental conformance diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 09a88ab41d5..875e0a508e5 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -22,7 +22,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -57,7 +57,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Generate Release Manifests diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 055050bcec0..ff3f8d31a02 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -16,11 +16,10 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Run scanner - uses: google/osv-scanner-action/osv-scanner-action@f0e6719deb666cd19a0b56bc56d01161bd848b4f # v1.8.5 + uses: google/osv-scanner-action/osv-scanner-action@19ec1116569a47416e11a45848722b1af31a857b # v1.9.0 with: - # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved scan-args: |- --skip-git --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 5c50d8f1a82..e43942d85c7 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -19,7 +19,7 @@ permissions: jobs: scan-scheduled: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # v1.8.5 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0 permissions: actions: read contents: read @@ -33,13 +33,12 @@ jobs: scan-pr: if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # v1.8.5 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0 permissions: actions: read contents: read security-events: write with: - # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved scan-args: |- --skip-git --recursive diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d173a875bf0..48de6eb9489 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,7 +15,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -50,7 +50,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Extract Release Tag and Commit SHA id: vars diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9c574f263df..88324734fb7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -21,7 +21,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: persist-credentials: false @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 + uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 with: sarif_file: results.sarif diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 24570e7f064..21c50d56902 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Build an image from Dockerfile run: | diff --git a/README.md b/README.md index 25fa9af8d94..2260a1fa72c 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,8 @@ [![OSV-Scanner](https://github.com/envoyproxy/gateway/actions/workflows/osv-scanner.yml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/osv-scanner.yml) [![Trivy](https://github.com/envoyproxy/gateway/actions/workflows/trivy.yml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/trivy.yml) +![Envoy Gateway Logo](https://github.com/cncf/artwork/blob/main/projects/envoy/envoy-gateway/horizontal/color/envoy-gateway-horizontal-color.svg) + Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. [Gateway API](https://gateway-api.sigs.k8s.io) resources are used to dynamically provision and configure the managed Envoy Proxies. diff --git a/api/v1alpha1/accesslogging_types.go b/api/v1alpha1/accesslogging_types.go index 3a3628e985f..edc19e97599 100644 --- a/api/v1alpha1/accesslogging_types.go +++ b/api/v1alpha1/accesslogging_types.go @@ -30,8 +30,30 @@ type ProxyAccessLogSetting struct { // +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MaxItems=50 Sinks []ProxyAccessLogSink `json:"sinks"` + // Type defines the component emitting the accesslog, such as Listener and Route. + // If type not defined, the setting would apply to: + // (1) All Routes. + // (2) Listeners if and only if Envoy does not find a matching route for a request. + // If type is defined, the accesslog settings would apply to the relevant component (as-is). + // +kubebuilder:validation:Enum=Listener;Route + // +optional + // +notImplementedHide + Type *ProxyAccessLogType `json:"type,omitempty"` } +type ProxyAccessLogType string + +const ( + // ProxyAccessLogTypeListener defines the accesslog for Listeners. + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log + ProxyAccessLogTypeListener ProxyAccessLogType = "Listener" + // ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes. + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log + ProxyAccessLogTypeRoute ProxyAccessLogType = "Route" +) + type ProxyAccessLogFormatType string const ( diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 2851cecf6d7..56e8d44e1b3 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -28,8 +28,11 @@ type Authorization struct { // AuthorizationRule defines a single authorization rule. type AuthorizationRule struct { // Name is a user-friendly name for the rule. - // If not specified, Envoy Gateway will generate a unique name for the rule.n + // If not specified, Envoy Gateway will generate a unique name for the rule. + // // +optional + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 Name *string `json:"name,omitempty"` // Action defines the action to be taken if the rule matches. @@ -45,7 +48,8 @@ type AuthorizationRule struct { // Principal specifies the client identity of a request. // A client identity can be a client IP, a JWT claim, username from the Authorization header, // or any other identity that can be extracted from a custom header. -// Currently, only the client IP is supported. + +// If there are multiple principal types, all principals must match for the rule to match. // // +kubebuilder:validation:XValidation:rule="(has(self.clientCIDRs) || has(self.jwt))",message="at least one of clientCIDRs or jwt must be specified" type Principal struct { @@ -60,7 +64,8 @@ type Principal struct { // You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in // the `ClientTrafficPolicy` to configure how the client IP is detected. // +optional - ClientCIDRs []CIDR `json:"clientCIDRs"` + // +kubebuilder:validation:MinItems=1 + ClientCIDRs []CIDR `json:"clientCIDRs,omitempty"` // JWT authorize the request based on the JWT claims and scopes. // Note: in order to use JWT claims for authorization, you must configure the @@ -76,12 +81,23 @@ type Principal struct { // // +kubebuilder:validation:XValidation:rule="(has(self.claims) || has(self.scopes))",message="at least one of claims or scopes must be specified" type JWTPrincipal struct { + // Provider is the name of the JWT provider that used to verify the JWT token. + // In order to use JWT claims for authorization, you must configure the JWT + // authentication with the same provider in the same `SecurityPolicy`. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Provider string `json:"provider"` + // Claims are the claims in a JWT token. // // If multiple claims are specified, all claims must match for the rule to match. // For example, if there are two claims: one for the audience and one for the issuer, // the rule will match only if both the audience and the issuer match. + // // +optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 Claims []JWTClaim `json:"claims,omitempty"` // Scopes are a special type of claim in a JWT token that represents the permissions of the client. @@ -90,8 +106,11 @@ type JWTPrincipal struct { // as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23. // // If multiple scopes are specified, all scopes must match for the rule to match. + // // +optional - Scopes []string `json:"scopes,omitempty"` + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 + Scopes []JWTScope `json:"scopes,omitempty"` } // JWTClaim specifies a claim in a JWT token. @@ -101,10 +120,14 @@ type JWTClaim struct { // represent the full path to the claim. // For example, if the claim is in the "department" field in the "organization" field, // the name should be "organization.department". + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 Name string `json:"name"` // ValueType is the type of the claim value. // Only String and StringArray types are supported for now. + // // +kubebuilder:validation:Enum=String;StringArray // +kubebuilder:default=String // +unionDiscriminator @@ -115,9 +138,16 @@ type JWTClaim struct { // If the claim is a string type, the specified value must match exactly. // If the claim is a string array type, the specified value must match one of the values in the array. // If multiple values are specified, one of the values must match for the rule to match. + // + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 Values []string `json:"values"` } +// +kubebuilder:validation:MinLength=1 +// +kubebuilder:validation:MaxLength=253 +type JWTScope string + type JWTClaimValueType string const ( diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go index 70a400015e9..4e6118e7035 100644 --- a/api/v1alpha1/backendtrafficpolicy_types.go +++ b/api/v1alpha1/backendtrafficpolicy_types.go @@ -69,6 +69,13 @@ type BackendTrafficPolicySpec struct { // +optional // +notImplementedHide Compression []*Compression `json:"compression,omitempty"` + + // ResponseOverride defines the configuration to override specific responses with a custom one. + // If multiple configurations are specified, the first one to match wins. + // + // +optional + // +notImplementedHide + ResponseOverride []*ResponseOverride `json:"responseOverride,omitempty"` } // +kubebuilder:object:root=true diff --git a/api/v1alpha1/envoyproxy_metric_types.go b/api/v1alpha1/envoyproxy_metric_types.go index 0e571ef23c9..f3fe7c3a5c0 100644 --- a/api/v1alpha1/envoyproxy_metric_types.go +++ b/api/v1alpha1/envoyproxy_metric_types.go @@ -27,11 +27,20 @@ type ProxyMetrics struct { Matches []StringMatch `json:"matches,omitempty"` // EnableVirtualHostStats enables envoy stat metrics for virtual hosts. - EnableVirtualHostStats bool `json:"enableVirtualHostStats,omitempty"` + // + // +optional + EnableVirtualHostStats *bool `json:"enableVirtualHostStats,omitempty"` // EnablePerEndpointStats enables per endpoint envoy stats metrics. // Please use with caution. - EnablePerEndpointStats bool `json:"enablePerEndpointStats,omitempty"` + // + // +optional + EnablePerEndpointStats *bool `json:"enablePerEndpointStats,omitempty"` + + // EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. + // + // +optional + EnableRequestResponseSizesStats *bool `json:"enableRequestResponseSizesStats,omitempty"` } // ProxyMetricSink defines the sink of metrics. diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 56440f096ca..48e3471c77d 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -609,3 +609,82 @@ type HTTP2Settings struct { // +optional OnInvalidMessage *InvalidMessageAction `json:"onInvalidMessage,omitempty"` } + +// ResponseOverride defines the configuration to override specific responses with a custom one. +type ResponseOverride struct { + // Match configuration. + Match CustomResponseMatch `json:"match"` + // Response configuration. + Response CustomResponse `json:"response"` +} + +// CustomResponseMatch defines the configuration for matching a user response to return a custom one. +type CustomResponseMatch struct { + // Status code to match on. The match evaluates to true if any of the matches are successful. + StatusCode []StatusCodeMatch `json:"statusCode"` +} + +// StatusCodeValueType defines the types of values for the status code match supported by Envoy Gateway. +// +kubebuilder:validation:Enum=Value;Range +type StatusCodeValueType string + +type StatusCodeMatch struct { + // Type is the type of value. + // + // +kubebuilder:default=Value + // +unionDiscriminator + Type *StatusCodeValueType `json:"type"` + + // Value contains the value of the status code. + // + // +optional + Value *string `json:"value,omitempty"` + // ValueRef contains the contents of the body + // specified as a local object reference. + // Only a reference to ConfigMap is supported. + // + // +optional + Range *StatusCodeRange `json:"range,omitempty"` +} + +// StatusCodeRange defines the configuration for define a range of status codes. +type StatusCodeRange struct { + // Start of the range, including the start value. + Start int `json:"start"` + // End of the range, including the end value. + End int `json:"end"` +} + +// CustomResponse defines the configuration for returning a custom response. +type CustomResponse struct { + // Content Type of the response. This will be set in the Content-Type header. + // + // +optional + ContentType *string `json:"contentType,omitempty"` + + // Body of the Custom Response + Body CustomResponseBody `json:"body"` +} + +// ResponseValueType defines the types of values for the response body supported by Envoy Gateway. +// +kubebuilder:validation:Enum=Inline;ValueRef +type ResponseValueType string + +// CustomResponseBody +type CustomResponseBody struct { + // Type is the type of method to use to read the body value. + // + // +unionDiscriminator + Type *ResponseValueType `json:"type"` + + // Inline contains the value as an inline string. + // + // +optional + Inline *string `json:"inline,omitempty"` + // ValueRef contains the contents of the body + // specified as a local object reference. + // Only a reference to ConfigMap is supported. + // + // +optional + ValueRef *gwapiv1.LocalObjectReference `json:"valueRef,omitempty"` +} diff --git a/api/v1alpha1/tracing_types.go b/api/v1alpha1/tracing_types.go index 55fd63ef4e9..293664cddba 100644 --- a/api/v1alpha1/tracing_types.go +++ b/api/v1alpha1/tracing_types.go @@ -26,6 +26,7 @@ type TracingProviderType string const ( TracingProviderTypeOpenTelemetry TracingProviderType = "OpenTelemetry" TracingProviderTypeZipkin TracingProviderType = "Zipkin" + TracingProviderTypeDatadog TracingProviderType = "Datadog" ) // TracingProvider defines the tracing provider configuration. @@ -37,7 +38,7 @@ const ( type TracingProvider struct { BackendCluster `json:",inline"` // Type defines the tracing provider type. - // +kubebuilder:validation:Enum=OpenTelemetry;Zipkin + // +kubebuilder:validation:Enum=OpenTelemetry;Zipkin;Datadog // +kubebuilder:default=OpenTelemetry Type TracingProviderType `json:"type"` // Host define the provider service hostname. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index d1c42376011..b6b944b3a14 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -556,6 +556,17 @@ func (in *BackendTrafficPolicySpec) DeepCopyInto(out *BackendTrafficPolicySpec) } } } + if in.ResponseOverride != nil { + in, out := &in.ResponseOverride, &out.ResponseOverride + *out = make([]*ResponseOverride, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(ResponseOverride) + (*in).DeepCopyInto(*out) + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicySpec. @@ -1124,6 +1135,79 @@ func (in *CustomHeaderExtensionSettings) DeepCopy() *CustomHeaderExtensionSettin return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomResponse) DeepCopyInto(out *CustomResponse) { + *out = *in + if in.ContentType != nil { + in, out := &in.ContentType, &out.ContentType + *out = new(string) + **out = **in + } + in.Body.DeepCopyInto(&out.Body) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponse. +func (in *CustomResponse) DeepCopy() *CustomResponse { + if in == nil { + return nil + } + out := new(CustomResponse) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomResponseBody) DeepCopyInto(out *CustomResponseBody) { + *out = *in + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(ResponseValueType) + **out = **in + } + if in.Inline != nil { + in, out := &in.Inline, &out.Inline + *out = new(string) + **out = **in + } + if in.ValueRef != nil { + in, out := &in.ValueRef, &out.ValueRef + *out = new(apisv1.LocalObjectReference) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponseBody. +func (in *CustomResponseBody) DeepCopy() *CustomResponseBody { + if in == nil { + return nil + } + out := new(CustomResponseBody) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomResponseMatch) DeepCopyInto(out *CustomResponseMatch) { + *out = *in + if in.StatusCode != nil { + in, out := &in.StatusCode, &out.StatusCode + *out = make([]StatusCodeMatch, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponseMatch. +func (in *CustomResponseMatch) DeepCopy() *CustomResponseMatch { + if in == nil { + return nil + } + out := new(CustomResponseMatch) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomTag) DeepCopyInto(out *CustomTag) { *out = *in @@ -3109,7 +3193,7 @@ func (in *JWTPrincipal) DeepCopyInto(out *JWTPrincipal) { } if in.Scopes != nil { in, out := &in.Scopes, &out.Scopes - *out = make([]string, len(*in)) + *out = make([]JWTScope, len(*in)) copy(*out, *in) } } @@ -4039,6 +4123,11 @@ func (in *ProxyAccessLogSetting) DeepCopyInto(out *ProxyAccessLogSetting) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(ProxyAccessLogType) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyAccessLogSetting. @@ -4177,6 +4266,21 @@ func (in *ProxyMetrics) DeepCopyInto(out *ProxyMetrics) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.EnableVirtualHostStats != nil { + in, out := &in.EnableVirtualHostStats, &out.EnableVirtualHostStats + *out = new(bool) + **out = **in + } + if in.EnablePerEndpointStats != nil { + in, out := &in.EnablePerEndpointStats, &out.EnablePerEndpointStats + *out = new(bool) + **out = **in + } + if in.EnableRequestResponseSizesStats != nil { + in, out := &in.EnableRequestResponseSizesStats, &out.EnableRequestResponseSizesStats + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyMetrics. @@ -4634,6 +4738,23 @@ func (in *RequestHeaderCustomTag) DeepCopy() *RequestHeaderCustomTag { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResponseOverride) DeepCopyInto(out *ResponseOverride) { + *out = *in + in.Match.DeepCopyInto(&out.Match) + in.Response.DeepCopyInto(&out.Response) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResponseOverride. +func (in *ResponseOverride) DeepCopy() *ResponseOverride { + if in == nil { + return nil + } + out := new(ResponseOverride) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Retry) DeepCopyInto(out *Retry) { *out = *in @@ -4884,6 +5005,51 @@ func (in *SourceMatch) DeepCopy() *SourceMatch { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StatusCodeMatch) DeepCopyInto(out *StatusCodeMatch) { + *out = *in + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(StatusCodeValueType) + **out = **in + } + if in.Value != nil { + in, out := &in.Value, &out.Value + *out = new(string) + **out = **in + } + if in.Range != nil { + in, out := &in.Range, &out.Range + *out = new(StatusCodeRange) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatusCodeMatch. +func (in *StatusCodeMatch) DeepCopy() *StatusCodeMatch { + if in == nil { + return nil + } + out := new(StatusCodeMatch) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StatusCodeRange) DeepCopyInto(out *StatusCodeRange) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatusCodeRange. +func (in *StatusCodeRange) DeepCopy() *StatusCodeRange { + if in == nil { + return nil + } + out := new(StatusCodeRange) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StringMatch) DeepCopyInto(out *StringMatch) { *out = *in diff --git a/charts/gateway-addons-helm/README.md b/charts/gateway-addons-helm/README.md index 43082172180..ccbd26b983d 100644 --- a/charts/gateway-addons-helm/README.md +++ b/charts/gateway-addons-helm/README.md @@ -84,6 +84,7 @@ To uninstall the chart: | grafana.enabled | bool | `true` | | | grafana.fullnameOverride | string | `"grafana"` | | | grafana.service.type | string | `"LoadBalancer"` | | +| grafana.testFramework.enabled | bool | `false` | | | loki.backend.replicas | int | `0` | | | loki.deploymentMode | string | `"SingleBinary"` | | | loki.enabled | bool | `true` | | diff --git a/charts/gateway-addons-helm/dashboards/global-ratelimit.json b/charts/gateway-addons-helm/dashboards/global-ratelimit.json new file mode 100644 index 00000000000..3242aa62b7b --- /dev/null +++ b/charts/gateway-addons-helm/dashboards/global-ratelimit.json @@ -0,0 +1,633 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Envoy Gateway monitoring Dashboard with exported metrics.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 6, + "links": [], + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 273, + "panels": [], + "title": "Global Ratelimit", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "The fraction of this program's available CPU time used by the GC since the program started.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "series", + "axisGridShow": false, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 25, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "miu" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 1 + }, + "id": 274, + "options": { + "legend": { + "calcs": [], + "displayMode": "hidden", + "placement": "right", + "showLegend": false + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(go_memstats_gc_cpu_fraction)*1000000", + "format": "time_series", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "CPU Fraction", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Resident memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 9, + "y": 1 + }, + "id": 291, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_resident_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Resident Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Virtual memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "percentage", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 16, + "y": 1 + }, + "id": 325, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_virtual_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Virtual Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of ratelimit rule hits in total", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 8 + }, + "id": 308, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_total_hits{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Total Hits", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits over the NearLimit ratio threshold (currently 80%) but under the threshold rate.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 8 + }, + "id": 326, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_near_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Near Limit", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits exceeding the threshold rate", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 8 + }, + "id": 327, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_over_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Over Limit", + "type": "stat" + } + ], + "refresh": "", + "schemaVersion": 39, + "tags": [ + "Control Plane" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": "envoy-gateway-system", + "value": "envoy-gateway-system" + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,namespace)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": { + "selected": true, + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,runner)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "Runner", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,runner)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "default/eg/http", + "value": "default/eg/http" + }, + "description": "DefaultDomain is set to default/eg/http", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DefaultDomain", + "options": [ + { + "selected": true, + "text": "default/eg/http", + "value": "default/eg/http" + } + ], + "query": "default/eg/http", + "skipUrlSync": false, + "type": "custom" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": {}, + "timezone": "browser", + "title": "Global Ratelimit", + "uid": "R2xvYmFsIFJhdGVsaW1pdAo", + "version": 4, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/gateway-addons-helm/values.yaml b/charts/gateway-addons-helm/values.yaml index fa98354c5f0..55a02b68255 100644 --- a/charts/gateway-addons-helm/values.yaml +++ b/charts/gateway-addons-helm/values.yaml @@ -10,6 +10,8 @@ grafana: type: prometheus url: http://prometheus adminPassword: admin + testFramework: + enabled: false service: type: LoadBalancer dashboardProviders: diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 2ef1455c1dc..a352ad78899 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md @@ -91,6 +91,7 @@ To uninstall the chart: | deployment.ports[3].name | string | `"metrics"` | | | deployment.ports[3].port | int | `19001` | | | deployment.ports[3].targetPort | int | `19001` | | +| deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | | global.images.envoyGateway.image | string | `nil` | | | global.images.envoyGateway.pullPolicy | string | `nil` | | @@ -100,4 +101,5 @@ To uninstall the chart: | global.images.ratelimit.pullSecrets | list | `[]` | | | kubernetesClusterDomain | string | `"cluster.local"` | | | podDisruptionBudget.minAvailable | int | `0` | | +| service.annotations | object | `{}` | | diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/charts/gateway-helm/crds/gatewayapi-crds.yaml index 8a50a1fa26a..f19c1adb3b4 100644 --- a/charts/gateway-helm/crds/gatewayapi-crds.yaml +++ b/charts/gateway-helm/crds/gatewayapi-crds.yaml @@ -24,9 +24,11 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null + labels: + gateway.networking.k8s.io/policy: Direct name: backendlbpolicies.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io @@ -77,7 +79,6 @@ spec: SessionPersistence defines and configures session persistence for the backend. - Support: Extended properties: absoluteTimeout: @@ -86,7 +87,6 @@ spec: session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -95,7 +95,6 @@ spec: CookieConfig provides configuration settings that are specific to cookie-based session persistence. - Support: Core properties: lifetimeType: @@ -107,20 +106,16 @@ spec: attributes, while a session cookie is deleted when the current session ends. - When set to "Permanent", AbsoluteTimeout indicates the cookie's lifetime via the Expires or Max-Age cookie attributes and is required. - When set to "Session", AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional. - Support: Core for "Session" type - Support: Extended for "Permanent" type enum: - Permanent @@ -133,7 +128,6 @@ spec: Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -144,7 +138,6 @@ spec: should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior. - Support: Implementation-specific maxLength: 128 type: string @@ -155,10 +148,8 @@ spec: the use a header or cookie. Defaults to cookie based session persistence. - Support: Core for "Cookie" type - Support: Extended for "Header" type enum: - Cookie @@ -168,8 +159,8 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' targetRefs: description: |- TargetRef identifies an API object to apply policy to. @@ -228,27 +219,22 @@ spec: the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. - Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. - Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. - Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. - If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced @@ -260,7 +246,6 @@ spec: PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. - Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and @@ -269,28 +254,23 @@ spec: SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. - In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. - Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. - For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. - Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. - This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: @@ -307,7 +287,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -317,14 +296,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -334,7 +310,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -344,7 +319,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -352,12 +326,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -365,7 +337,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -376,7 +347,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -386,18 +356,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -406,7 +373,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -417,7 +383,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -425,12 +390,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -440,7 +403,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -453,18 +415,8 @@ spec: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -506,12 +458,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -534,15 +481,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -581,7 +525,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null labels: @@ -631,6 +575,29 @@ spec: spec: description: Spec defines the desired state of BackendTLSPolicy. properties: + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. @@ -640,10 +607,8 @@ spec: by default, but this default may change in the future to provide a more granular application of the policy. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource items: description: |- @@ -653,7 +618,6 @@ spec: mode works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API. - Note: This should only be used for direct policy attachment when references to SectionName are actually needed. In all other cases, LocalPolicyTargetReference should be used. @@ -680,12 +644,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. @@ -710,26 +672,21 @@ spec: contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod. - If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If CACertifcateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation. - References to a resource in a different namespace are invalid for the moment, although we will revisit this in the future. - A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific. - Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named `ca.crt`. - Support: Implementation-specific (More than one reference, or other kinds of resources). items: @@ -739,7 +696,6 @@ spec: The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -775,23 +731,84 @@ spec: Hostname is used for two purposes in the connection between Gateways and backends: - 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - 2. Hostname MUST be used for authentication and MUST match the certificate - served by the matching backend. - + 2. If SubjectAltNames is not specified, Hostname MUST be used for + authentication and MUST match the certificate served by the matching + backend. Support: Core maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string + subjectAltNames: + description: |- + SubjectAltNames contains one or more Subject Alternative Names. + When specified, the certificate served from the backend MUST have at least one + Subject Alternate Name matching one of the specified SubjectAltNames. + + Support: Core + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: |- + Hostname contains Subject Alternative Name specified in DNS name format. + Required when Type is set to Hostname, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: |- + Type determines the format of the Subject Alternative Name. Always required. + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: |- + URI contains Subject Alternative Name specified in a full URI format. + It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. + Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + Required when Type is set to URI, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: '!(self.type == "Hostname" && (!has(self.hostname) || + self.hostname == ""))' + - message: SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: '!(self.type != "Hostname" && has(self.hostname) && + self.hostname != "")' + - message: SubjectAltName element must contain URI, if Type + is set to URI + rule: '!(self.type == "URI" && (!has(self.uri) || self.uri + == ""))' + - message: SubjectAltName element must not contain URI, if Type + is not set to URI + rule: '!(self.type != "URI" && has(self.uri) && self.uri != + "")' + maxItems: 5 + type: array wellKnownCACertificates: description: |- WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod. - If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If an @@ -799,7 +816,6 @@ spec: supplied is not supported, the Status Conditions on the Policy MUST be updated to include an Accepted: False Condition with Reason: Invalid. - Support: Implementation-specific enum: - System @@ -832,27 +848,22 @@ spec: the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. - Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. - Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. - Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. - If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced @@ -864,7 +875,6 @@ spec: PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. - Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and @@ -873,28 +883,23 @@ spec: SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. - In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. - Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. - For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. - Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. - This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: @@ -911,7 +916,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -921,14 +925,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -938,7 +939,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -948,7 +948,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -956,12 +955,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -969,7 +966,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -980,7 +976,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -990,18 +985,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -1010,7 +1002,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -1021,7 +1012,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -1029,12 +1019,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -1044,7 +1032,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -1057,18 +1044,8 @@ spec: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -1110,12 +1087,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1138,15 +1110,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -1185,7 +1154,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gatewayclasses.gateway.networking.k8s.io @@ -1223,7 +1192,6 @@ spec: GatewayClass describes a class of Gateways available to the user for creating Gateway resources. - It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not @@ -1232,13 +1200,11 @@ spec: If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. - Whenever one or more Gateways are using a GatewayClass, implementations SHOULD add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. - GatewayClass is a Cluster level resource. properties: apiVersion: @@ -1266,13 +1232,10 @@ spec: ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. - Example: "example.net/gateway-controller". - This field is not mutable and cannot be empty. - Support: Core maxLength: 253 minLength: 1 @@ -1291,21 +1254,19 @@ spec: parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. - ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. - - If the referent cannot be found, the GatewayClass's "InvalidParameters" - status condition will be true. - + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - Support: Implementation-specific properties: group: @@ -1346,13 +1307,12 @@ spec: conditions: - lastTransitionTime: "1970-01-01T00:00:00Z" message: Waiting for controller - reason: Waiting + reason: Pending status: Unknown type: Accepted description: |- Status defines the current state of GatewayClass. - Implementations MUST populate status on all GatewayClass resources which specify their controller name. properties: @@ -1367,20 +1327,11 @@ spec: Conditions is the current status from the controller for this GatewayClass. - Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition. items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -1421,12 +1372,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1445,15 +1391,22 @@ spec: supportedFeatures: description: | SupportedFeatures is the set of features the GatewayClass support. - It MUST be sorted in ascending alphabetical order. + It MUST be sorted in ascending alphabetical order by the Name key. items: - description: |- - SupportedFeature is used to describe distinct features that are covered by - conformance tests. - type: string + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. + type: string + required: + - name + type: object maxItems: 64 type: array - x-kubernetes-list-type: set + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object required: - spec @@ -1483,7 +1436,6 @@ spec: GatewayClass describes a class of Gateways available to the user for creating Gateway resources. - It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not @@ -1492,13 +1444,11 @@ spec: If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. - Whenever one or more Gateways are using a GatewayClass, implementations SHOULD add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. - GatewayClass is a Cluster level resource. properties: apiVersion: @@ -1526,13 +1476,10 @@ spec: ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. - Example: "example.net/gateway-controller". - This field is not mutable and cannot be empty. - Support: Core maxLength: 253 minLength: 1 @@ -1551,21 +1498,19 @@ spec: parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. - ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. - - If the referent cannot be found, the GatewayClass's "InvalidParameters" - status condition will be true. - + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - Support: Implementation-specific properties: group: @@ -1606,13 +1551,12 @@ spec: conditions: - lastTransitionTime: "1970-01-01T00:00:00Z" message: Waiting for controller - reason: Waiting + reason: Pending status: Unknown type: Accepted description: |- Status defines the current state of GatewayClass. - Implementations MUST populate status on all GatewayClass resources which specify their controller name. properties: @@ -1627,20 +1571,11 @@ spec: Conditions is the current status from the controller for this GatewayClass. - Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition. items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -1681,12 +1616,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1705,15 +1635,22 @@ spec: supportedFeatures: description: | SupportedFeatures is the set of features the GatewayClass support. - It MUST be sorted in ascending alphabetical order. + It MUST be sorted in ascending alphabetical order by the Name key. items: - description: |- - SupportedFeature is used to describe distinct features that are covered by - conformance tests. - type: string + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. + type: string + required: + - name + type: object maxItems: 64 type: array - x-kubernetes-list-type: set + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object required: - spec @@ -1737,7 +1674,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gateways.gateway.networking.k8s.io @@ -1801,27 +1738,22 @@ spec: requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. - The Addresses field represents a request for the address(es) on the "outside of the Gateway", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. - If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. - The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. - Support: Extended - items: description: GatewayAddress describes an address that can be bound to a Gateway. @@ -1852,7 +1784,6 @@ spec: Value of the address. The validity of the values will depend on the type and support by the controller. - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. maxLength: 253 minLength: 1 @@ -1874,6 +1805,72 @@ spec: - message: Hostname values must be unique rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, a2.type == a1.type && a2.value == a1.value) : true )' + backendTLS: + description: |+ + BackendTLS configures TLS settings for when this Gateway is connecting to + backends with TLS. + + Support: Core + + properties: + clientCertificateRef: + description: |+ + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a @@ -1882,13 +1879,10 @@ spec: minLength: 1 type: string infrastructure: - description: |+ + description: |- Infrastructure defines infrastructure level attributes about this Gateway instance. - - Support: Core - - + Support: Extended properties: annotations: additionalProperties: @@ -1903,56 +1897,74 @@ spec: description: |- Annotations that SHOULD be applied to any resources created in response to this Gateway. - For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. - An implementation may chose to add additional implementation-specific annotations as they see fit. - Support: Extended maxProperties: 8 type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) labels: additionalProperties: description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ type: string description: |- Labels that SHOULD be applied to any resources created in response to this Gateway. - For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. For other implementations, this refers to any relevant (implementation specific) "labels" concepts. - An implementation may chose to add additional implementation-specific labels as they see fit. + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. Support: Extended maxProperties: 8 type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) parametersRef: description: |- ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the Gateway. This is optional if the controller does not require any additional configuration. - This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis - The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - Support: Implementation-specific properties: group: @@ -1983,7 +1995,6 @@ spec: logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. - Each Listener in a set of Listeners (for example, in a single Gateway) MUST be _distinct_, in that a traffic flow MUST be able to be assigned to exactly one listener. (This section uses "set of Listeners" rather than @@ -1991,42 +2002,32 @@ spec: from multiple Gateways onto a single data plane, and these rules _also_ apply in that case). - Practically, this means that each listener in a set MUST have a unique combination of Port, Protocol, and, if supported by the protocol, Hostname. - Some combinations of port, protocol, and TLS settings are considered Core support and MUST be supported by implementations based on their targeted conformance profile: - HTTP Profile - 1. HTTPRoute, Port: 80, Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided - TLS Profile - 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough - "Distinct" Listeners have the following property: - The implementation can match inbound requests to a single distinct Listener. When multiple Listeners share values for fields (for example, two Listeners with the same Port value), the implementation can match requests to only one of the Listeners using other Listener fields. - For example, the following Listener scenarios are distinct: - 1. Multiple Listeners with the same Port that all use the "HTTP" Protocol that all have unique Hostname values. 2. Multiple Listeners with the same Port that use either the "HTTPS" or @@ -2034,45 +2035,37 @@ spec: 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener with the same Protocol has the same Port value. - Some fields in the Listener struct have possible values that affect whether the Listener is distinct. Hostname is particularly relevant for HTTP or HTTPS protocols. - When using the Hostname value to select between same-Port, same-Protocol Listeners, the Hostname value must be different on each Listener for the Listener to be distinct. - When the Listeners are distinct based on Hostname, inbound request hostnames MUST match from the most specific to least specific Hostname values to choose the correct Listener and its associated set of Routes. - Exact matches must be processed before wildcard matches, and wildcard matches must be processed before fallback (empty Hostname value) matches. For example, `"foo.example.com"` takes precedence over `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. - Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence. - The wildcard character will match any number of characters _and dots_ to the left, however, so `"*.example.com"` will match both `"foo.bar.example.com"` _and_ `"bar.example.com"`. - If a set of Listeners contains Listeners that are not distinct, then those Listeners are Conflicted, and the implementation MUST set the "Conflicted" condition in the Listener Status to "True". - Implementations MAY choose to accept a Gateway with some Conflicted Listeners only if they only accept the partial Listener set that contains no Conflicted Listeners. To put this another way, implementations may @@ -2082,7 +2075,6 @@ spec: Listener in this case, otherwise it violates the requirement that at least one Listener must be present. - The implementation MUST set a "ListenersNotValid" condition on the Gateway Status when the Gateway contains Conflicted Listeners whether or not they accept the Gateway. That Condition SHOULD clearly @@ -2090,26 +2082,21 @@ spec: Accepted. Additionally, the Listener status for those listeners SHOULD indicate which Listeners are conflicted and not Accepted. - A Gateway's Listeners are considered "compatible" if: - 1. They are distinct. 2. The implementation can serve them in compliance with the Addresses requirement that all Listeners are available on all assigned addresses. - Compatible combinations in Extended support are expected to vary across implementations. A combination that is compatible for one implementation may not be compatible for another. - For example, an implementation that cannot serve both TCP and UDP listeners on the same address, or cannot mix HTTPS and generic TLS listens on the same port would not consider those cases compatible, even though they are distinct. - Note that requests SHOULD match at most one Listener. For example, if Listeners are defined for "foo.example.com" and "*.example.com", a request to "foo.example.com" SHOULD only be routed using routes attached @@ -2117,11 +2104,9 @@ spec: This concept is known as "Listener Isolation". Implementations that do not support Listener Isolation MUST clearly document this. - Implementations MAY merge separate Gateways onto a single set of Addresses if all Listeners across all Gateways are compatible. - Support: Core items: description: |- @@ -2137,12 +2122,10 @@ spec: Listener and the trusted namespaces where those Route resources MAY be present. - Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: - * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of "2020-09-08 01:02:03" is given precedence over @@ -2151,7 +2134,6 @@ spec: alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. - All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, @@ -2159,7 +2141,6 @@ spec: example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. - Support: Core properties: kinds: @@ -2168,14 +2149,12 @@ spec: to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. - A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the "ResolvedRefs" condition to False for this Listener with the "InvalidRouteKinds" reason. - Support: Core items: description: RouteGroupKind indicates the group and kind @@ -2205,7 +2184,6 @@ spec: Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. - Support: Core properties: from: @@ -2214,13 +2192,11 @@ spec: From indicates where Routes will be selected for this Gateway. Possible values are: - * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. - Support: Core enum: - All @@ -2233,7 +2209,6 @@ spec: only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of "From". - Support: Core properties: matchExpressions: @@ -2288,11 +2263,9 @@ spec: field is ignored for protocols that don't require hostname based matching. - Implementations MUST apply Hostname matching appropriately for each of the following protocols: - * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP @@ -2300,19 +2273,16 @@ spec: ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. - For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - Support: Core maxLength: 253 minLength: 1 @@ -2323,7 +2293,6 @@ spec: Name is the name of the Listener. This name MUST be unique within a Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -2334,7 +2303,6 @@ spec: Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. - Support: Core format: int32 maximum: 65535 @@ -2344,11 +2312,10 @@ spec: description: |- Protocol specifies the network protocol this listener expects to receive. - Support: Core maxLength: 255 minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string tls: description: |- @@ -2356,15 +2323,12 @@ spec: the Protocol field is "HTTPS" or "TLS". It is invalid to set this field if the Protocol field is "HTTP", "TCP", or "UDP". - The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. - The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. - Support: Core properties: certificateRefs: @@ -2374,41 +2338,33 @@ spec: establish a TLS handshake for requests that match the hostname of the associated listener. - A single CertificateRef to a Kubernetes Secret has "Core" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. - References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the "ResolvedRefs" condition MUST be set to False for this listener with the "RefNotPermitted" reason. - This field is required to have at least one element when the mode is set to "Terminate" (default) and is optional otherwise. - CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - Support: Implementation-specific (More than one reference or other resource types) items: description: |- SecretObjectReference identifies an API object including its namespace, defaulting to Secret. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -2439,13 +2395,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -2464,10 +2418,8 @@ spec: that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific. - Support: Extended - properties: caCertificateRefs: description: |- @@ -2476,21 +2428,17 @@ spec: the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client. - A single CA certificate reference to a Kubernetes ConfigMap has "Core" support. Implementations MAY choose to support attaching multiple CA certificates to a Listener, but this behavior is implementation-specific. - Support: Core - A single reference to a Kubernetes ConfigMap with the CA certificate in a key named `ca.crt`. - Support: Implementation-specific (More than one reference, or other kinds of resources). - References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the @@ -2500,11 +2448,9 @@ spec: description: |- ObjectReference identifies an API object including its namespace. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -2533,13 +2479,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -2560,7 +2504,6 @@ spec: Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificates to be specified in some way, such as populating the certificateRefs @@ -2570,7 +2513,6 @@ spec: the ClientHello message of the TLS protocol. The certificateRefs field is ignored in this mode. - Support: Core enum: - Terminate @@ -2591,13 +2533,11 @@ spec: configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. - A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. - Support: Implementation-specific maxProperties: 16 type: object @@ -2660,16 +2600,13 @@ spec: Addresses lists the network addresses that have been bound to the Gateway. - This list may differ from the addresses provided in the spec under some conditions: - * no addresses are specified, all addresses are dynamically assigned * a combination of specified and dynamic addresses are assigned * a specified address was unusable (e.g. already in use) - items: description: GatewayStatusAddress describes a network address that is bound to a Gateway. @@ -2700,7 +2637,6 @@ spec: Value of the address. The validity of the values will depend on the type and support by the controller. - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. maxLength: 253 minLength: 1 @@ -2730,30 +2666,19 @@ spec: description: |- Conditions describe the current conditions of the Gateway. - Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. - Known condition types are: - * "Accepted" * "Programmed" * "Ready" items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -2794,12 +2719,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -2826,7 +2746,6 @@ spec: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. - Successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route's ParentRefs field. A Route is successfully attached to @@ -2839,7 +2758,6 @@ spec: for Listeners with condition Accepted: false and MUST count successfully attached Routes that may themselves have Accepted: false conditions. - Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. format: int32 @@ -2848,18 +2766,8 @@ spec: description: Conditions describe the current condition of this listener. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -2901,12 +2809,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -2935,7 +2838,6 @@ spec: listener. This MUST represent the kinds an implementation supports for that Listener configuration. - If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the "ResolvedRefs" condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -3028,27 +2930,22 @@ spec: requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. - The Addresses field represents a request for the address(es) on the "outside of the Gateway", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. - If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. - The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. - Support: Extended - items: description: GatewayAddress describes an address that can be bound to a Gateway. @@ -3079,7 +2976,6 @@ spec: Value of the address. The validity of the values will depend on the type and support by the controller. - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. maxLength: 253 minLength: 1 @@ -3101,6 +2997,72 @@ spec: - message: Hostname values must be unique rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, a2.type == a1.type && a2.value == a1.value) : true )' + backendTLS: + description: |+ + BackendTLS configures TLS settings for when this Gateway is connecting to + backends with TLS. + + Support: Core + + properties: + clientCertificateRef: + description: |+ + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a @@ -3109,13 +3071,10 @@ spec: minLength: 1 type: string infrastructure: - description: |+ + description: |- Infrastructure defines infrastructure level attributes about this Gateway instance. - - Support: Core - - + Support: Extended properties: annotations: additionalProperties: @@ -3130,56 +3089,74 @@ spec: description: |- Annotations that SHOULD be applied to any resources created in response to this Gateway. - For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. - An implementation may chose to add additional implementation-specific annotations as they see fit. - Support: Extended maxProperties: 8 type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) labels: additionalProperties: description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ type: string description: |- Labels that SHOULD be applied to any resources created in response to this Gateway. - For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. For other implementations, this refers to any relevant (implementation specific) "labels" concepts. - An implementation may chose to add additional implementation-specific labels as they see fit. + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. Support: Extended maxProperties: 8 type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) parametersRef: description: |- ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the Gateway. This is optional if the controller does not require any additional configuration. - This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis - The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - Support: Implementation-specific properties: group: @@ -3210,7 +3187,6 @@ spec: logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. - Each Listener in a set of Listeners (for example, in a single Gateway) MUST be _distinct_, in that a traffic flow MUST be able to be assigned to exactly one listener. (This section uses "set of Listeners" rather than @@ -3218,42 +3194,32 @@ spec: from multiple Gateways onto a single data plane, and these rules _also_ apply in that case). - Practically, this means that each listener in a set MUST have a unique combination of Port, Protocol, and, if supported by the protocol, Hostname. - Some combinations of port, protocol, and TLS settings are considered Core support and MUST be supported by implementations based on their targeted conformance profile: - HTTP Profile - 1. HTTPRoute, Port: 80, Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided - TLS Profile - 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough - "Distinct" Listeners have the following property: - The implementation can match inbound requests to a single distinct Listener. When multiple Listeners share values for fields (for example, two Listeners with the same Port value), the implementation can match requests to only one of the Listeners using other Listener fields. - For example, the following Listener scenarios are distinct: - 1. Multiple Listeners with the same Port that all use the "HTTP" Protocol that all have unique Hostname values. 2. Multiple Listeners with the same Port that use either the "HTTPS" or @@ -3261,45 +3227,37 @@ spec: 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener with the same Protocol has the same Port value. - Some fields in the Listener struct have possible values that affect whether the Listener is distinct. Hostname is particularly relevant for HTTP or HTTPS protocols. - When using the Hostname value to select between same-Port, same-Protocol Listeners, the Hostname value must be different on each Listener for the Listener to be distinct. - When the Listeners are distinct based on Hostname, inbound request hostnames MUST match from the most specific to least specific Hostname values to choose the correct Listener and its associated set of Routes. - Exact matches must be processed before wildcard matches, and wildcard matches must be processed before fallback (empty Hostname value) matches. For example, `"foo.example.com"` takes precedence over `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. - Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence. - The wildcard character will match any number of characters _and dots_ to the left, however, so `"*.example.com"` will match both `"foo.bar.example.com"` _and_ `"bar.example.com"`. - If a set of Listeners contains Listeners that are not distinct, then those Listeners are Conflicted, and the implementation MUST set the "Conflicted" condition in the Listener Status to "True". - Implementations MAY choose to accept a Gateway with some Conflicted Listeners only if they only accept the partial Listener set that contains no Conflicted Listeners. To put this another way, implementations may @@ -3309,7 +3267,6 @@ spec: Listener in this case, otherwise it violates the requirement that at least one Listener must be present. - The implementation MUST set a "ListenersNotValid" condition on the Gateway Status when the Gateway contains Conflicted Listeners whether or not they accept the Gateway. That Condition SHOULD clearly @@ -3317,26 +3274,21 @@ spec: Accepted. Additionally, the Listener status for those listeners SHOULD indicate which Listeners are conflicted and not Accepted. - A Gateway's Listeners are considered "compatible" if: - 1. They are distinct. 2. The implementation can serve them in compliance with the Addresses requirement that all Listeners are available on all assigned addresses. - Compatible combinations in Extended support are expected to vary across implementations. A combination that is compatible for one implementation may not be compatible for another. - For example, an implementation that cannot serve both TCP and UDP listeners on the same address, or cannot mix HTTPS and generic TLS listens on the same port would not consider those cases compatible, even though they are distinct. - Note that requests SHOULD match at most one Listener. For example, if Listeners are defined for "foo.example.com" and "*.example.com", a request to "foo.example.com" SHOULD only be routed using routes attached @@ -3344,11 +3296,9 @@ spec: This concept is known as "Listener Isolation". Implementations that do not support Listener Isolation MUST clearly document this. - Implementations MAY merge separate Gateways onto a single set of Addresses if all Listeners across all Gateways are compatible. - Support: Core items: description: |- @@ -3364,12 +3314,10 @@ spec: Listener and the trusted namespaces where those Route resources MAY be present. - Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: - * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of "2020-09-08 01:02:03" is given precedence over @@ -3378,7 +3326,6 @@ spec: alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. - All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, @@ -3386,7 +3333,6 @@ spec: example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. - Support: Core properties: kinds: @@ -3395,14 +3341,12 @@ spec: to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. - A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the "ResolvedRefs" condition to False for this Listener with the "InvalidRouteKinds" reason. - Support: Core items: description: RouteGroupKind indicates the group and kind @@ -3432,7 +3376,6 @@ spec: Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. - Support: Core properties: from: @@ -3441,13 +3384,11 @@ spec: From indicates where Routes will be selected for this Gateway. Possible values are: - * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. - Support: Core enum: - All @@ -3460,7 +3401,6 @@ spec: only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of "From". - Support: Core properties: matchExpressions: @@ -3515,11 +3455,9 @@ spec: field is ignored for protocols that don't require hostname based matching. - Implementations MUST apply Hostname matching appropriately for each of the following protocols: - * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP @@ -3527,19 +3465,16 @@ spec: ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. - For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - Support: Core maxLength: 253 minLength: 1 @@ -3550,7 +3485,6 @@ spec: Name is the name of the Listener. This name MUST be unique within a Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -3561,7 +3495,6 @@ spec: Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. - Support: Core format: int32 maximum: 65535 @@ -3571,11 +3504,10 @@ spec: description: |- Protocol specifies the network protocol this listener expects to receive. - Support: Core maxLength: 255 minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string tls: description: |- @@ -3583,15 +3515,12 @@ spec: the Protocol field is "HTTPS" or "TLS". It is invalid to set this field if the Protocol field is "HTTP", "TCP", or "UDP". - The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. - The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. - Support: Core properties: certificateRefs: @@ -3601,41 +3530,33 @@ spec: establish a TLS handshake for requests that match the hostname of the associated listener. - A single CertificateRef to a Kubernetes Secret has "Core" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. - References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the "ResolvedRefs" condition MUST be set to False for this listener with the "RefNotPermitted" reason. - This field is required to have at least one element when the mode is set to "Terminate" (default) and is optional otherwise. - CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - Support: Implementation-specific (More than one reference or other resource types) items: description: |- SecretObjectReference identifies an API object including its namespace, defaulting to Secret. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -3666,13 +3587,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -3691,10 +3610,8 @@ spec: that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific. - Support: Extended - properties: caCertificateRefs: description: |- @@ -3703,21 +3620,17 @@ spec: the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client. - A single CA certificate reference to a Kubernetes ConfigMap has "Core" support. Implementations MAY choose to support attaching multiple CA certificates to a Listener, but this behavior is implementation-specific. - Support: Core - A single reference to a Kubernetes ConfigMap with the CA certificate in a key named `ca.crt`. - Support: Implementation-specific (More than one reference, or other kinds of resources). - References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the @@ -3727,11 +3640,9 @@ spec: description: |- ObjectReference identifies an API object including its namespace. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -3760,13 +3671,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -3787,7 +3696,6 @@ spec: Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificates to be specified in some way, such as populating the certificateRefs @@ -3797,7 +3705,6 @@ spec: the ClientHello message of the TLS protocol. The certificateRefs field is ignored in this mode. - Support: Core enum: - Terminate @@ -3818,13 +3725,11 @@ spec: configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. - A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. - Support: Implementation-specific maxProperties: 16 type: object @@ -3887,16 +3792,13 @@ spec: Addresses lists the network addresses that have been bound to the Gateway. - This list may differ from the addresses provided in the spec under some conditions: - * no addresses are specified, all addresses are dynamically assigned * a combination of specified and dynamic addresses are assigned * a specified address was unusable (e.g. already in use) - items: description: GatewayStatusAddress describes a network address that is bound to a Gateway. @@ -3927,7 +3829,6 @@ spec: Value of the address. The validity of the values will depend on the type and support by the controller. - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. maxLength: 253 minLength: 1 @@ -3957,30 +3858,19 @@ spec: description: |- Conditions describe the current conditions of the Gateway. - Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. - Known condition types are: - * "Accepted" * "Programmed" * "Ready" items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -4021,12 +3911,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -4053,7 +3938,6 @@ spec: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. - Successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route's ParentRefs field. A Route is successfully attached to @@ -4066,7 +3950,6 @@ spec: for Listeners with condition Accepted: false and MUST count successfully attached Routes that may themselves have Accepted: false conditions. - Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. format: int32 @@ -4075,18 +3958,8 @@ spec: description: Conditions describe the current condition of this listener. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -4128,12 +4001,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -4162,7 +4030,6 @@ spec: listener. This MUST represent the kinds an implementation supports for that Listener configuration. - If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the "ResolvedRefs" condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -4223,7 +4090,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: grpcroutes.gateway.networking.k8s.io @@ -4254,14 +4121,12 @@ spec: Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. - GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word "MUST" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. - Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the @@ -4269,7 +4134,6 @@ spec: "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. - Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial @@ -4306,17 +4170,14 @@ spec: Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. - If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: - * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. @@ -4326,58 +4187,48 @@ spec: `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. - If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. - If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: - * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by "{namespace}/{name}". - The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - Hostname can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.example.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed. @@ -4400,21 +4251,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -4424,10 +4270,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -4435,14 +4279,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, @@ -4450,12 +4292,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -4466,22 +4306,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -4493,7 +4329,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -4503,14 +4338,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -4520,7 +4352,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -4530,7 +4361,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -4538,12 +4368,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -4551,7 +4379,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -4562,7 +4389,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -4572,18 +4398,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -4592,7 +4415,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -4603,7 +4425,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -4611,12 +4432,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -4626,7 +4445,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -4661,7 +4479,9 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of GRPC matchers, filters and actions. + description: |+ + Rules are a list of GRPC matchers, filters and actions. + items: description: |- GRPCRouteRule defines the semantics for matching a gRPC request based on @@ -4673,71 +4493,56 @@ spec: BackendRefs defines the backend(s) where matching requests should be sent. - Failure behavior here depends on how many BackendRefs are specified and how many are invalid. - If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. - See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. - When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. - For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. - Support: Core for Kubernetes Service - Support: Implementation-specific for any other resource - Support for weight: Core items: description: |- GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - properties: filters: @@ -4745,7 +4550,6 @@ spec: Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. - Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.) items: @@ -4764,10 +4568,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - Support: Implementation-specific - This filter can be used multiple times within the same rule. properties: group: @@ -4799,7 +4601,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -4808,18 +4609,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -4833,7 +4631,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -4865,18 +4662,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -4890,18 +4684,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -4915,7 +4706,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -4942,49 +4732,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: @@ -5001,20 +4784,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -5030,13 +4809,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -5060,15 +4837,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' responseHeaderModifier: description: |- ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -5077,18 +4895,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -5102,7 +4917,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -5134,18 +4948,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -5159,18 +4970,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -5184,7 +4992,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -5215,17 +5022,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations supporting GRPCRoute MUST support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core @@ -5233,16 +5037,13 @@ spec: is specified using the ExtensionRef field. `Type` MUST be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - enum: - ResponseHeaderModifier - RequestHeaderModifier @@ -5305,20 +5106,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -5334,13 +5131,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -5367,13 +5162,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 @@ -5393,32 +5186,26 @@ spec: Filters define the filters that are applied to requests that match this rule. - The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. - Conformance-levels at this level are defined based on the type of filter: - - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. - Specifying the same filter multiple times is not supported unless explicitly indicated in the filter. - If an implementation can not support a combination of filters, it must clearly document that limitation. In cases where incompatible or unsupported filters are specified and cause the `Accepted` condition to be set to status `False`, implementations may use the `IncompatibleFilters` reason to specify this configuration error. - Support: Core items: description: |- @@ -5436,10 +5223,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - Support: Implementation-specific - This filter can be used multiple times within the same rule. properties: group: @@ -5471,7 +5256,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -5480,18 +5264,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -5504,7 +5285,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -5536,18 +5316,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -5561,18 +5338,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -5585,7 +5359,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -5612,49 +5385,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: @@ -5671,20 +5437,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -5700,13 +5462,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -5730,15 +5490,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' responseHeaderModifier: description: |- ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -5747,18 +5548,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -5771,7 +5569,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -5803,18 +5600,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -5828,18 +5622,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -5852,7 +5643,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -5883,17 +5673,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations supporting GRPCRoute MUST support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core @@ -5901,16 +5688,13 @@ spec: is specified using the ExtensionRef field. `Type` MUST be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - enum: - ResponseHeaderModifier - RequestHeaderModifier @@ -5964,10 +5748,8 @@ spec: gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. - For example, take the following matches configuration: - ``` matches: - method: @@ -5979,44 +5761,35 @@ spec: service: foo.bar.v2 ``` - For a request to match against this rule, it MUST satisfy EITHER of the two conditions: - - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 - See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. - If no matches are specified, the implementation MUST match every gRPC request. - Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: - * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. - If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: - * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by "{namespace}/{name}". - If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria. @@ -6026,11 +5799,9 @@ spec: action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. - For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: - ``` matches: - method: @@ -6040,7 +5811,6 @@ spec: - name: "version" value "v1" - ``` properties: headers: @@ -6057,7 +5827,6 @@ spec: description: |- Name is the name of the gRPC Header to be matched. - If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -6100,7 +5869,6 @@ spec: Value of the method to match against. If left empty or omitted, will match all services. - At least one of Service and Method MUST be a non-empty string. maxLength: 1024 type: string @@ -6109,7 +5877,6 @@ spec: Value of the service to match against. If left empty or omitted, will match any service. - At least one of Service and Method MUST be a non-empty string. maxLength: 1024 type: string @@ -6119,10 +5886,8 @@ spec: Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) - Support: Implementation-specific (Exact with method specified but no service specified) - Support: Implementation-specific (RegularExpression) enum: - Exact @@ -6147,15 +5912,22 @@ spec: type: object maxItems: 8 type: array + name: + description: | + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string sessionPersistence: description: |+ SessionPersistence defines and configures session persistence for the route rule. - Support: Extended - properties: absoluteTimeout: description: |- @@ -6163,7 +5935,6 @@ spec: session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -6172,7 +5943,6 @@ spec: CookieConfig provides configuration settings that are specific to cookie-based session persistence. - Support: Core properties: lifetimeType: @@ -6184,20 +5954,16 @@ spec: attributes, while a session cookie is deleted when the current session ends. - When set to "Permanent", AbsoluteTimeout indicates the cookie's lifetime via the Expires or Max-Age cookie attributes and is required. - When set to "Session", AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional. - Support: Core for "Session" type - Support: Extended for "Permanent" type enum: - Permanent @@ -6210,7 +5976,6 @@ spec: Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -6221,7 +5986,6 @@ spec: should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior. - Support: Implementation-specific maxLength: 128 type: string @@ -6232,10 +5996,8 @@ spec: the use a header or cookie. Defaults to cookie based session persistence. - Support: Core for "Cookie" type - Support: Extended for "Header" type enum: - Cookie @@ -6245,11 +6007,35 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' type: object maxItems: 16 type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size() + : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size() + : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size() + : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size() + : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size() + : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size() + : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size() + : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size() + : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size() + : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size() + : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size() + : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size() + : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size() + : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size() + : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size() + : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size() + : 0) : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) type: object status: description: Status defines the current state of GRPCRoute. @@ -6263,13 +6049,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: @@ -6283,38 +6067,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -6356,12 +6126,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -6384,15 +6149,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -6413,7 +6175,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6423,14 +6184,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -6440,7 +6198,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -6450,7 +6207,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -6458,12 +6214,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -6471,7 +6225,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -6482,7 +6235,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -6492,18 +6244,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -6512,7 +6261,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -6523,7 +6271,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -6531,12 +6278,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -6546,7 +6291,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -6569,2331 +6313,6 @@ spec: storage: true subresources: status: {} - - deprecated: true - deprecationWarning: The v1alpha2 version of GRPCRoute has been deprecated and - will be removed in a future release of the API. Please upgrade to v1. - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - GRPCRoute provides a way to route gRPC requests. This includes the capability - to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. - Filters can be used to specify additional processing steps. Backends specify - where matching requests will be routed. - - - GRPCRoute falls under extended support within the Gateway API. Within the - following specification, the word "MUST" indicates that an implementation - supporting GRPCRoute must conform to the indicated requirement, but an - implementation not supporting this route type need not follow the requirement - unless explicitly indicated. - - - Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST - accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via - ALPN. If the implementation does not support this, then it MUST set the - "Accepted" condition to "False" for the affected listener with a reason of - "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections - with an upgrade from HTTP/1. - - - Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST - support HTTP/2 over cleartext TCP (h2c, - https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial - upgrade from HTTP/1.1, i.e. with prior knowledge - (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation - does not support this, then it MUST set the "Accepted" condition to "False" - for the affected listener with a reason of "UnsupportedProtocol". - Implementations MAY also accept HTTP/2 connections with an upgrade from - HTTP/1, i.e. without prior knowledge. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of GRPCRoute. - properties: - hostnames: - description: |- - Hostnames defines a set of hostnames to match against the GRPC - Host header to select a GRPCRoute to process the request. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label MUST appear by itself as the first label. - - - If a hostname is specified by both the Listener and GRPCRoute, there - MUST be at least one intersecting hostname for the GRPCRoute to be - attached to the Listener. For example: - - - * A Listener with `test.example.com` as the hostname matches GRPCRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches GRPCRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. - - - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - - - If both the Listener and GRPCRoute have specified hostnames, any - GRPCRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - GRPCRoute specified `test.example.com` and `test.example.net`, - `test.example.net` MUST NOT be considered for a match. - - - If both the Listener and GRPCRoute have specified hostnames, and none - match with the criteria above, then the GRPCRoute MUST NOT be accepted by - the implementation. The implementation MUST raise an 'Accepted' Condition - with a status of `False` in the corresponding RouteParentStatus. - - - If a Route (A) of type HTTPRoute or GRPCRoute is attached to a - Listener and that listener already has another Route (B) of the other - type attached and the intersection of the hostnames of A and B is - non-empty, then the implementation MUST accept exactly one of these two - routes, determined by the following criteria, in order: - - - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". - - - The rejected Route MUST raise an 'Accepted' condition with a status of - 'False' in the corresponding RouteParentStatus. - - - Support: Core - items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 16 - type: array - parentRefs: - description: |+ - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. - - - There are two kinds of parent resources with "Core" support: - - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - - This API may be extended in the future to support additional kinds of parent - resources. - - - ParentRefs must be _distinct_. This means either that: - - - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. - - - Some examples: - - - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. - - - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. - - - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. - - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - - - - - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: - - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - - This API may be extended in the future to support additional kinds of parent - resources. - - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - - There are two kinds of parent resources with "Core" support: - - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - description: Rules are a list of GRPC matchers, filters and actions. - items: - description: |- - GRPCRouteRule defines the semantics for matching a gRPC request based on - conditions (matches), processing it (filters), and forwarding the request to - an API object (backendRefs). - properties: - backendRefs: - description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. - - - Failure behavior here depends on how many BackendRefs are specified and - how many are invalid. - - - If *all* entries in BackendRefs are invalid, and there are also no filters - specified in this route rule, *all* traffic which matches this rule MUST - receive an `UNAVAILABLE` status. - - - See the GRPCBackendRef definition for the rules about what makes a single - GRPCBackendRef invalid. - - - When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for - requests that would have otherwise been routed to an invalid backend. If - multiple backends are specified, and some are invalid, the proportion of - requests that would otherwise have been routed to an invalid backend - MUST receive an `UNAVAILABLE` status. - - - For example, if two backends are specified with equal weights, and one is - invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. - Implementations may choose how that 50 percent is determined. - - - Support: Core for Kubernetes Service - - - Support: Implementation-specific for any other resource - - - Support for weight: Core - items: - description: |- - GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. - - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - - - - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. - - - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. - - - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. - - - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - - - properties: - filters: - description: |- - Filters defined at this level MUST be executed if and only if the - request is being forwarded to the backend defined here. - - - Support: Implementation-specific (For broader support of filters, use the - Filters field in GRPCRouteRule.) - items: - description: |- - GRPCRouteFilter defines processing steps that must be completed during the - request or response lifecycle. GRPCRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - - Support: Implementation-specific - - - This filter can be used multiple times within the same rule. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - add: - - name: "my-header" - value: "bar,baz" - - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - - Config: - remove: ["my-header1", "my-header3"] - - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - set: - - name: "my-header" - value: "bar" - - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - - Support: Extended for Kubernetes Service - - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - - Defaults to "Service" when not specified. - - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - - Support: Core (Services with a type other than ExternalName) - - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - required: - - backendRef - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - add: - - name: "my-header" - value: "bar,baz" - - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - - Config: - remove: ["my-header1", "my-header3"] - - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - set: - - name: "my-header" - value: "bar" - - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |+ - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations supporting GRPCRoute MUST support core filters. - - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - - Implementation-specific: Filters that are defined and supported by specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` MUST be set to - "ExtensionRef" for custom filters. - - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - - - enum: - - ResponseHeaderModifier - - RequestHeaderModifier - - RequestMirror - - ExtensionRef - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil - if the filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type - != ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type - == ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil - if the filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type - != ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for - RequestMirror filter.type - rule: '!(!has(self.requestMirror) && self.type == - ''RequestMirror'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for - ExtensionRef filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - - Defaults to "Service" when not specified. - - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - - Support: Core (Services with a type other than ExternalName) - - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - type: array - filters: - description: |- - Filters define the filters that are applied to requests that match - this rule. - - - The effects of ordering of multiple behaviors are currently unspecified. - This can change in the future based on feedback during the alpha stage. - - - Conformance-levels at this level are defined based on the type of filter: - - - - ALL core filters MUST be supported by all implementations that support - GRPCRoute. - - Implementers are encouraged to support extended filters. - - Implementation-specific custom filters have no API guarantees across - implementations. - - - Specifying the same filter multiple times is not supported unless explicitly - indicated in the filter. - - - If an implementation can not support a combination of filters, it must clearly - document that limitation. In cases where incompatible or unsupported - filters are specified and cause the `Accepted` condition to be set to status - `False`, implementations may use the `IncompatibleFilters` reason to specify - this configuration error. - - - Support: Core - items: - description: |- - GRPCRouteFilter defines processing steps that must be completed during the - request or response lifecycle. GRPCRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - - Support: Implementation-specific - - - This filter can be used multiple times within the same rule. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - add: - - name: "my-header" - value: "bar,baz" - - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - - Config: - remove: ["my-header1", "my-header3"] - - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - set: - - name: "my-header" - value: "bar" - - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - - Support: Extended for Kubernetes Service - - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - - Defaults to "Service" when not specified. - - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - - Support: Core (Services with a type other than ExternalName) - - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - required: - - backendRef - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - add: - - name: "my-header" - value: "bar,baz" - - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - - Config: - remove: ["my-header1", "my-header3"] - - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - set: - - name: "my-header" - value: "bar" - - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |+ - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations supporting GRPCRoute MUST support core filters. - - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - - Implementation-specific: Filters that are defined and supported by specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` MUST be set to - "ExtensionRef" for custom filters. - - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - - - enum: - - ResponseHeaderModifier - - RequestHeaderModifier - - RequestMirror - - ExtensionRef - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil if the - filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type != - ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type == - ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil if the - filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type != - ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for RequestMirror - filter.type - rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for ExtensionRef - filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - matches: - description: |- - Matches define conditions used for matching the rule against incoming - gRPC requests. Each match is independent, i.e. this rule will be matched - if **any** one of the matches is satisfied. - - - For example, take the following matches configuration: - - - ``` - matches: - - method: - service: foo.bar - headers: - values: - version: 2 - - method: - service: foo.bar.v2 - ``` - - - For a request to match against this rule, it MUST satisfy - EITHER of the two conditions: - - - - service of foo.bar AND contains the header `version: 2` - - service of foo.bar.v2 - - - See the documentation for GRPCRouteMatch on how to specify multiple - match conditions to be ANDed together. - - - If no matches are specified, the implementation MUST match every gRPC request. - - - Proxy or Load Balancer routing configuration generated from GRPCRoutes - MUST prioritize rules based on the following criteria, continuing on - ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. - Precedence MUST be given to the rule with the largest number of: - - - * Characters in a matching non-wildcard hostname. - * Characters in a matching hostname. - * Characters in a matching service. - * Characters in a matching method. - * Header matches. - - - If ties still exist across multiple Routes, matching precedence MUST be - determined in order of the following criteria, continuing on ties: - - - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". - - - If ties still exist within the Route that has been given precedence, - matching precedence MUST be granted to the first matching rule meeting - the above criteria. - items: - description: |- - GRPCRouteMatch defines the predicate used to match requests to a given - action. Multiple match types are ANDed together, i.e. the match will - evaluate to true only if all conditions are satisfied. - - - For example, the match below will match a gRPC request only if its service - is `foo` AND it contains the `version: v1` header: - - - ``` - matches: - - method: - type: Exact - service: "foo" - headers: - - name: "version" - value "v1" - - - ``` - properties: - headers: - description: |- - Headers specifies gRPC request header matchers. Multiple match values are - ANDed together, meaning, a request MUST match all the specified headers - to select the route. - items: - description: |- - GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request - headers. - properties: - name: - description: |- - Name is the name of the gRPC Header to be matched. - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: Type specifies how to match against - the value of the header. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of the gRPC Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - method: - description: |- - Method specifies a gRPC request service/method matcher. If this field is - not specified, all services and methods will match. - properties: - method: - description: |- - Value of the method to match against. If left empty or omitted, will - match all services. - - - At least one of Service and Method MUST be a non-empty string. - maxLength: 1024 - type: string - service: - description: |- - Value of the service to match against. If left empty or omitted, will - match any service. - - - At least one of Service and Method MUST be a non-empty string. - maxLength: 1024 - type: string - type: - default: Exact - description: |- - Type specifies how to match against the service and/or method. - Support: Core (Exact with service and method specified) - - - Support: Implementation-specific (Exact with method specified but no service specified) - - - Support: Implementation-specific (RegularExpression) - enum: - - Exact - - RegularExpression - type: string - type: object - x-kubernetes-validations: - - message: One or both of 'service' or 'method' must be - specified - rule: 'has(self.type) ? has(self.service) || has(self.method) - : true' - - message: service must only contain valid characters - (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) - rule: '(!has(self.type) || self.type == ''Exact'') && - has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): - true' - - message: method must only contain valid characters (matching - ^[A-Za-z_][A-Za-z_0-9]*$) - rule: '(!has(self.type) || self.type == ''Exact'') && - has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): - true' - type: object - maxItems: 8 - type: array - sessionPersistence: - description: |+ - SessionPersistence defines and configures session persistence - for the route rule. - - - Support: Extended - - - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. - - - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. - - - Support: Core - properties: - lifetimeType: - default: Session - description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. - - - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. - - - When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. - - - Support: Core for "Session" type - - - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. - - - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. - - - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. - - - Support: Core for "Cookie" type - - - Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' - type: object - maxItems: 16 - type: array - type: object - status: - description: Status defines the current state of GRPCRoute. - properties: - parents: - description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. - - - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. - items: - description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. - properties: - conditions: - description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. - - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. - - - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: - - - * The Route refers to a non-existent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - - Example: "example.net/gateway-controller". - - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - - There are two kinds of parent resources with "Core" support: - - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - required: - - controllerName - - parentRef - type: object - maxItems: 32 - type: array - required: - - parents - type: object - type: object - served: true - storage: false status: acceptedNames: kind: "" @@ -8909,7 +6328,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: httproutes.gateway.networking.k8s.io @@ -8968,21 +6387,17 @@ spec: performing a match and (absent of any applicable header modification configuration) MUST forward this header unmodified to the backend. - Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: - * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. @@ -8993,55 +6408,45 @@ spec: all match. On the other hand, `example.com` and `test.example.net` would not match. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. - If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. - In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: - * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. - If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - Hostname can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.example.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed. @@ -9064,21 +6469,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -9088,10 +6488,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -9099,14 +6497,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, @@ -9114,12 +6510,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -9130,22 +6524,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -9157,7 +6547,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -9167,14 +6556,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -9184,7 +6570,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -9194,7 +6579,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -9202,12 +6586,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -9215,7 +6597,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -9226,7 +6607,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -9236,18 +6616,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -9256,7 +6633,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -9267,7 +6643,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -9275,12 +6650,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -9290,7 +6663,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -9330,7 +6702,9 @@ spec: - path: type: PathPrefix value: / - description: Rules are a list of HTTP matchers, filters and actions. + description: |+ + Rules are a list of HTTP matchers, filters and actions. + items: description: |- HTTPRouteRule defines semantics for matching an HTTP request based on @@ -9342,74 +6716,63 @@ spec: BackendRefs defines the backend(s) where matching requests should be sent. - Failure behavior here depends on how many BackendRefs are specified and how many are invalid. - If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. - See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. - When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. - For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Core items: description: |- HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - properties: filters: @@ -9417,7 +6780,6 @@ spec: Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. - Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.) items: @@ -9436,10 +6798,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - This filter can be used multiple times within the same rule. - Support: Implementation-specific properties: group: @@ -9471,7 +6831,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -9480,18 +6839,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -9505,7 +6861,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -9537,18 +6892,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -9562,18 +6914,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -9587,7 +6936,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -9614,49 +6962,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: @@ -9673,20 +7014,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -9702,13 +7039,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -9732,15 +7067,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' requestRedirect: description: |- RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. - Support: Core properties: hostname: @@ -9749,7 +7125,6 @@ spec: header in the response. When empty, the hostname in the `Host` header of the request is used. - Support: Core maxLength: 253 minLength: 1 @@ -9761,7 +7136,6 @@ spec: The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. - Support: Extended properties: replaceFullPath: @@ -9777,32 +7151,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -9810,11 +7169,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -9847,11 +7204,9 @@ spec: Port is the port to be used in the value of the `Location` header in the response. - If no port is specified, the redirect port MUST be derived using the following rules: - * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a @@ -9859,17 +7214,14 @@ spec: * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. - Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: - * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. - Support: Extended format: int32 maximum: 65535 @@ -9880,20 +7232,16 @@ spec: Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. - Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Extended enum: - http @@ -9904,16 +7252,13 @@ spec: description: |- StatusCode is the HTTP status code to be used in response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Core enum: - 301 @@ -9925,7 +7270,6 @@ spec: ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -9934,18 +7278,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -9959,7 +7300,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -9991,18 +7331,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -10016,18 +7353,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -10041,7 +7375,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -10072,17 +7405,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations must support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple @@ -10091,20 +7421,16 @@ spec: is specified using the ExtensionRef field. `Type` should be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -10120,7 +7446,6 @@ spec: description: |- URLRewrite defines a schema for a filter that modifies a request during forwarding. - Support: Extended properties: hostname: @@ -10128,7 +7453,6 @@ spec: Hostname is the value to be used to replace the Host header value during forwarding. - Support: Extended maxLength: 253 minLength: 1 @@ -10138,7 +7462,6 @@ spec: description: |- Path defines a path rewrite. - Support: Extended properties: replaceFullPath: @@ -10154,32 +7477,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -10187,11 +7495,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -10304,20 +7610,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -10333,13 +7635,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -10366,13 +7666,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 @@ -10392,37 +7690,30 @@ spec: Filters define the filters that are applied to requests that match this rule. - Wherever possible, implementations SHOULD implement filters in the order they are specified. - Implementations MAY choose to implement this ordering strictly, rejecting any combination or order of filters that can not be supported. If implementations choose a strict interpretation of filter ordering, they MUST clearly document that behavior. - To reject an invalid combination or order of filters, implementations SHOULD consider the Route Rules with this configuration invalid. If all Route Rules in a Route are invalid, the entire Route would be considered invalid. If only a portion of Route Rules are invalid, implementations MUST set the "PartiallyInvalid" condition for the Route. - Conformance-levels at this level are defined based on the type of filter: - - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. - Specifying the same filter multiple times is not supported unless explicitly indicated in the filter. - All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly @@ -10431,7 +7722,6 @@ spec: `False`, implementations may use the `IncompatibleFilters` reason to specify this configuration error. - Support: Core items: description: |- @@ -10449,10 +7739,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - This filter can be used multiple times within the same rule. - Support: Implementation-specific properties: group: @@ -10484,7 +7772,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -10493,18 +7780,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -10517,7 +7801,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -10549,18 +7832,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -10574,18 +7854,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -10598,7 +7875,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -10625,49 +7901,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: @@ -10684,20 +7953,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -10713,13 +7978,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -10743,15 +8006,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' requestRedirect: description: |- RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. - Support: Core properties: hostname: @@ -10760,7 +8064,6 @@ spec: header in the response. When empty, the hostname in the `Host` header of the request is used. - Support: Core maxLength: 253 minLength: 1 @@ -10772,7 +8075,6 @@ spec: The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. - Support: Extended properties: replaceFullPath: @@ -10788,32 +8090,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -10821,11 +8108,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -10858,11 +8143,9 @@ spec: Port is the port to be used in the value of the `Location` header in the response. - If no port is specified, the redirect port MUST be derived using the following rules: - * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a @@ -10870,17 +8153,14 @@ spec: * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. - Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: - * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. - Support: Extended format: int32 maximum: 65535 @@ -10891,20 +8171,16 @@ spec: Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. - Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Extended enum: - http @@ -10915,16 +8191,13 @@ spec: description: |- StatusCode is the HTTP status code to be used in response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Core enum: - 301 @@ -10936,7 +8209,6 @@ spec: ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -10945,18 +8217,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -10969,7 +8238,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -11001,18 +8269,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -11026,18 +8291,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -11050,7 +8312,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -11081,17 +8342,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations must support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple @@ -11100,20 +8358,16 @@ spec: is specified using the ExtensionRef field. `Type` should be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -11129,7 +8383,6 @@ spec: description: |- URLRewrite defines a schema for a filter that modifies a request during forwarding. - Support: Extended properties: hostname: @@ -11137,7 +8390,6 @@ spec: Hostname is the value to be used to replace the Host header value during forwarding. - Support: Extended maxLength: 253 minLength: 1 @@ -11147,7 +8399,6 @@ spec: description: |- Path defines a path rewrite. - Support: Extended properties: replaceFullPath: @@ -11163,32 +8414,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -11196,11 +8432,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -11301,10 +8535,8 @@ spec: HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. - For example, take the following matches configuration: - ``` matches: - path: @@ -11316,65 +8548,54 @@ spec: value: "/v2/foo" ``` - For a request to match against this rule, a request must satisfy EITHER of the two conditions: - - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` - See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. - If no matches are specified, the default is a prefix path match on "/", which has the effect of matching every HTTP request. - Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match having: - * "Exact" path match. * "Prefix" path match with largest number of characters. * Method match. * Largest number of header matches. * Largest number of query param matches. - Note: The precedence of RegularExpression path matches are implementation-specific. - If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: - * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by "{namespace}/{name}". - If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. - When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned. items: description: "HTTPRouteMatch defines the predicate used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match will\nevaluate to true - only if all conditions are satisfied.\n\n\nFor example, - the match below will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + \ value \"v1\"\n\n```" properties: headers: description: |- @@ -11391,14 +8612,12 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent. - When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: @@ -11413,13 +8632,10 @@ spec: description: |- Type specifies how to match against the value of the header. - Support: Core (Exact) - Support: Implementation-specific (RegularExpression) - Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to @@ -11449,7 +8665,6 @@ spec: When specified, this route will be matched only if the request has the specified method. - Support: Extended enum: - GET @@ -11475,10 +8690,8 @@ spec: description: |- Type specifies how to match against the path Value. - Support: Core (Exact, PathPrefix) - Support: Implementation-specific (RegularExpression) enum: - Exact @@ -11543,7 +8756,6 @@ spec: values are ANDed together, meaning, a request must match all the specified query parameters to select the route. - Support: Extended items: description: |- @@ -11556,12 +8768,10 @@ spec: exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. - If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should @@ -11569,7 +8779,6 @@ spec: as this behavior is expected in other load balancing contexts outside of the Gateway API. - Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations. maxLength: 256 @@ -11581,13 +8790,10 @@ spec: description: |- Type specifies how to match against the value of the query parameter. - Support: Extended (Exact) - Support: Implementation-specific (RegularExpression) - Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's @@ -11612,17 +8818,114 @@ spec: - name x-kubernetes-list-type: map type: object - maxItems: 8 + maxItems: 64 type: array + name: + description: | + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + retry: + description: |+ + Retry defines the configuration for when to retry an HTTP request. + + Support: Extended + + properties: + attempts: + description: |- + Attempts specifies the maxmimum number of times an individual request + from the gateway to a backend should be retried. + + If the maximum number of retries has been attempted without a successful + response from the backend, the Gateway MUST return an error. + + When this field is unspecified, the number of times to attempt to retry + a backend request is implementation-specific. + + Support: Extended + type: integer + backoff: + description: |- + Backoff specifies the minimum duration a Gateway should wait between + retry attempts and is represented in Gateway API Duration formatting. + + For example, setting the `rules[].retry.backoff` field to the value + `100ms` will cause a backend request to first be retried approximately + 100 milliseconds after timing out or receiving a response code configured + to be retryable. + + An implementation MAY use an exponential or alternative backoff strategy + for subsequent retry attempts, MAY cap the maximum backoff duration to + some amount greater than the specified minimum, and MAY add arbitrary + jitter to stagger requests, as long as unsuccessful backend requests are + not retried before the configured minimum duration. + + If a Request timeout (`rules[].timeouts.request`) is configured on the + route, the entire duration of the initial request and any retry attempts + MUST not exceed the Request timeout duration. If any retry attempts are + still in progress when the Request timeout duration has been reached, + these SHOULD be canceled if possible and the Gateway MUST immediately + return a timeout error. + + If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is + configured on the route, any retry attempts which reach the configured + BackendRequest timeout duration without a response SHOULD be canceled if + possible and the Gateway should wait for at least the specified backoff + duration before attempting to retry the backend request again. + + If a BackendRequest timeout is _not_ configured on the route, retry + attempts MAY time out after an implementation default duration, or MAY + remain pending until a configured Request timeout or implementation + default duration for total request time is reached. + + When this field is unspecified, the time to wait between retry attempts + is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + codes: + description: |- + Codes defines the HTTP response status codes for which a backend request + should be retried. + + Support: Extended + items: + description: |- + HTTPRouteRetryStatusCode defines an HTTP response status code for + which a backend request should be retried. + + Implementations MUST support the following status codes as retryable: + + * 500 + * 502 + * 503 + * 504 + + Implementations MAY support specifying additional discrete values in the + 500-599 range. + + Implementations MAY support specifying discrete values in the 400-499 range, + which are often inadvisable to retry. + + + maximum: 599 + minimum: 400 + type: integer + type: array + type: object sessionPersistence: description: |+ SessionPersistence defines and configures session persistence for the route rule. - Support: Extended - properties: absoluteTimeout: description: |- @@ -11630,7 +8933,6 @@ spec: session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -11639,7 +8941,6 @@ spec: CookieConfig provides configuration settings that are specific to cookie-based session persistence. - Support: Core properties: lifetimeType: @@ -11651,20 +8952,16 @@ spec: attributes, while a session cookie is deleted when the current session ends. - When set to "Permanent", AbsoluteTimeout indicates the cookie's lifetime via the Expires or Max-Age cookie attributes and is required. - When set to "Session", AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional. - Support: Core for "Session" type - Support: Extended for "Permanent" type enum: - Permanent @@ -11677,7 +8974,6 @@ spec: Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -11688,7 +8984,6 @@ spec: should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior. - Support: Implementation-specific maxLength: 128 type: string @@ -11699,10 +8994,8 @@ spec: the use a header or cookie. Defaults to cookie based session persistence. - Support: Core for "Cookie" type - Support: Extended for "Header" type enum: - Cookie @@ -11712,16 +9005,13 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' timeouts: - description: |+ + description: |- Timeouts defines the timeouts that can be configured for an HTTP request. - Support: Extended - - properties: backendRequest: description: |- @@ -11729,21 +9019,19 @@ spec: to a backend. This covers the time from when the request first starts being sent from the gateway to when the full response has been received from the backend. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. - An entire client HTTP transaction with a gateway, covered by the Request timeout, may result in more than one call from the gateway to the destination backend, for example, if automatic retries are supported. - - Because the Request timeout encompasses the BackendRequest timeout, the value of - BackendRequest must be <= the value of Request timeout. - + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ @@ -11754,26 +9042,22 @@ spec: If the gateway has not been able to respond before this deadline is met, the gateway MUST return a timeout error. - For example, setting the `rules.timeouts.request` field to the value `10s` in an `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds to complete. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. - This timeout is intended to cover as close to the whole request-response transaction as possible although an implementation MAY choose to start the timeout after the entire request stream has been received instead of immediately after the transaction is initiated by the client. - - When this field is unspecified, request timeout behavior is implementation-specific. - + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ @@ -11828,6 +9112,24 @@ spec: != ''PathPrefix'') ? false : true) : true' maxItems: 16 type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) type: object status: description: Status defines the current state of HTTPRoute. @@ -11841,13 +9143,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: @@ -11861,38 +9161,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -11934,12 +9220,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -11962,15 +9243,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -11991,7 +9269,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -12001,14 +9278,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -12018,7 +9292,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -12028,7 +9301,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -12036,12 +9308,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -12049,7 +9319,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -12060,7 +9329,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -12070,18 +9338,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -12090,7 +9355,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -12101,7 +9365,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -12109,12 +9372,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -12124,7 +9385,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -12193,21 +9453,17 @@ spec: performing a match and (absent of any applicable header modification configuration) MUST forward this header unmodified to the backend. - Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: - * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. @@ -12218,55 +9474,45 @@ spec: all match. On the other hand, `example.com` and `test.example.net` would not match. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. - If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. - In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: - * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. - If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - Hostname can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.example.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed. @@ -12289,21 +9535,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -12313,10 +9554,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -12324,14 +9563,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, @@ -12339,12 +9576,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -12355,22 +9590,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -12382,7 +9613,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -12392,14 +9622,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -12409,7 +9636,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -12419,7 +9645,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -12427,12 +9652,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -12440,7 +9663,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -12451,7 +9673,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -12461,18 +9682,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -12481,7 +9699,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -12492,7 +9709,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -12500,12 +9716,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -12515,7 +9729,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -12555,7 +9768,9 @@ spec: - path: type: PathPrefix value: / - description: Rules are a list of HTTP matchers, filters and actions. + description: |+ + Rules are a list of HTTP matchers, filters and actions. + items: description: |- HTTPRouteRule defines semantics for matching an HTTP request based on @@ -12567,74 +9782,63 @@ spec: BackendRefs defines the backend(s) where matching requests should be sent. - Failure behavior here depends on how many BackendRefs are specified and how many are invalid. - If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. - See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. - When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. - For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Core items: description: |- HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - properties: filters: @@ -12642,7 +9846,6 @@ spec: Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. - Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.) items: @@ -12661,10 +9864,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - This filter can be used multiple times within the same rule. - Support: Implementation-specific properties: group: @@ -12696,7 +9897,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -12705,18 +9905,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -12730,7 +9927,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -12762,18 +9958,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -12787,18 +9980,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -12812,7 +10002,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -12839,49 +10028,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: @@ -12898,20 +10080,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -12927,13 +10105,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -12957,15 +10133,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' requestRedirect: description: |- RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. - Support: Core properties: hostname: @@ -12974,7 +10191,6 @@ spec: header in the response. When empty, the hostname in the `Host` header of the request is used. - Support: Core maxLength: 253 minLength: 1 @@ -12986,7 +10202,6 @@ spec: The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. - Support: Extended properties: replaceFullPath: @@ -13002,32 +10217,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -13035,11 +10235,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -13072,11 +10270,9 @@ spec: Port is the port to be used in the value of the `Location` header in the response. - If no port is specified, the redirect port MUST be derived using the following rules: - * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a @@ -13084,17 +10280,14 @@ spec: * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. - Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: - * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. - Support: Extended format: int32 maximum: 65535 @@ -13105,20 +10298,16 @@ spec: Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. - Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Extended enum: - http @@ -13129,16 +10318,13 @@ spec: description: |- StatusCode is the HTTP status code to be used in response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Core enum: - 301 @@ -13150,7 +10336,6 @@ spec: ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -13159,18 +10344,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -13184,7 +10366,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -13216,18 +10397,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -13241,18 +10419,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -13266,7 +10441,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -13297,17 +10471,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations must support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple @@ -13316,20 +10487,16 @@ spec: is specified using the ExtensionRef field. `Type` should be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -13345,7 +10512,6 @@ spec: description: |- URLRewrite defines a schema for a filter that modifies a request during forwarding. - Support: Extended properties: hostname: @@ -13353,7 +10519,6 @@ spec: Hostname is the value to be used to replace the Host header value during forwarding. - Support: Extended maxLength: 253 minLength: 1 @@ -13363,7 +10528,6 @@ spec: description: |- Path defines a path rewrite. - Support: Extended properties: replaceFullPath: @@ -13379,32 +10543,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -13412,11 +10561,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -13529,20 +10676,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -13558,13 +10701,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -13591,13 +10732,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 @@ -13617,37 +10756,30 @@ spec: Filters define the filters that are applied to requests that match this rule. - Wherever possible, implementations SHOULD implement filters in the order they are specified. - Implementations MAY choose to implement this ordering strictly, rejecting any combination or order of filters that can not be supported. If implementations choose a strict interpretation of filter ordering, they MUST clearly document that behavior. - To reject an invalid combination or order of filters, implementations SHOULD consider the Route Rules with this configuration invalid. If all Route Rules in a Route are invalid, the entire Route would be considered invalid. If only a portion of Route Rules are invalid, implementations MUST set the "PartiallyInvalid" condition for the Route. - Conformance-levels at this level are defined based on the type of filter: - - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. - Specifying the same filter multiple times is not supported unless explicitly indicated in the filter. - All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly @@ -13656,7 +10788,6 @@ spec: `False`, implementations may use the `IncompatibleFilters` reason to specify this configuration error. - Support: Core items: description: |- @@ -13674,10 +10805,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - This filter can be used multiple times within the same rule. - Support: Implementation-specific properties: group: @@ -13709,7 +10838,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -13718,18 +10846,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -13742,7 +10867,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -13774,18 +10898,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -13799,18 +10920,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -13823,7 +10941,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -13850,49 +10967,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: @@ -13909,20 +11019,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -13938,13 +11044,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -13968,15 +11072,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' requestRedirect: description: |- RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. - Support: Core properties: hostname: @@ -13985,7 +11130,6 @@ spec: header in the response. When empty, the hostname in the `Host` header of the request is used. - Support: Core maxLength: 253 minLength: 1 @@ -13997,7 +11141,6 @@ spec: The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. - Support: Extended properties: replaceFullPath: @@ -14013,32 +11156,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -14046,11 +11174,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -14083,11 +11209,9 @@ spec: Port is the port to be used in the value of the `Location` header in the response. - If no port is specified, the redirect port MUST be derived using the following rules: - * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a @@ -14095,17 +11219,14 @@ spec: * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. - Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: - * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. - Support: Extended format: int32 maximum: 65535 @@ -14116,20 +11237,16 @@ spec: Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. - Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Extended enum: - http @@ -14140,16 +11257,13 @@ spec: description: |- StatusCode is the HTTP status code to be used in response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Core enum: - 301 @@ -14161,7 +11275,6 @@ spec: ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -14170,18 +11283,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -14194,7 +11304,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -14226,18 +11335,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -14251,18 +11357,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -14275,7 +11378,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -14306,17 +11408,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations must support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple @@ -14325,20 +11424,16 @@ spec: is specified using the ExtensionRef field. `Type` should be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -14354,7 +11449,6 @@ spec: description: |- URLRewrite defines a schema for a filter that modifies a request during forwarding. - Support: Extended properties: hostname: @@ -14362,7 +11456,6 @@ spec: Hostname is the value to be used to replace the Host header value during forwarding. - Support: Extended maxLength: 253 minLength: 1 @@ -14372,7 +11465,6 @@ spec: description: |- Path defines a path rewrite. - Support: Extended properties: replaceFullPath: @@ -14388,32 +11480,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -14421,11 +11498,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -14526,10 +11601,8 @@ spec: HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. - For example, take the following matches configuration: - ``` matches: - path: @@ -14541,65 +11614,54 @@ spec: value: "/v2/foo" ``` - For a request to match against this rule, a request must satisfy EITHER of the two conditions: - - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` - See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. - If no matches are specified, the default is a prefix path match on "/", which has the effect of matching every HTTP request. - Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match having: - * "Exact" path match. * "Prefix" path match with largest number of characters. * Method match. * Largest number of header matches. * Largest number of query param matches. - Note: The precedence of RegularExpression path matches are implementation-specific. - If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: - * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by "{namespace}/{name}". - If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. - When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned. items: description: "HTTPRouteMatch defines the predicate used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match will\nevaluate to true - only if all conditions are satisfied.\n\n\nFor example, - the match below will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + \ value \"v1\"\n\n```" properties: headers: description: |- @@ -14616,14 +11678,12 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent. - When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: @@ -14638,13 +11698,10 @@ spec: description: |- Type specifies how to match against the value of the header. - Support: Core (Exact) - Support: Implementation-specific (RegularExpression) - Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to @@ -14674,7 +11731,6 @@ spec: When specified, this route will be matched only if the request has the specified method. - Support: Extended enum: - GET @@ -14700,10 +11756,8 @@ spec: description: |- Type specifies how to match against the path Value. - Support: Core (Exact, PathPrefix) - Support: Implementation-specific (RegularExpression) enum: - Exact @@ -14768,7 +11822,6 @@ spec: values are ANDed together, meaning, a request must match all the specified query parameters to select the route. - Support: Extended items: description: |- @@ -14781,12 +11834,10 @@ spec: exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. - If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should @@ -14794,7 +11845,6 @@ spec: as this behavior is expected in other load balancing contexts outside of the Gateway API. - Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations. maxLength: 256 @@ -14806,13 +11856,10 @@ spec: description: |- Type specifies how to match against the value of the query parameter. - Support: Extended (Exact) - Support: Implementation-specific (RegularExpression) - Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's @@ -14837,17 +11884,114 @@ spec: - name x-kubernetes-list-type: map type: object - maxItems: 8 + maxItems: 64 type: array + name: + description: | + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + retry: + description: |+ + Retry defines the configuration for when to retry an HTTP request. + + Support: Extended + + properties: + attempts: + description: |- + Attempts specifies the maxmimum number of times an individual request + from the gateway to a backend should be retried. + + If the maximum number of retries has been attempted without a successful + response from the backend, the Gateway MUST return an error. + + When this field is unspecified, the number of times to attempt to retry + a backend request is implementation-specific. + + Support: Extended + type: integer + backoff: + description: |- + Backoff specifies the minimum duration a Gateway should wait between + retry attempts and is represented in Gateway API Duration formatting. + + For example, setting the `rules[].retry.backoff` field to the value + `100ms` will cause a backend request to first be retried approximately + 100 milliseconds after timing out or receiving a response code configured + to be retryable. + + An implementation MAY use an exponential or alternative backoff strategy + for subsequent retry attempts, MAY cap the maximum backoff duration to + some amount greater than the specified minimum, and MAY add arbitrary + jitter to stagger requests, as long as unsuccessful backend requests are + not retried before the configured minimum duration. + + If a Request timeout (`rules[].timeouts.request`) is configured on the + route, the entire duration of the initial request and any retry attempts + MUST not exceed the Request timeout duration. If any retry attempts are + still in progress when the Request timeout duration has been reached, + these SHOULD be canceled if possible and the Gateway MUST immediately + return a timeout error. + + If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is + configured on the route, any retry attempts which reach the configured + BackendRequest timeout duration without a response SHOULD be canceled if + possible and the Gateway should wait for at least the specified backoff + duration before attempting to retry the backend request again. + + If a BackendRequest timeout is _not_ configured on the route, retry + attempts MAY time out after an implementation default duration, or MAY + remain pending until a configured Request timeout or implementation + default duration for total request time is reached. + + When this field is unspecified, the time to wait between retry attempts + is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + codes: + description: |- + Codes defines the HTTP response status codes for which a backend request + should be retried. + + Support: Extended + items: + description: |- + HTTPRouteRetryStatusCode defines an HTTP response status code for + which a backend request should be retried. + + Implementations MUST support the following status codes as retryable: + + * 500 + * 502 + * 503 + * 504 + + Implementations MAY support specifying additional discrete values in the + 500-599 range. + + Implementations MAY support specifying discrete values in the 400-499 range, + which are often inadvisable to retry. + + + maximum: 599 + minimum: 400 + type: integer + type: array + type: object sessionPersistence: description: |+ SessionPersistence defines and configures session persistence for the route rule. - Support: Extended - properties: absoluteTimeout: description: |- @@ -14855,7 +11999,6 @@ spec: session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -14864,7 +12007,6 @@ spec: CookieConfig provides configuration settings that are specific to cookie-based session persistence. - Support: Core properties: lifetimeType: @@ -14876,20 +12018,16 @@ spec: attributes, while a session cookie is deleted when the current session ends. - When set to "Permanent", AbsoluteTimeout indicates the cookie's lifetime via the Expires or Max-Age cookie attributes and is required. - When set to "Session", AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional. - Support: Core for "Session" type - Support: Extended for "Permanent" type enum: - Permanent @@ -14902,7 +12040,6 @@ spec: Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -14913,7 +12050,6 @@ spec: should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior. - Support: Implementation-specific maxLength: 128 type: string @@ -14924,10 +12060,8 @@ spec: the use a header or cookie. Defaults to cookie based session persistence. - Support: Core for "Cookie" type - Support: Extended for "Header" type enum: - Cookie @@ -14937,16 +12071,13 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' timeouts: - description: |+ + description: |- Timeouts defines the timeouts that can be configured for an HTTP request. - Support: Extended - - properties: backendRequest: description: |- @@ -14954,21 +12085,19 @@ spec: to a backend. This covers the time from when the request first starts being sent from the gateway to when the full response has been received from the backend. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. - An entire client HTTP transaction with a gateway, covered by the Request timeout, may result in more than one call from the gateway to the destination backend, for example, if automatic retries are supported. - - Because the Request timeout encompasses the BackendRequest timeout, the value of - BackendRequest must be <= the value of Request timeout. - + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ @@ -14979,26 +12108,22 @@ spec: If the gateway has not been able to respond before this deadline is met, the gateway MUST return a timeout error. - For example, setting the `rules.timeouts.request` field to the value `10s` in an `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds to complete. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. - This timeout is intended to cover as close to the whole request-response transaction as possible although an implementation MAY choose to start the timeout after the entire request stream has been received instead of immediately after the transaction is initiated by the client. - - When this field is unspecified, request timeout behavior is implementation-specific. - + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ @@ -15053,6 +12178,24 @@ spec: != ''PathPrefix'') ? false : true) : true' maxItems: 16 type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) type: object status: description: Status defines the current state of HTTPRoute. @@ -15066,13 +12209,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: @@ -15086,38 +12227,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -15159,12 +12286,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -15187,15 +12309,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -15216,7 +12335,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -15226,14 +12344,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -15243,7 +12358,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -15253,7 +12367,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -15261,12 +12374,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -15274,7 +12385,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -15285,7 +12395,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -15295,18 +12404,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -15315,7 +12421,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -15326,7 +12431,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -15334,12 +12438,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -15349,7 +12451,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -15389,7 +12490,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: referencegrants.gateway.networking.k8s.io @@ -15406,187 +12507,6 @@ spec: singular: referencegrant scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: The v1alpha2 version of ReferenceGrant has been deprecated - and will be removed in a future release of the API. Please upgrade to v1beta1. - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. - - - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. - - - A ReferenceGrant is required for all cross-namespace references in Gateway API - (with the exception of cross-namespace Route-Gateway attachment, which is - governed by the AllowedRoutes configuration on the Gateway, and cross-namespace - Service ParentRefs on a "consumer" mesh Route, which defines routing rules - applicable only to workloads in the Route namespace). ReferenceGrants allowing - a reference from a Route to a Service are only applicable to BackendRefs. - - - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of ReferenceGrant. - properties: - from: - description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. - - - Support: Core - items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. - - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. - - - When used to permit a SecretObjectReference: - - - * Gateway - - - When used to permit a BackendObjectReference: - - - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: - description: |- - Namespace is the namespace of the referent. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. - - - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. - - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: - - - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - type: object - maxItems: 16 - minItems: 1 - type: array - required: - - from - - to - type: object - type: object - served: true - storage: false - subresources: {} - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age @@ -15599,16 +12519,13 @@ spec: trusted to reference the specified kinds of resources in the same namespace as the policy. - Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. - All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. - ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have @@ -15642,7 +12559,6 @@ spec: to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. - Support: Core items: description: ReferenceGrantFrom describes trusted namespaces and @@ -15653,7 +12569,6 @@ spec: Group is the group of the referent. When empty, the Kubernetes core API group is inferred. - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -15664,16 +12579,12 @@ spec: additional resources, the following types are part of the "Core" support level for this field. - When used to permit a SecretObjectReference: - * Gateway - When used to permit a BackendObjectReference: - * GRPCRoute * HTTPRoute * TCPRoute @@ -15687,7 +12598,6 @@ spec: description: |- Namespace is the namespace of the referent. - Support: Core maxLength: 63 minLength: 1 @@ -15708,7 +12618,6 @@ spec: additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. - Support: Core items: description: |- @@ -15720,7 +12629,6 @@ spec: Group is the group of the referent. When empty, the Kubernetes core API group is inferred. - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -15731,7 +12639,6 @@ spec: additional resources, the following types are part of the "Core" support level for this field: - * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference maxLength: 63 @@ -15776,7 +12683,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tcproutes.gateway.networking.k8s.io @@ -15836,21 +12743,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -15860,10 +12762,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -15871,14 +12771,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, @@ -15886,12 +12784,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -15902,22 +12798,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -15929,7 +12821,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -15939,14 +12830,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -15956,7 +12844,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -15966,7 +12853,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -15974,12 +12860,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -15987,7 +12871,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -15998,7 +12881,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -16008,18 +12890,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -16028,7 +12907,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -16039,7 +12917,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -16047,12 +12924,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -16062,7 +12937,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -16097,7 +12971,9 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TCP matchers and actions. + description: |+ + Rules are a list of TCP matchers and actions. + items: description: TCPRouteRule is the configuration for a given rule. properties: @@ -16110,53 +12986,41 @@ spec: respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. - Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Extended items: description: |- BackendRef defines how a Route should forward a request to a Kubernetes resource. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - Note that when the BackendTLSPolicy object is enabled by the implementation, there are some extra rules about validity to consider here. See the fields where this struct is used for more information about the exact behavior. @@ -16175,20 +13039,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -16204,13 +13064,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -16237,13 +13095,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 @@ -16259,10 +13115,23 @@ spec: maxItems: 16 minItems: 1 type: array + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string type: object maxItems: 16 minItems: 1 type: array + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) required: - rules type: object @@ -16278,13 +13147,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: @@ -16298,38 +13165,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -16371,12 +13224,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -16399,15 +13247,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -16428,7 +13273,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -16438,14 +13282,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -16455,7 +13296,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -16465,7 +13305,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -16473,12 +13312,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -16486,7 +13323,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -16497,7 +13333,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -16507,18 +13342,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -16527,7 +13359,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -16538,7 +13369,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -16546,12 +13376,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -16561,7 +13389,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -16601,7 +13428,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tlsroutes.gateway.networking.k8s.io @@ -16628,7 +13455,6 @@ spec: to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. - If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener. properties: @@ -16658,17 +13484,14 @@ spec: SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: - * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. @@ -16678,37 +13501,31 @@ spec: `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. - If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. - If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - Hostname can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.example.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed. @@ -16731,21 +13548,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -16755,10 +13567,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -16766,14 +13576,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, @@ -16781,12 +13589,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -16797,22 +13603,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -16824,7 +13626,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -16834,14 +13635,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -16851,7 +13649,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -16861,7 +13658,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -16869,12 +13665,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -16882,7 +13676,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -16893,7 +13686,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -16903,18 +13695,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -16923,7 +13712,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -16934,7 +13722,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -16942,12 +13729,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -16957,7 +13742,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -16992,7 +13776,9 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TLS matchers and actions. + description: |+ + Rules are a list of TLS matchers and actions. + items: description: TLSRouteRule is the configuration for a given rule. properties: @@ -17008,53 +13794,41 @@ spec: requested to have 80% of requests, then 80% of requests must be rejected instead. - Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Extended items: description: |- BackendRef defines how a Route should forward a request to a Kubernetes resource. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - Note that when the BackendTLSPolicy object is enabled by the implementation, there are some extra rules about validity to consider here. See the fields where this struct is used for more information about the exact behavior. @@ -17073,20 +13847,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -17102,13 +13872,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -17135,13 +13903,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 @@ -17157,10 +13923,23 @@ spec: maxItems: 16 minItems: 1 type: array + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string type: object maxItems: 16 minItems: 1 type: array + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) required: - rules type: object @@ -17176,13 +13955,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: @@ -17196,38 +13973,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -17269,12 +14032,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -17297,15 +14055,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -17326,7 +14081,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -17336,14 +14090,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -17353,7 +14104,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -17363,7 +14113,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -17371,12 +14120,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -17384,7 +14131,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -17395,7 +14141,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -17405,18 +14150,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -17425,7 +14167,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -17436,7 +14177,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -17444,12 +14184,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -17459,7 +14197,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -17499,7 +14236,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: udproutes.gateway.networking.k8s.io @@ -17559,21 +14296,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -17583,10 +14315,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -17594,14 +14324,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, @@ -17609,12 +14337,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -17625,22 +14351,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -17652,7 +14374,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -17662,14 +14383,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -17679,7 +14397,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -17689,7 +14406,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -17697,12 +14413,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -17710,7 +14424,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -17721,7 +14434,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -17731,18 +14443,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -17751,7 +14460,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -17762,7 +14470,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -17770,12 +14477,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -17785,7 +14490,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -17820,7 +14524,9 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of UDP matchers and actions. + description: |+ + Rules are a list of UDP matchers and actions. + items: description: UDPRouteRule is the configuration for a given rule. properties: @@ -17833,53 +14539,41 @@ spec: respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. - Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Extended items: description: |- BackendRef defines how a Route should forward a request to a Kubernetes resource. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - Note that when the BackendTLSPolicy object is enabled by the implementation, there are some extra rules about validity to consider here. See the fields where this struct is used for more information about the exact behavior. @@ -17898,20 +14592,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -17927,13 +14617,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -17960,13 +14648,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 @@ -17982,10 +14668,23 @@ spec: maxItems: 16 minItems: 1 type: array + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string type: object maxItems: 16 minItems: 1 type: array + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) required: - rules type: object @@ -18001,13 +14700,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: @@ -18021,38 +14718,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -18094,12 +14777,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18122,15 +14800,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -18151,7 +14826,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -18161,14 +14835,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -18178,7 +14849,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -18188,7 +14858,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -18196,12 +14865,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -18209,7 +14876,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -18220,7 +14886,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -18230,18 +14895,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -18250,7 +14912,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -18261,7 +14922,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -18269,12 +14929,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -18284,7 +14942,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 77133a803fc..7b13e2a123f 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -945,6 +945,120 @@ spec: required: - type type: object + responseOverride: + description: |- + ResponseOverride defines the configuration to override specific responses with a custom one. + If multiple configurations are specified, the first one to match wins. + items: + description: ResponseOverride defines the configuration to override + specific responses with a custom one. + properties: + match: + description: Match configuration. + properties: + statusCode: + description: Status code to match on. The match evaluates + to true if any of the matches are successful. + items: + properties: + range: + description: |- + ValueRef contains the contents of the body + specified as a local object reference. + Only a reference to ConfigMap is supported. + properties: + end: + description: End of the range, including the end + value. + type: integer + start: + description: Start of the range, including the + start value. + type: integer + required: + - end + - start + type: object + type: + default: Value + description: Type is the type of value. + enum: + - Value + - Range + type: string + value: + description: Value contains the value of the status + code. + type: string + required: + - type + type: object + type: array + required: + - statusCode + type: object + response: + description: Response configuration. + properties: + body: + description: Body of the Custom Response + properties: + inline: + description: Inline contains the value as an inline + string. + type: string + type: + description: Type is the type of method to use to read + the body value. + enum: + - Inline + - ValueRef + type: string + valueRef: + description: |- + ValueRef contains the contents of the body + specified as a local object reference. + Only a reference to ConfigMap is supported. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - type + type: object + contentType: + description: Content Type of the response. This will be + set in the Content-Type header. + type: string + required: + - body + type: object + required: + - match + - response + type: object + type: array retry: description: |- Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index e5488fd636b..1b18890cd27 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -12255,6 +12255,17 @@ spec: maxItems: 50 minItems: 1 type: array + type: + description: |- + Type defines the component emitting the accesslog, such as Listener and Route. + If type not defined, the setting would apply to: + (1) All Routes. + (2) Listeners if and only if Envoy does not find a matching route for a request. + If type is defined, the accesslog settings would apply to the relevant component (as-is). + enum: + - Listener + - Route + type: string required: - sinks type: object @@ -12271,6 +12282,11 @@ spec: EnablePerEndpointStats enables per endpoint envoy stats metrics. Please use with caution. type: boolean + enableRequestResponseSizesStats: + description: EnableRequestResponseSizesStats enables publishing + of histograms tracking header and body sizes of requests + and responses. + type: boolean enableVirtualHostStats: description: EnableVirtualHostStats enables envoy stat metrics for virtual hosts. @@ -14204,6 +14220,7 @@ spec: enum: - OpenTelemetry - Zipkin + - Datadog type: string zipkin: description: Zipkin defines the Zipkin tracing provider diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index d3d18a0089f..8c4debcef0a 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -82,7 +82,9 @@ spec: name: description: |- Name is a user-friendly name for the rule. - If not specified, Envoy Gateway will generate a unique name for the rule.n + If not specified, Envoy Gateway will generate a unique name for the rule. + maxLength: 253 + minLength: 1 type: string principal: description: |- @@ -109,6 +111,7 @@ spec: A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) type: string + minItems: 1 type: array jwt: description: |- @@ -134,6 +137,8 @@ spec: represent the full path to the claim. For example, if the claim is in the "department" field in the "organization" field, the name should be "organization.department". + maxLength: 253 + minLength: 1 type: string valueType: default: String @@ -152,12 +157,24 @@ spec: If multiple values are specified, one of the values must match for the rule to match. items: type: string + maxItems: 16 + minItems: 1 type: array required: - name - values type: object + maxItems: 16 + minItems: 1 type: array + provider: + description: |- + Provider is the name of the JWT provider that used to verify the JWT token. + In order to use JWT claims for authorization, you must configure the JWT + authentication with the same provider in the same `SecurityPolicy`. + maxLength: 253 + minLength: 1 + type: string scopes: description: |- Scopes are a special type of claim in a JWT token that represents the permissions of the client. @@ -167,8 +184,14 @@ spec: If multiple scopes are specified, all scopes must match for the rule to match. items: + maxLength: 253 + minLength: 1 type: string + maxItems: 16 + minItems: 1 type: array + required: + - provider type: object x-kubernetes-validations: - message: at least one of claims or scopes must be diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index af5cd116961..0be895fe76f 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -94,6 +94,9 @@ spec: name: certs readOnly: true {{- include "eg.image.pullSecrets" . | nindent 6 }} + {{- with .Values.deployment.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: diff --git a/charts/gateway-helm/templates/envoy-gateway-service.yaml b/charts/gateway-helm/templates/envoy-gateway-service.yaml index 099129477f7..39b30ea6710 100644 --- a/charts/gateway-helm/templates/envoy-gateway-service.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-service.yaml @@ -3,6 +3,10 @@ kind: Service metadata: name: envoy-gateway namespace: '{{ .Release.Namespace }}' + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: control-plane: envoy-gateway {{- include "eg.labels" . | nindent 4 }} diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 2bce089d2dc..a06f9f232ba 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -49,6 +49,7 @@ deployment: - name: metrics port: 19001 targetPort: 19001 + priorityClassName: null replicas: 1 pod: affinity: {} @@ -60,6 +61,9 @@ deployment: tolerations: [] nodeSelector: {} +service: + annotations: {} + config: envoyGateway: gateway: diff --git a/embed.go b/embed.go new file mode 100644 index 00000000000..97f2e3bf547 --- /dev/null +++ b/embed.go @@ -0,0 +1,52 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package envoygateway + +import ( + "bytes" + _ "embed" +) + +var ( + //go:embed charts/gateway-helm/crds/gatewayapi-crds.yaml + gatewayAPICRDs []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml + backendCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml + backendTrafficPolicyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml + clientTrafficPolicyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml + envoyExtensionPolicyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml + envoyPatchPolicyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml + envoyProxyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml + httpRouteFilterCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml + securityPolicyCRD []byte +) + +var GatewayCRDs = bytes.Join([][]byte{ + gatewayAPICRDs, + backendCRD, + backendTrafficPolicyCRD, + clientTrafficPolicyCRD, + envoyExtensionPolicyCRD, + envoyPatchPolicyCRD, + envoyProxyCRD, + httpRouteFilterCRD, + securityPolicyCRD, +}, []byte("")) diff --git a/examples/extension-server/cmd/extension-server/main.go b/examples/extension-server/cmd/extension-server/main.go index 9df1f4a885c..4a6b0474621 100644 --- a/examples/extension-server/cmd/extension-server/main.go +++ b/examples/extension-server/cmd/extension-server/main.go @@ -56,7 +56,6 @@ func main() { }, } app.Run(os.Args) - } var grpcServer *grpc.Server @@ -65,7 +64,7 @@ func handleSignals(cCtx *cli.Context) error { c := make(chan os.Signal, 1) signal.Notify(c, os.Interrupt, syscall.SIGQUIT) go func() { - for _ = range c { + for range c { if grpcServer != nil { grpcServer.Stop() os.Exit(0) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index c4d2cbcf728..d6f03677ed6 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -5,12 +5,12 @@ go 1.23.1 require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 - github.com/urfave/cli/v2 v2.27.2 - google.golang.org/grpc v1.67.0 + github.com/urfave/cli/v2 v2.27.4 + google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.34.2 k8s.io/apimachinery v0.31.1 sigs.k8s.io/controller-runtime v0.19.0 - sigs.k8s.io/gateway-api v1.1.0 + sigs.k8s.io/gateway-api v1.2.0 ) require ( @@ -30,16 +30,16 @@ require ( github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect - golang.org/x/net v0.29.0 // indirect - golang.org/x/sys v0.25.0 // indirect - golang.org/x/text v0.18.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect + github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect + golang.org/x/net v0.30.0 // indirect + golang.org/x/sys v0.26.0 // indirect + golang.org/x/text v0.19.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + k8s.io/utils v0.0.0-20240821151609-f90d01438635 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 99b3fb50e28..fd1ecc8f322 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -64,12 +64,12 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI= -github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM= +github.com/urfave/cli/v2 v2.27.4 h1:o1owoI+02Eb+K107p27wEX9Bb8eqIoZCfLXloLUSWJ8= +github.com/urfave/cli/v2 v2.27.4/go.mod h1:m4QzxcD2qpra4z7WhzEGn74WZLViBnMpb1ToCAKdGRQ= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw= -github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= @@ -81,20 +81,20 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= @@ -105,12 +105,12 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= -google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 h1:pAjq8XSSzXoP9ya73v/w+9QEAAJNluLrpmMq5qFJQNY= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:O6rP0uBq4k0mdi/b4ZEMAZjkhYWhS815kCvaMha4VN8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -129,12 +129,12 @@ k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= +k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= -sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= -sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= +sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= +sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/examples/extension-server/tools/src/controller-gen/pin.go b/examples/extension-server/tools/src/controller-gen/pin.go index 82c8d1cf3c5..a3fbfac77f7 100644 --- a/examples/extension-server/tools/src/controller-gen/pin.go +++ b/examples/extension-server/tools/src/controller-gen/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/go.mod b/go.mod index bbe504923c8..a07ab071892 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( fortio.org/fortio v1.66.3 fortio.org/log v1.16.0 github.com/Masterminds/semver/v3 v3.3.0 - github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b + github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.3.1+incompatible github.com/dominikbraun/graph v0.23.0 @@ -44,7 +44,7 @@ require ( go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e - golang.org/x/sys v0.25.0 + golang.org/x/sys v0.26.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.1 @@ -54,21 +54,22 @@ require ( k8s.io/cli-runtime v0.31.1 k8s.io/client-go v0.31.1 k8s.io/kubectl v0.31.1 - k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 + k8s.io/utils v0.0.0-20240821151609-f90d01438635 sigs.k8s.io/controller-runtime v0.19.0 - sigs.k8s.io/gateway-api v1.1.0 + sigs.k8s.io/gateway-api v1.2.0-rc2 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 ) require ( github.com/docker/docker v27.3.1+incompatible - github.com/replicatedhq/troubleshoot v0.102.0 - google.golang.org/grpc v1.66.2 + github.com/replicatedhq/troubleshoot v0.105.2 + google.golang.org/grpc v1.67.1 + sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 ) require ( - cel.dev/expr v0.15.0 // indirect + cel.dev/expr v0.16.0 // indirect dario.cat/mergo v1.0.1 // indirect filippo.io/edwards25519 v1.1.0 // indirect fortio.org/cli v1.9.0 // indirect @@ -84,6 +85,7 @@ require ( github.com/Masterminds/squirrel v1.5.4 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/Microsoft/hcsshim v0.12.5 // indirect + github.com/NYTimes/gziphandler v1.1.1 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/apparentlymart/go-cidr v1.1.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect @@ -100,6 +102,7 @@ require ( github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect github.com/containers/ocicrypt v1.2.0 // indirect github.com/containers/storage v1.55.0 // indirect + github.com/coreos/go-semver v0.3.1 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/cyphar/filepath-securejoin v0.3.1 // indirect github.com/distribution/distribution/v3 v3.0.0-beta.1 // indirect @@ -123,16 +126,18 @@ require ( github.com/gorilla/handlers v1.5.2 // indirect github.com/gorilla/mux v1.8.1 // indirect github.com/gosuri/uitable v0.0.4 // indirect + github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/huandu/xstrings v1.5.0 // indirect github.com/jackc/pgpassfile v1.0.0 // indirect github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect - github.com/jackc/pgx/v5 v5.7.0 // indirect + github.com/jackc/pgx/v5 v5.7.1 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/kortschak/goroutine v1.1.2 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect @@ -176,7 +181,7 @@ require ( github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.7.0 // indirect github.com/spf13/viper v1.19.0 // indirect - github.com/stoewer/go-strcase v1.2.0 // indirect + github.com/stoewer/go-strcase v1.3.0 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/sylabs/sif/v2 v2.18.0 // indirect github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect @@ -190,9 +195,15 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect + go.etcd.io/etcd/api/v3 v3.5.14 // indirect + go.etcd.io/etcd/client/pkg/v3 v3.5.14 // indirect + go.etcd.io/etcd/client/v3 v3.5.14 // indirect go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect - golang.org/x/crypto v0.27.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect + golang.org/x/crypto v0.28.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect @@ -200,6 +211,7 @@ require ( k8s.io/metrics v0.31.1 // indirect oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect ) require ( @@ -260,16 +272,16 @@ require ( go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.21.0 // indirect - golang.org/x/net v0.29.0 + golang.org/x/net v0.30.0 golang.org/x/oauth2 v0.22.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/term v0.24.0 // indirect - golang.org/x/text v0.18.0 // indirect + golang.org/x/term v0.25.0 // indirect + golang.org/x/text v0.19.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/component-base v0.31.1 // indirect diff --git a/go.sum b/go.sum index 603355075db..6e355f58e24 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -cel.dev/expr v0.15.0 h1:O1jzfJCQBfL5BFoYktaxwIhuttaQPsVWerH9/EEKx0w= -cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= +cel.dev/expr v0.16.0 h1:yloc84fytn4zmJX2GU3TkXGsaieaV7dQ057Qs4sIG2Y= +cel.dev/expr v0.16.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= @@ -71,6 +71,8 @@ github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0= github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= @@ -119,8 +121,8 @@ github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok= github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= @@ -150,6 +152,8 @@ github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8Nz github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= @@ -206,6 +210,8 @@ github.com/dominikbraun/graph v0.23.0 h1:TdZB4pPqCLFxYhdyMFb1TBdFxp8XLcJfTTBQucV github.com/dominikbraun/graph v0.23.0/go.mod h1:yOjYyogZLY1LSG9E33JWZJiq5k83Qy2C6POAuiViluc= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= @@ -343,6 +349,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA= @@ -429,9 +437,14 @@ github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJr github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -461,14 +474,16 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= -github.com/jackc/pgx/v5 v5.7.0 h1:FG6VLIdzvAPhnYqP14sQ2xhFLkiUQHCs6ySqO91kF4g= -github.com/jackc/pgx/v5 v5.7.0/go.mod h1:awP1KNnjylvpxHuHP63gzjhnGkI1iw+PMoIwvoleN/8= -github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk= -github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= +github.com/jackc/pgx/v5 v5.7.1 h1:x7SYsPBYDkHDksogeSmZZ5xzThcTgRz++I5E+ePFUcs= +github.com/jackc/pgx/v5 v5.7.1/go.mod h1:e7O26IywZZ+naJtWWos6i6fvWK+29etgITqrqHLfoZA= +github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= +github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= +github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= @@ -700,8 +715,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.102.0 h1:qPuLdio9JnZHXQ+ah1uJDbkZyh5gR9NEM88aZBkQyq0= -github.com/replicatedhq/troubleshoot v0.102.0/go.mod h1:zw25eyvPPj6SUnoVGEUjFzWOlhH097UeJgakWLDYo9k= +github.com/replicatedhq/troubleshoot v0.105.2 h1:Fm1kKdzhPw+J7UnpLByxYJ3XAVV4IkylUIDt0eaUTFE= +github.com/replicatedhq/troubleshoot v0.105.2/go.mod h1:WqquTbNHLnZiSWsu6Mzo3rwez5kZ/A+1Hq4K/yq0HBo= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= @@ -740,6 +755,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js= +github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= @@ -765,8 +782,8 @@ github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DM github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= -github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= +github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= @@ -805,6 +822,8 @@ github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+F github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= github.com/tsaarni/certyaml v0.9.3 h1:m8HHbuUzWVUOmv8IQU9HgVZZ8r5ICExKm++54DJKCs0= github.com/tsaarni/certyaml v0.9.3/go.mod h1:hhuU1qYr5re488geArUP4gZWqMUMqGlj4HA2qUyGYLk= github.com/tsaarni/x500dn v1.0.0 h1:LvaWTkqRpse4VHBhB5uwf3wytokK4vF9IOyNAEyiA+U= @@ -826,6 +845,7 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= @@ -836,7 +856,24 @@ github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0= +go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 h1:VcrIfasaLFkyjk6KNlXQSzO+B0fZcnECiDrKJsfxka0= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.etcd.io/etcd/api/v3 v3.5.14 h1:vHObSCxyB9zlF60w7qzAdTcGaglbJOpSj1Xj9+WGxq0= +go.etcd.io/etcd/api/v3 v3.5.14/go.mod h1:BmtWcRlQvwa1h3G2jvKYwIQy4PkHlDej5t7uLMUdJUU= +go.etcd.io/etcd/client/pkg/v3 v3.5.14 h1:SaNH6Y+rVEdxfpA2Jr5wkEvN6Zykme5+YnbCkxvuWxQ= +go.etcd.io/etcd/client/pkg/v3 v3.5.14/go.mod h1:8uMgAokyG1czCtIdsq+AGyYQMvpIKnSvPjFMunkgeZI= +go.etcd.io/etcd/client/v2 v2.305.13 h1:RWfV1SX5jTU0lbCvpVQe3iPQeAHETWdOTb6pxhd77C8= +go.etcd.io/etcd/client/v2 v2.305.13/go.mod h1:iQnL7fepbiomdXMb3om1rHq96htNNGv2sJkEcZGDRRg= +go.etcd.io/etcd/client/v3 v3.5.14 h1:CWfRs4FDaDoSz81giL7zPpZH2Z35tbOrAJkkjMqOupg= +go.etcd.io/etcd/client/v3 v3.5.14/go.mod h1:k3XfdV/VIHy/97rqWjoUzrj9tk7GgJGH9J8L4dNXmAk= +go.etcd.io/etcd/pkg/v3 v3.5.13 h1:st9bDWNsKkBNpP4PR1MvM/9NqUPfvYZx/YXegsYEH8M= +go.etcd.io/etcd/pkg/v3 v3.5.13/go.mod h1:N+4PLrp7agI/Viy+dUYpX7iRtSPvKq+w8Y14d1vX+m0= +go.etcd.io/etcd/raft/v3 v3.5.13 h1:7r/NKAOups1YnKcfro2RvGGo2PTuizF/xh26Z2CTAzA= +go.etcd.io/etcd/raft/v3 v3.5.13/go.mod h1:uUFibGLn2Ksm2URMxN1fICGhk8Wu96EfDQyuLhAcAmw= +go.etcd.io/etcd/server/v3 v3.5.13 h1:V6KG+yMfMSqWt+lGnhFpP5z5dRUj1BDRJ5k1fQ9DFok= +go.etcd.io/etcd/server/v3 v3.5.13/go.mod h1:K/8nbsGupHqmr5MkgaZpLlH1QdX1pcNQLAkODy44XcQ= go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= @@ -845,6 +882,8 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1 h1:ysCfPZB9AjUlMa1UHYup3c9dAOCMQX/6sxSfPBUoxHw= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1/go.mod h1:ha0aiYm+DOPsLHjh0zoQ8W8sLT+LJ58J3j47lGpSLrU= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= @@ -897,8 +936,8 @@ golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= -golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 h1:vKHSxFhPLnBEYu9R8DcQ4gXq9EqU0VVhC9pq9wmtYsg= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -935,8 +974,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -988,17 +1027,17 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= -golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1039,10 +1078,12 @@ google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRn google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= @@ -1051,8 +1092,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= -google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -1080,6 +1121,8 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= @@ -1142,6 +1185,8 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kms v0.31.1 h1:cGLyV3cIwb0ovpP/jtyIe2mEuQ/MkbhmeBF2IYCA9Io= +k8s.io/kms v0.31.1/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= @@ -1152,22 +1197,26 @@ k8s.io/metrics v0.31.1 h1:h4I4dakgh/zKflWYAOQhwf0EXaqy8LxAIyE/GBvxqRc= k8s.io/metrics v0.31.1/go.mod h1:JuH1S9tJiH9q1VCY0yzSCawi7kzNLsDzlWDJN4xR+iA= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= +k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go v1.2.6 h1:z8cmxQXBU8yZ4mkytWqXfo6tZcamPwjsuxYU81xJ8Lk= oras.land/oras-go v1.2.6/go.mod h1:OVPc1PegSEe/K8YiLfosrlqlqTN9PUyFvOw5Y9gwrT8= periph.io/x/host/v3 v3.8.2 h1:ayKUDzgUCN0g8+/xM9GTkWaOBhSLVcVHGTfjAOi8OsQ= periph.io/x/host/v3 v3.8.2/go.mod h1:yFL76AesNHR68PboofSWYaQTKmvPXsQH2Apvp/ls/K4= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= -sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= -sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= +sigs.k8s.io/gateway-api v1.2.0-rc2 h1:v7V7JzaBuzwOLWWyyqlkqiqBi3ANBuZGV+uyyKzwmE8= +sigs.k8s.io/gateway-api v1.2.0-rc2/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= +sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 h1:ju7xWt2VnWuZPh0ffWJtsC40ki1BW/pLy6DZRyoEB30= +sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263/go.mod h1:ex3aZREdgXoEH7+v6azT7Xm0J9rpWIDr1micQCzdomY= sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= diff --git a/internal/admin/server.go b/internal/admin/server.go index 0569513033e..f71619a2238 100644 --- a/internal/admin/server.go +++ b/internal/admin/server.go @@ -12,13 +12,9 @@ import ( "github.com/davecgh/go-spew/spew" - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" - "github.com/envoyproxy/gateway/internal/logging" ) -var adminLogger = logging.DefaultLogger(egv1a1.LogLevelInfo).WithName("admin") - func Init(cfg *config.Server) error { if cfg.EnvoyGateway.GetEnvoyGatewayAdmin().EnableDumpConfig { spewConfig := spew.NewDefaultConfig() @@ -34,6 +30,7 @@ func start(cfg *config.Server) error { address := cfg.EnvoyGateway.GetEnvoyGatewayAdminAddress() enablePprof := cfg.EnvoyGateway.GetEnvoyGatewayAdmin().EnablePprof + adminLogger := cfg.Logger.WithName("admin") adminLogger.Info("starting admin server", "address", address, "enablePprof", enablePprof) if enablePprof { @@ -57,7 +54,7 @@ func start(cfg *config.Server) error { // Listen And Serve Admin Server. go func() { if err := adminServer.ListenAndServe(); err != nil { - cfg.Logger.Error(err, "start admin server failed") + adminLogger.Error(err, "start admin server failed") } }() diff --git a/internal/admin/server_test.go b/internal/admin/server_test.go index 2280738c235..a07291d8ba1 100644 --- a/internal/admin/server_test.go +++ b/internal/admin/server_test.go @@ -12,6 +12,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/logging" ) func TestInitAdminServer(t *testing.T) { @@ -20,6 +21,8 @@ func TestInitAdminServer(t *testing.T) { EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{}, }, } + + svrConfig.Logger = logging.NewLogger(egv1a1.DefaultEnvoyGatewayLogging()) err := Init(svrConfig) require.NoError(t, err) } diff --git a/internal/cmd/egctl/experimental.go b/internal/cmd/egctl/experimental.go index 70f46650ff3..9af7e76f04a 100644 --- a/internal/cmd/egctl/experimental.go +++ b/internal/cmd/egctl/experimental.go @@ -29,6 +29,7 @@ func newExperimentalCommand() *cobra.Command { experimentalCommand.AddCommand(newInstallCommand()) experimentalCommand.AddCommand(newUnInstallCommand()) experimentalCommand.AddCommand(newCollectCommand()) + experimentalCommand.AddCommand(newValidateCommand()) return experimentalCommand } diff --git a/internal/cmd/egctl/testdata/translate/in/default-resources.yaml b/internal/cmd/egctl/testdata/translate/in/default-resources.yaml index 1cdb52f993a..bf2af30da40 100644 --- a/internal/cmd/egctl/testdata/translate/in/default-resources.yaml +++ b/internal/cmd/egctl/testdata/translate/in/default-resources.yaml @@ -1,3 +1,4 @@ +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: @@ -113,7 +114,7 @@ spec: type: PathPrefix value: / --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute metadata: name: backend diff --git a/internal/cmd/egctl/testdata/translate/in/from-gateway-api-to-xds.yaml b/internal/cmd/egctl/testdata/translate/in/from-gateway-api-to-xds.yaml index b13096a2e3a..b501a74a758 100644 --- a/internal/cmd/egctl/testdata/translate/in/from-gateway-api-to-xds.yaml +++ b/internal/cmd/egctl/testdata/translate/in/from-gateway-api-to-xds.yaml @@ -145,7 +145,7 @@ spec: type: PathPrefix value: / --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute metadata: name: backend diff --git a/internal/cmd/egctl/testdata/translate/in/invalid-envoyproxy.yaml b/internal/cmd/egctl/testdata/translate/in/invalid-envoyproxy.yaml index 9e31a94aa6a..5c72cb4f1bd 100644 --- a/internal/cmd/egctl/testdata/translate/in/invalid-envoyproxy.yaml +++ b/internal/cmd/egctl/testdata/translate/in/invalid-envoyproxy.yaml @@ -170,7 +170,7 @@ spec: type: PathPrefix value: / --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute metadata: name: backend diff --git a/internal/cmd/egctl/testdata/translate/in/valid-envoyproxy.yaml b/internal/cmd/egctl/testdata/translate/in/valid-envoyproxy.yaml index bb9ca9478f9..ba8c25e2352 100644 --- a/internal/cmd/egctl/testdata/translate/in/valid-envoyproxy.yaml +++ b/internal/cmd/egctl/testdata/translate/in/valid-envoyproxy.yaml @@ -163,7 +163,7 @@ spec: type: PathPrefix value: / --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute metadata: name: backend diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 963a856e5bf..df12da2e2c1 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -178,6 +178,7 @@ envoyProxyForGatewayClass: logging: {} status: {} gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -197,7 +198,8 @@ gatewayClass: status: "True" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: default @@ -1133,7 +1135,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: http @@ -1164,7 +1166,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: grpc diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml index 3d88f20f51d..f88b74ed0c4 100644 --- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml @@ -1,4 +1,5 @@ gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -13,7 +14,8 @@ gatewayClass: status: "True" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: envoy-gateway-system diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.route.json b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.route.json index 41dfd6683e7..f069c670afb 100644 --- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.route.json +++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.route.json @@ -1,5 +1,6 @@ { "gatewayClass": { + "kind": "GatewayClass", "metadata": { "name": "eg", "namespace": "envoy-gateway-system", @@ -22,6 +23,7 @@ }, "gateways": [ { + "kind": "Gateway", "metadata": { "name": "eg", "namespace": "envoy-gateway-system", diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 55437eba8ab..81f8f2b8c3d 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -1034,7 +1034,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg", "namespace": "default", "sectionName": "http" @@ -1092,7 +1092,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg", "namespace": "default", "sectionName": "grpc" diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index 1bad66a8512..d4ceef84de2 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -614,7 +614,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: http @@ -645,7 +645,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: grpc diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.route.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.route.yaml index 2163c6fb6bf..8ef62d3bf70 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.route.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.route.yaml @@ -13,7 +13,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: http @@ -44,7 +44,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: grpc diff --git a/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml b/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml index 81df01be9e4..bd4ac1d198d 100644 --- a/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml @@ -1,4 +1,5 @@ envoyProxyForGatewayClass: + kind: EnvoyProxy metadata: creationTimestamp: null name: example @@ -6,7 +7,7 @@ envoyProxyForGatewayClass: spec: bootstrap: type: Replace - value: |- + value: | admin: access_log: - name: envoy.access_loggers.file @@ -20,6 +21,7 @@ envoyProxyForGatewayClass: logging: {} status: {} gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -39,7 +41,8 @@ gatewayClass: status: "False" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: default diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index bac479d41d6..782775f605f 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -499,6 +499,12 @@ "providers": { "httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example": { "forward": true, + "normalizePayloadInMetadata": { + "spaceDelimitedClaims": [ + "scope" + ] + }, + "payloadInMetadata": "example", "remoteJwks": { "asyncFetch": {}, "cacheDuration": "300s", @@ -569,7 +575,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg", "namespace": "envoy-gateway-system", "sectionName": "http" diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 651c46f8f76..7579be57f5f 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -293,6 +293,10 @@ xds: providers: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example: forward: true + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -335,7 +339,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml index 7fdd4a247e3..347f3302124 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml @@ -49,6 +49,10 @@ xds: providers: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example: forward: true + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.route.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.route.yaml index 7e8a1adeed0..bac80f6e5d3 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.route.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.route.yaml @@ -13,7 +13,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http diff --git a/internal/cmd/egctl/testdata/translate/out/multiple-xds.route.json b/internal/cmd/egctl/testdata/translate/out/multiple-xds.route.json index 335fffb6d41..7748851144e 100644 --- a/internal/cmd/egctl/testdata/translate/out/multiple-xds.route.json +++ b/internal/cmd/egctl/testdata/translate/out/multiple-xds.route.json @@ -18,7 +18,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg", "namespace": "default", "sectionName": "http" @@ -81,7 +81,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg2", "namespace": "default", "sectionName": "http" diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 0ed9f3e6893..e6e91b9ec45 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -280,7 +280,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml index 9f9515e8e58..de96e757e8e 100644 --- a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml @@ -1,5 +1,6 @@ gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: envoy-gateway-system @@ -99,6 +100,7 @@ xdsIR: - '*' isHTTP2: false metadata: + kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.route.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.route.yaml index a9149572285..7043ed9a5b7 100644 --- a/internal/cmd/egctl/testdata/translate/out/quickstart.route.yaml +++ b/internal/cmd/egctl/testdata/translate/out/quickstart.route.yaml @@ -13,7 +13,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http diff --git a/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml b/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml index c578d14aef5..18e5910acc2 100644 --- a/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml +++ b/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml @@ -1,4 +1,5 @@ gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -13,7 +14,8 @@ gatewayClass: status: "True" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: envoy-gateway-system diff --git a/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml b/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml index 638390ff440..fe1b452f291 100644 --- a/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml @@ -1,4 +1,5 @@ envoyProxyForGatewayClass: + kind: EnvoyProxy metadata: creationTimestamp: null name: example @@ -13,6 +14,7 @@ envoyProxyForGatewayClass: type: Kubernetes status: {} gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -32,7 +34,8 @@ gatewayClass: status: "True" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: default diff --git a/internal/cmd/egctl/testdata/validate/invalid-resources.yaml b/internal/cmd/egctl/testdata/validate/invalid-resources.yaml new file mode 100644 index 00000000000..b7815b10707 --- /dev/null +++ b/internal/cmd/egctl/testdata/validate/invalid-resources.yaml @@ -0,0 +1,161 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg1 + namespace: default +spec: + gatewayClassName: eg + listeners: + - name: http + protocol: HTTP + port: 88888 # invalid port +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg2 + namespace: default +spec: + gatewayClassName: eg + listeners: + - name: tcp + protocol: TCP + port: 1234 + - name: tcp + protocol: TCP + port: 1234 + - name: tls-passthrough + protocol: TLS + port: 8443 + hostname: foo.com + tls: + mode: Passthrough + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + kinds: + - kind: HTTPRoute + group: gateway.networking.k8s.io + - name: grpc + protocol: HTTP + port: 8080 + allowedRoutes: + kinds: + - kind: GRPCRoute + group: gateway.networking.k8s.io +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend + namespace: default +spec: + parentRefs: + - name: eg + hostnames: + - ".;'.';[]" + rules: + - backendRefs: + - group: "" + kind: Service + name: backend + port: 3000 + weight: 1 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyPatchPolicy +metadata: + name: ratelimit-patch-policy +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: eg + type: JSONPatch + jsonPatches: + - type: "type.googleapis.com/envoy.config.listener.v3.Listener" + # The listener name is of the form // + name: default/eg/http + operation: + op: add + path: "/default_filter_chain/filters/0/typed_config/http_filters/0" + value: + name: "envoy.filters.http.ratelimit" + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit" + domain: "eag-ratelimit" + failure_mode_deny: true + timeout: 1s + rate_limit_service: + grpc_service: + envoy_grpc: + cluster_name: rate-limit-cluster + transport_api_version: V3 + - type: "type.googleapis.com/envoy.config.route.v3.RouteConfiguration" + # The route name is of the form // + name: default/eg/http + operation: + op: add + path: "/virtual_hosts/0/rate_limits" + value: + - actions: + - remote_address: {} + - type: "type.googleapis.com/envoy.config.cluster.v3.Cluster" + name: rate-limit-cluster + operation: + op: add + path: "" + value: + name: rate-limit-cluster + type: STRICT_DNS + connect_timeout: 10s + lb_policy: ROUND_ROBIN + http2_protocol_options: {} + load_assignment: + cluster_name: rate-limit-cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ratelimit.svc.cluster.local + port_value: 8081 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-1 + namespace: default +spec: + endpoints: + - ip: + address: a.b.c.d + port: 3001 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-2 + namespace: default +spec: + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 + - unix: + path: test.sock + - fqdn: + hostname: foo.bar + port: 8080 diff --git a/internal/cmd/egctl/translate.go b/internal/cmd/egctl/translate.go index 25811d600c3..7be07c4cfe2 100644 --- a/internal/cmd/egctl/translate.go +++ b/internal/cmd/egctl/translate.go @@ -224,7 +224,7 @@ func translate(w io.Writer, inFile, inType string, outTypes []string, output, re if inType == gatewayAPIType { // Unmarshal input - resources, err := resource.LoadResourcesFromYAMLString(string(inBytes), addMissingResources) + resources, err := resource.LoadResourcesFromYAMLBytes(inBytes, addMissingResources) if err != nil { return fmt.Errorf("unable to unmarshal input: %w", err) } diff --git a/internal/cmd/egctl/validate.go b/internal/cmd/egctl/validate.go new file mode 100644 index 00000000000..faae65bdd4a --- /dev/null +++ b/internal/cmd/egctl/validate.go @@ -0,0 +1,71 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package egctl + +import ( + "bytes" + "fmt" + "io" + + "github.com/spf13/cobra" + + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" +) + +func newValidateCommand() *cobra.Command { + var inFile string + + validateCommand := &cobra.Command{ + Use: "validate", + Short: "Validate Gateway API Resources from the given file, return all the errors if got any.", + Example: ` # Validate Gateway API Resources + egctl x validate -f +`, + RunE: func(cmd *cobra.Command, args []string) error { + if len(inFile) == 0 { + return fmt.Errorf("-f/--file must be specified") + } + + return runValidate(cmd.OutOrStdout(), inFile) + }, + } + + validateCommand.PersistentFlags().StringVarP(&inFile, "file", "f", "", "Location of input file.") + if err := validateCommand.MarkPersistentFlagRequired("file"); err != nil { + return nil + } + + return validateCommand +} + +func runValidate(w io.Writer, inFile string) error { + inBytes, err := getInputBytes(inFile) + if err != nil { + return fmt.Errorf("unable to read input file: %w", err) + } + + noErr := true + _ = resource.IterYAMLBytes(inBytes, func(yamlByte []byte) error { + // Passing each resource as YAML string and get all their errors from local validator. + _, err = resource.LoadResourcesFromYAMLBytes(yamlByte, false) + if err != nil { + noErr = false + yamlRows := bytes.Split(yamlByte, []byte("\n")) + if len(yamlRows) > 6 { + yamlRows = append(yamlRows[:6], []byte("...")) + } + _, err = fmt.Fprintf(w, "%s\n%s\n\n", + bytes.Join(yamlRows, []byte("\n")), err.Error()) + } + return nil + }) + + if noErr { + _, err = fmt.Fprintln(w, "\033[32mOK\033[0m") + } + + return err +} diff --git a/internal/cmd/egctl/validate_test.go b/internal/cmd/egctl/validate_test.go new file mode 100644 index 00000000000..c71342e0fcb --- /dev/null +++ b/internal/cmd/egctl/validate_test.go @@ -0,0 +1,94 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package egctl + +import ( + "bytes" + "context" + "io" + "path" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestRunValidate(t *testing.T) { + testCases := []struct { + name string + output string + }{ + { + name: "invalid-resources", + output: `apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg1 + namespace: default +spec: +... +local validation error: Gateway.gateway.networking.k8s.io "eg1" is invalid: spec.listeners[0].port: Invalid value: 88888: spec.listeners[0].port in body should be less than or equal to 65535 + +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg2 + namespace: default +spec: +... +local validation error: Gateway.gateway.networking.k8s.io "eg2" is invalid: [spec.listeners[1]: Duplicate value: map[string]interface {}{"name":"tcp"}, spec.listeners: Invalid value: "array": Listener name must be unique within the Gateway, spec.listeners: Invalid value: "array": Combination of port, protocol and hostname must be unique for each listener] + +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend + namespace: default +spec: +... +local validation error: HTTPRoute.gateway.networking.k8s.io "backend" is invalid: spec.hostnames[0]: Invalid value: ".;'.';[]": spec.hostnames[0] in body should match '^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' + +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-1 + namespace: default +spec: +... +local validation error: Backend.gateway.envoyproxy.io "backend-1" is invalid: spec.endpoints[0].ip.address: Invalid value: "a.b.c.d": spec.endpoints[0].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' + +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-2 + namespace: default +spec: +... +local validation error: Backend.gateway.envoyproxy.io "backend-2" is invalid: spec.endpoints: Invalid value: "array": fqdn addresses cannot be mixed with other address types + +`, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + b := bytes.NewBufferString("") + root := newValidateCommand() + root.SetOut(b) + root.SetErr(b) + args := []string{ + "--file", + path.Join("testdata", "validate", tc.name+".yaml"), + } + + root.SetArgs(args) + err := root.ExecuteContext(context.Background()) + require.NoError(t, err) + + out, err := io.ReadAll(b) + require.NoError(t, err) + require.Equal(t, tc.output, string(out)) + }) + } +} diff --git a/internal/gatewayapi/conformance/suite.go b/internal/gatewayapi/conformance/suite.go index 4fafa008983..90181246b69 100644 --- a/internal/gatewayapi/conformance/suite.go +++ b/internal/gatewayapi/conformance/suite.go @@ -15,6 +15,7 @@ import ( // SkipTests is a list of tests that are skipped in the conformance suite. var SkipTests = []suite.ConformanceTest{ tests.GatewayStaticAddresses, + tests.GatewayInfrastructure, } func skipTestsShortNames(skipTests []suite.ConformanceTest) []string { @@ -27,9 +28,26 @@ func skipTestsShortNames(skipTests []suite.ConformanceTest) []string { // EnvoyGatewaySuite is the conformance suite configuration for the Gateway API. var EnvoyGatewaySuite = suite.ConformanceOptions{ - SupportedFeatures: features.AllFeatures, - ExemptFeatures: sets.New[features.SupportedFeature](). - Insert(features.MeshCoreFeatures.UnsortedList()...). - Insert(features.MeshExtendedFeatures.UnsortedList()...), - SkipTests: skipTestsShortNames(SkipTests), + SupportedFeatures: allFeatures(), + ExemptFeatures: meshFeatures(), + SkipTests: skipTestsShortNames(SkipTests), +} + +func allFeatures() sets.Set[features.FeatureName] { + allFeatures := sets.New[features.FeatureName]() + for _, feature := range features.AllFeatures.UnsortedList() { + allFeatures.Insert(feature.Name) + } + return allFeatures +} + +func meshFeatures() sets.Set[features.FeatureName] { + meshFeatures := sets.New[features.FeatureName]() + for _, feature := range features.MeshCoreFeatures.UnsortedList() { + meshFeatures.Insert(feature.Name) + } + for _, feature := range features.MeshExtendedFeatures.UnsortedList() { + meshFeatures.Insert(feature.Name) + } + return meshFeatures } diff --git a/internal/gatewayapi/conformance/support_level.go b/internal/gatewayapi/conformance/support_level.go index 938b90dcf00..cb3e8d317ae 100644 --- a/internal/gatewayapi/conformance/support_level.go +++ b/internal/gatewayapi/conformance/support_level.go @@ -26,10 +26,18 @@ const ( ) // ExtendedFeatures is a list of supported Gateway-API features that are considered Extended. -var ExtendedFeatures = sets.New[features.SupportedFeature](). - Insert(features.GatewayExtendedFeatures.UnsortedList()...). - Insert(features.HTTPRouteExtendedFeatures.UnsortedList()...). - Insert(features.MeshExtendedFeatures.UnsortedList()...) +var ExtendedFeatures = sets.New[features.FeatureName]() + +func init() { + featureLists := sets.New[features.Feature](). + Insert(features.GatewayExtendedFeatures.UnsortedList()...). + Insert(features.HTTPRouteExtendedFeatures.UnsortedList()...). + Insert(features.MeshExtendedFeatures.UnsortedList()...) + + for _, feature := range featureLists.UnsortedList() { + ExtendedFeatures.Insert(feature.Name) + } +} // GetTestSupportLevel returns the SupportLevel for a conformance test. // The support level is determined by the highest support level of the features. @@ -44,7 +52,7 @@ func GetTestSupportLevel(test suite.ConformanceTest) SupportLevel { } // GetFeatureSupportLevel returns the SupportLevel for a feature. -func GetFeatureSupportLevel(feature features.SupportedFeature) SupportLevel { +func GetFeatureSupportLevel(feature features.FeatureName) SupportLevel { supportLevel := Core if ExtendedFeatures.Has(feature) { diff --git a/internal/gatewayapi/contexts.go b/internal/gatewayapi/contexts.go index 7d6aee73d99..fbd4c588f9b 100644 --- a/internal/gatewayapi/contexts.go +++ b/internal/gatewayapi/contexts.go @@ -76,7 +76,8 @@ type ListenerContext struct { } func (l *ListenerContext) SetSupportedKinds(kinds ...gwapiv1.RouteGroupKind) { - l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds = kinds + l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds = make([]gwapiv1.RouteGroupKind, 0, len(kinds)) + l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds = append(l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds, kinds...) } func (l *ListenerContext) IncrementAttachedRoutes() { diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 9c5626d7524..21cb9142de0 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -82,6 +82,7 @@ var ( PathMatchTypeDerefOr = ptr.Deref[gwapiv1.PathMatchType] GRPCMethodMatchTypeDerefOr = ptr.Deref[gwapiv1.GRPCMethodMatchType] HeaderMatchTypeDerefOr = ptr.Deref[gwapiv1.HeaderMatchType] + GRPCHeaderMatchTypeDerefOr = ptr.Deref[gwapiv1.GRPCHeaderMatchType] QueryParamMatchTypeDerefOr = ptr.Deref[gwapiv1.QueryParamMatchType] ) diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 88667b8ef6d..0c69d7b3097 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -74,6 +74,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource case gwapiv1.UDPProtocolType: t.validateAllowedRoutes(listener, resource.KindUDPRoute) default: + listener.SetSupportedKinds() status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionAccepted, @@ -465,8 +466,9 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *re } return &ir.Metrics{ - EnableVirtualHostStats: envoyproxy.Spec.Telemetry.Metrics.EnableVirtualHostStats, - EnablePerEndpointStats: envoyproxy.Spec.Telemetry.Metrics.EnablePerEndpointStats, + EnableVirtualHostStats: envoyproxy.Spec.Telemetry.Metrics.EnableVirtualHostStats != nil && *envoyproxy.Spec.Telemetry.Metrics.EnableVirtualHostStats, + EnablePerEndpointStats: envoyproxy.Spec.Telemetry.Metrics.EnablePerEndpointStats != nil && *envoyproxy.Spec.Telemetry.Metrics.EnablePerEndpointStats, + EnableRequestResponseSizesStats: envoyproxy.Spec.Telemetry.Metrics.EnableRequestResponseSizesStats != nil && *envoyproxy.Spec.Telemetry.Metrics.EnableRequestResponseSizesStats, }, nil } diff --git a/internal/gatewayapi/resource/fs.go b/internal/gatewayapi/resource/fs.go new file mode 100644 index 00000000000..09fdcb1ab20 --- /dev/null +++ b/internal/gatewayapi/resource/fs.go @@ -0,0 +1,73 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package resource + +import ( + "bytes" + "io" + "io/fs" + "time" + + "github.com/envoyproxy/gateway" // nolint:goimports +) + +var ( + // gatewayCRDsFS is a virtual/mocked FS used for OpenAPI client. + gatewayCRDsFS = memGatewayCRDsFS{} + + _ fs.FS = memGatewayCRDsFS{} + _ fs.ReadDirFile = memGatewayCRDsFile{} + _ fs.FileInfo = memGatewayCRDsFileInfo{} + _ fs.DirEntry = memGatewayCRDsDirEntry{} +) + +// memGatewayCRDsFS is a mocked fs.FS for OpenAPI to read gatewayCRDs from. +type memGatewayCRDsFS struct{} + +func (m memGatewayCRDsFS) Open(_ string) (fs.File, error) { + return &memGatewayCRDsFile{}, nil +} + +// memGatewayCRDsFile is mocked fs.ReadDirFile for memGatewayCRDsFS. +type memGatewayCRDsFile struct{} + +func (m memGatewayCRDsFile) Stat() (fs.FileInfo, error) { + return &memGatewayCRDsFileInfo{}, nil +} + +func (m memGatewayCRDsFile) Close() error { + return nil +} + +func (m memGatewayCRDsFile) Read(b []byte) (int, error) { + fi, _ := m.Stat() + if int64(len(b)) >= fi.Size() { + return bytes.NewReader(envoygateway.GatewayCRDs).Read(b) + } + return 0, io.EOF +} + +func (m memGatewayCRDsFile) ReadDir(_ int) ([]fs.DirEntry, error) { + return []fs.DirEntry{&memGatewayCRDsDirEntry{}}, nil +} + +// memGatewayCRDsDirEntry is a mocked fs.DirEntry for memGatewayCRDsFile. +type memGatewayCRDsDirEntry struct { + memGatewayCRDsFileInfo +} + +func (m memGatewayCRDsDirEntry) Type() fs.FileMode { return 0o444 } +func (m memGatewayCRDsDirEntry) Info() (fs.FileInfo, error) { return &memGatewayCRDsFileInfo{}, nil } + +// memGatewayCRDsFileInfo is a mocked fs.FileInfo for memGatewayCRDsFile. +type memGatewayCRDsFileInfo struct{} + +func (m memGatewayCRDsFileInfo) Name() string { return "gateway-crds.yaml" } +func (m memGatewayCRDsFileInfo) Size() int64 { return int64(len(envoygateway.GatewayCRDs)) } +func (m memGatewayCRDsFileInfo) Mode() fs.FileMode { return 0o444 } +func (m memGatewayCRDsFileInfo) ModTime() time.Time { return time.Now() } +func (m memGatewayCRDsFileInfo) IsDir() bool { return false } +func (m memGatewayCRDsFileInfo) Sys() any { return nil } diff --git a/internal/gatewayapi/resource/fs_test.go b/internal/gatewayapi/resource/fs_test.go new file mode 100644 index 00000000000..c8742a02c84 --- /dev/null +++ b/internal/gatewayapi/resource/fs_test.go @@ -0,0 +1,46 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package resource + +import ( + "io/fs" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/envoyproxy/gateway" // nolint:goimports +) + +func TestOpenAndReadGatewayCRDsFS(t *testing.T) { + crds, err := gatewayCRDsFS.Open("") + require.NoError(t, err) + defer crds.Close() + + buf := make([]byte, len(envoygateway.GatewayCRDs)) + cur, err := crds.Read(buf) + require.NoError(t, err) + require.Positive(t, cur) +} + +func TestReadGatewayCRDsDirFS(t *testing.T) { + dirEntries, err := fs.ReadDir(gatewayCRDsFS, ".") + require.NoError(t, err) + require.Len(t, dirEntries, 1) + + dirEntry := dirEntries[0] + require.Equal(t, fs.FileMode(0o444), dirEntry.Type()) + + fileInfo, err := dirEntry.Info() + require.NoError(t, err) + require.Equal(t, "gateway-crds.yaml", fileInfo.Name()) + require.NotNil(t, fileInfo.ModTime()) + require.Nil(t, fileInfo.Sys()) + require.False(t, fileInfo.IsDir()) + + fileBytes, err := fs.ReadFile(gatewayCRDsFS, fileInfo.Name()) + require.NoError(t, err) + require.Equal(t, fileInfo.Size(), int64(len(fileBytes))) +} diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go index 317ad93418c..2445a459c74 100644 --- a/internal/gatewayapi/resource/load.go +++ b/internal/gatewayapi/resource/load.go @@ -6,14 +6,18 @@ package resource import ( + "bufio" + "bytes" + "errors" "fmt" + "io" "reflect" - "strings" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/util/sets" + utilyaml "k8s.io/apimachinery/pkg/util/yaml" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" "sigs.k8s.io/yaml" @@ -21,18 +25,16 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/xds/bootstrap" ) const dummyClusterIP = "1.2.3.4" -// LoadResourcesFromYAMLString will load Resources from given Kubernetes YAML string. -// TODO: This function should be able to process arbitrary number of resources, -// -// tracked by https://github.com/envoyproxy/gateway/issues/3207 -func LoadResourcesFromYAMLString(yamlStr string, addMissingResources bool) (*Resources, error) { - // TODO(sh2): Add local validations - r, err := kubernetesYAMLToResources(yamlStr, addMissingResources) +// LoadResourcesFromYAMLBytes will load Resources from given Kubernetes YAML string. +// TODO: This function should be able to process arbitrary number of resources, tracked by https://github.com/envoyproxy/gateway/issues/3207. +func LoadResourcesFromYAMLBytes(yamlBytes []byte, addMissingResources bool) (*Resources, error) { + r, err := loadKubernetesYAMLToResources(yamlBytes, addMissingResources) if err != nil { return nil, err } @@ -40,48 +42,57 @@ func LoadResourcesFromYAMLString(yamlStr string, addMissingResources bool) (*Res return r, nil } -// kubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. -func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources, error) { +// loadKubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. +// TODO: add support for kind: +// - Backend (gateway.envoyproxy.io/v1alpha1) +// - EnvoyExtensionPolicy (gateway.envoyproxy.io/v1alpha1) +// - HTTPRouteFilter (gateway.envoyproxy.io/v1alpha1) +// - BackendLPPolicy (gateway.networking.k8s.io/v1alpha2) +// - BackendTLSPolicy (gateway.networking.k8s.io/v1alpha3) +// - ReferenceGrant (gateway.networking.k8s.io/v1alpha2) +// - TLSRoute (gateway.networking.k8s.io/v1alpha2) +func loadKubernetesYAMLToResources(input []byte, addMissingResources bool) (*Resources, error) { resources := NewResources() var useDefaultNamespace bool providedNamespaceMap := sets.New[string]() requiredNamespaceMap := sets.New[string]() - yamls := strings.Split(str, "\n---") combinedScheme := envoygateway.GetScheme() - for _, y := range yamls { - if strings.TrimSpace(y) == "" { - continue - } + + if err := IterYAMLBytes(input, func(yamlByte []byte) error { var obj map[string]interface{} - err := yaml.Unmarshal([]byte(y), &obj) + err := yaml.Unmarshal(yamlByte, &obj) if err != nil { - return nil, err + return err } un := unstructured.Unstructured{Object: obj} gvk := un.GroupVersionKind() name, namespace := un.GetName(), un.GetNamespace() - if namespace == "" { - // When kubectl applies a resource in yaml which doesn't have a namespace, - // the current namespace is applied. Here we do the same thing before translating - // the GatewayAPI resource. Otherwise, the resource can't pass the namespace validation + if len(namespace) == 0 { useDefaultNamespace = true namespace = config.DefaultNamespace } + // Perform local validation for gateway-api related resources only. + if gvk.Group == egv1a1.GroupName || gvk.Group == gwapiv1.GroupName { + if err = defaultValidator.Validate(yamlByte); err != nil { + return fmt.Errorf("local validation error: %w", err) + } + } + requiredNamespaceMap.Insert(namespace) kobj, err := combinedScheme.New(gvk) if err != nil { - return nil, err + return err } err = combinedScheme.Convert(&un, kobj, nil) if err != nil { - return nil, err + return err } objType := reflect.TypeOf(kobj) if objType.Kind() != reflect.Ptr { - return nil, fmt.Errorf("expected pointer type, but got %s", objType.Kind().String()) + return fmt.Errorf("expected pointer type, but got %s", objType.Kind().String()) } kobjVal := reflect.ValueOf(kobj).Elem() spec := kobjVal.FieldByName("Spec") @@ -90,6 +101,9 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources case KindEnvoyProxy: typedSpec := spec.Interface() envoyProxy := &egv1a1.EnvoyProxy{ + TypeMeta: metav1.TypeMeta{ + Kind: KindEnvoyProxy, + }, ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: namespace, @@ -101,6 +115,9 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources case KindGatewayClass: typedSpec := spec.Interface() gatewayClass := &gwapiv1.GatewayClass{ + TypeMeta: metav1.TypeMeta{ + Kind: KindGatewayClass, + }, ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: namespace, @@ -115,6 +132,9 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources case KindGateway: typedSpec := spec.Interface() gateway := &gwapiv1.Gateway{ + TypeMeta: metav1.TypeMeta{ + Kind: KindGateway, + }, ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: namespace, @@ -213,12 +233,11 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources typedSpec := spec.Interface() envoyPatchPolicy := &egv1a1.EnvoyPatchPolicy{ TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindEnvoyPatchPolicy, - APIVersion: egv1a1.GroupVersion.String(), + Kind: egv1a1.KindEnvoyPatchPolicy, }, ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, Name: name, + Namespace: namespace, }, Spec: typedSpec.(egv1a1.EnvoyPatchPolicySpec), } @@ -227,12 +246,11 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources typedSpec := spec.Interface() clientTrafficPolicy := &egv1a1.ClientTrafficPolicy{ TypeMeta: metav1.TypeMeta{ - Kind: KindClientTrafficPolicy, - APIVersion: egv1a1.GroupVersion.String(), + Kind: KindClientTrafficPolicy, }, ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, Name: name, + Namespace: namespace, }, Spec: typedSpec.(egv1a1.ClientTrafficPolicySpec), } @@ -241,12 +259,11 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources typedSpec := spec.Interface() backendTrafficPolicy := &egv1a1.BackendTrafficPolicy{ TypeMeta: metav1.TypeMeta{ - Kind: KindBackendTrafficPolicy, - APIVersion: egv1a1.GroupVersion.String(), + Kind: KindBackendTrafficPolicy, }, ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, Name: name, + Namespace: namespace, }, Spec: typedSpec.(egv1a1.BackendTrafficPolicySpec), } @@ -255,12 +272,11 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources typedSpec := spec.Interface() securityPolicy := &egv1a1.SecurityPolicy{ TypeMeta: metav1.TypeMeta{ - Kind: KindSecurityPolicy, - APIVersion: egv1a1.GroupVersion.String(), + Kind: KindSecurityPolicy, }, ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, Name: name, + Namespace: namespace, }, Spec: typedSpec.(egv1a1.SecurityPolicySpec), } @@ -280,6 +296,10 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources } resources.HTTPRouteFilters = append(resources.HTTPRouteFilters, httpRouteFilter) } + + return nil + }); err != nil { + return nil, err } if useDefaultNamespace { @@ -352,7 +372,7 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources } } - // Add EnvoyProxy if it does not exist + // Add EnvoyProxy if it does not exist. if resources.EnvoyProxyForGatewayClass == nil { if err := addDefaultEnvoyProxy(resources); err != nil { return nil, err @@ -365,7 +385,7 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources func addMissingServices(requiredServices map[string]*corev1.Service, obj interface{}) { var objNamespace string - protocol := corev1.Protocol("TCP") + protocol := ir.TCPProtocolType var refs []gwapiv1.BackendRef switch route := obj.(type) { @@ -394,7 +414,7 @@ func addMissingServices(requiredServices map[string]*corev1.Service, obj interfa refs = append(refs, rule.BackendRefs...) } case *gwapiv1a2.UDPRoute: - protocol = "UDP" + protocol = ir.UDPProtocolType objNamespace = route.Namespace for _, rule := range route.Spec.Rules { refs = append(refs, rule.BackendRefs...) @@ -416,7 +436,7 @@ func addMissingServices(requiredServices map[string]*corev1.Service, obj interfa port := int32(*ref.Port) servicePort := corev1.ServicePort{ Name: fmt.Sprintf("%s-%d", protocol, port), - Protocol: protocol, + Protocol: corev1.Protocol(protocol), Port: port, } if service, found := requiredServices[key]; !found { @@ -480,3 +500,21 @@ func addDefaultEnvoyProxy(resources *Resources) error { } return nil } + +// IterYAMLBytes iters every valid YAML resource from YAML bytes +// and process each of them by calling `handle` callback. +func IterYAMLBytes(input []byte, handle func([]byte) error) error { + reader := utilyaml.NewYAMLReader(bufio.NewReader(bytes.NewBuffer(input))) + for { + yamlBytes, err := reader.Read() + if errors.Is(err, io.EOF) || len(yamlBytes) == 0 { + break + } else if err != nil { + return err + } + if err = handle(yamlBytes); err != nil { + return err + } + } + return nil +} diff --git a/internal/gatewayapi/resource/load_test.go b/internal/gatewayapi/resource/load_test.go new file mode 100644 index 00000000000..df3629251e9 --- /dev/null +++ b/internal/gatewayapi/resource/load_test.go @@ -0,0 +1,39 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package resource + +import ( + "testing" + + "github.com/stretchr/testify/require" + "sigs.k8s.io/yaml" +) + +func TestIterYAMLBytes(t *testing.T) { + inputs := `test: foo1 +--- +test: foo2 +--- +# This is comment. +test: foo3 +--- +--- +` + + names := make([]string, 0) + err := IterYAMLBytes([]byte(inputs), func(bytes []byte) error { + var obj map[string]string + err := yaml.Unmarshal(bytes, &obj) + require.NoError(t, err) + + if name, ok := obj["test"]; ok { + names = append(names, name) + } + return nil + }) + require.NoError(t, err) + require.ElementsMatch(t, names, []string{"foo1", "foo2", "foo3"}) +} diff --git a/internal/gatewayapi/resource/validator.go b/internal/gatewayapi/resource/validator.go new file mode 100644 index 00000000000..beac7564e2a --- /dev/null +++ b/internal/gatewayapi/resource/validator.go @@ -0,0 +1,30 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package resource + +import ( + kvalidate "sigs.k8s.io/kubectl-validate/pkg/cmd" + "sigs.k8s.io/kubectl-validate/pkg/openapiclient" + "sigs.k8s.io/kubectl-validate/pkg/validator" +) + +var defaultValidator = newDefaultValidator() + +// Validator is a local/offline Kubernetes resources validator. +type Validator struct { + resolver *validator.Validator +} + +// newDefaultValidator init a default validator for internal usage. +func newDefaultValidator() *Validator { + factory, _ := validator.New(openapiclient.NewLocalCRDFiles(gatewayCRDsFS)) + return &Validator{resolver: factory} +} + +// Validate validates one Kubernetes resource. +func (v Validator) Validate(content []byte) error { + return kvalidate.ValidateDocument(content, v.resolver) +} diff --git a/internal/gatewayapi/resource/validator_test.go b/internal/gatewayapi/resource/validator_test.go new file mode 100644 index 00000000000..bbcd267dce3 --- /dev/null +++ b/internal/gatewayapi/resource/validator_test.go @@ -0,0 +1,31 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package resource + +import ( + "testing" + + "github.com/stretchr/testify/require" + "sigs.k8s.io/kubectl-validate/pkg/openapiclient" +) + +func TestNewOpenAPIClient(t *testing.T) { + apiClient := openapiclient.NewLocalCRDFiles(gatewayCRDsFS) + gvs, err := apiClient.Paths() + require.NoError(t, err) + + groups := make([]string, 0, len(gvs)) + for g := range gvs { + groups = append(groups, g) + } + require.ElementsMatch(t, groups, []string{ + "apis/gateway.envoyproxy.io/v1alpha1", + "apis/gateway.networking.k8s.io/v1", + "apis/gateway.networking.k8s.io/v1alpha2", + "apis/gateway.networking.k8s.io/v1alpha3", + "apis/gateway.networking.k8s.io/v1beta1", + }) +} diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 743337591bb..1239caadc91 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -608,13 +608,13 @@ func (t *Translator) processGRPCRouteRule(grpcRoute *GRPCRouteContext, ruleIdx i } for _, headerMatch := range match.Headers { - switch HeaderMatchTypeDerefOr(headerMatch.Type, gwapiv1.HeaderMatchExact) { - case gwapiv1.HeaderMatchExact: + switch GRPCHeaderMatchTypeDerefOr(headerMatch.Type, gwapiv1.GRPCHeaderMatchExact) { + case gwapiv1.GRPCHeaderMatchExact: irRoute.HeaderMatches = append(irRoute.HeaderMatches, &ir.StringMatch{ Name: string(headerMatch.Name), Exact: ptr.To(headerMatch.Value), }) - case gwapiv1.HeaderMatchRegularExpression: + case gwapiv1.GRPCHeaderMatchRegularExpression: if err := regex.Validate(headerMatch.Value); err != nil { return nil, err } diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index f9068b68dcf..f8f7b2a6965 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -564,6 +564,7 @@ func (r *Runner) tlsConfig() (*tls.Config, error) { // Configure the server to require client certificates return &tls.Config{ Certificates: []tls.Certificate{serverCert}, + NextProtos: []string{"h2"}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caCertPool, MinVersion: tls.VersionTLS13, diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 86d39602f01..2ab9670d501 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -942,6 +942,8 @@ func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Auth principal.ClientCIDRs = append(principal.ClientCIDRs, cidrMatch) } + principal.JWT = rule.Principal.JWT + var name string if rule.Name != nil && *rule.Name != "" { name = *rule.Name diff --git a/internal/gatewayapi/status/gatewayclass.go b/internal/gatewayapi/status/gatewayclass.go index 490fc61b9fe..ee49b49345d 100644 --- a/internal/gatewayapi/status/gatewayclass.go +++ b/internal/gatewayapi/status/gatewayclass.go @@ -82,12 +82,19 @@ func getSupportedFeatures(gatewaySuite suite.ConformanceOptions, skippedTests [] ret := sets.New[gwapiv1.SupportedFeature]() for _, feature := range supportedFeatures.UnsortedList() { - ret.Insert(gwapiv1.SupportedFeature(feature)) + ret.Insert(gwapiv1.SupportedFeature{ + Name: gwapiv1.FeatureName(feature), + }) } - return sets.List(ret) + + var featureList []gwapiv1.SupportedFeature + for feature := range ret { + featureList = append(featureList, feature) + } + return featureList } -func getUnsupportedFeatures(gatewaySuite suite.ConformanceOptions, skippedTests []suite.ConformanceTest) []features.SupportedFeature { +func getUnsupportedFeatures(gatewaySuite suite.ConformanceOptions, skippedTests []suite.ConformanceTest) []features.FeatureName { unsupportedFeatures := gatewaySuite.ExemptFeatures.UnsortedList() for _, skippedTest := range skippedTests { diff --git a/internal/gatewayapi/status/gatewayclass_test.go b/internal/gatewayapi/status/gatewayclass_test.go index f2a9dfa42e1..c9f573c9250 100644 --- a/internal/gatewayapi/status/gatewayclass_test.go +++ b/internal/gatewayapi/status/gatewayclass_test.go @@ -80,63 +80,76 @@ func TestGetSupportedFeatures(t *testing.T) { { name: "No exempt features", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute"), - ExemptFeatures: sets.New[features.SupportedFeature](), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), + ExemptFeatures: sets.New[features.FeatureName](), + }, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + {Name: "HTTPRoute"}, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway", "HTTPRoute"}, }, { name: "All features exempt", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute"), - ExemptFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), + ExemptFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), }, expectedResult: []gwapiv1.SupportedFeature{}, }, { name: "Some features exempt", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute", "GRPCRoute"), - ExemptFeatures: sets.New[features.SupportedFeature]("GRPCRoute"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute", "GRPCRoute"), + ExemptFeatures: sets.New[features.FeatureName]("GRPCRoute"), + }, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + {Name: "HTTPRoute"}, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway", "HTTPRoute"}, }, { name: "Some features exempt with skipped tests", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute", "GRPCRoute"), - ExemptFeatures: sets.New[features.SupportedFeature]("GRPCRoute"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute", "GRPCRoute"), + ExemptFeatures: sets.New[features.FeatureName]("GRPCRoute"), }, skippedTests: []suite.ConformanceTest{ { - Features: []features.SupportedFeature{"HTTPRoute"}, + Features: []features.FeatureName{"HTTPRoute"}, }, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway"}, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + }, }, { name: "Core features remain supported with skipped extended tests", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute", "GatewayHTTPListenerIsolation"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute", "GatewayHTTPListenerIsolation"), }, skippedTests: []suite.ConformanceTest{ { - Features: []features.SupportedFeature{"Gateway", "GatewayHTTPListenerIsolation", "HTTPRoute"}, + Features: []features.FeatureName{"Gateway", "GatewayHTTPListenerIsolation", "HTTPRoute"}, }, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway", "HTTPRoute"}, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + {Name: "HTTPRoute"}, + }, }, { name: "Core feature removed when skipping core test", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), }, skippedTests: []suite.ConformanceTest{ { - Features: []features.SupportedFeature{"HTTPRoute"}, + Features: []features.FeatureName{"HTTPRoute"}, }, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway"}, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + }, }, } diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml index 262d55065a9..4bff8f998d5 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml @@ -144,4 +144,5 @@ xdsIR: port: 10080 metrics: enablePerEndpointStats: false + enableRequestResponseSizesStats: false enableVirtualHostStats: false diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.in.yaml new file mode 100644 index 00000000000..e958af1e119 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.in.yaml @@ -0,0 +1,82 @@ +envoyProxyForGatewayClass: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + namespace: envoy-gateway-system + name: test + spec: + telemetry: + metrics: + sinks: + - type: OpenTelemetry + openTelemetry: + backendRefs: + - name: otel-collector + namespace: monitoring + port: 4317 + enableVirtualHostStats: true + enablePerEndpointStats: true + enableRequestResponseSizesStats: true + provider: + type: Kubernetes + kubernetes: + envoyService: + type: LoadBalancer + envoyDeployment: + replicas: 2 + container: + env: + - name: env_a + value: env_a_value + - name: env_b + value: env_b_name + image: "envoyproxy/envoy:distroless-dev" + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + runAsUser: 2000 + allowPrivilegeEscalation: false + pod: + annotations: + key1: val1 + key2: val2 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cloud.google.com/gke-nodepool + operator: In + values: + - router-node + tolerations: + - effect: NoSchedule + key: node-type + operator: Exists + value: "router" + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + fsGroupChangePolicy: "OnRootMismatch" + volumes: + - name: certs + secret: + secretName: envoy-cert +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: Same diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml new file mode 100644 index 00000000000..7605114bf22 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml @@ -0,0 +1,151 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway-system + spec: + logging: {} + provider: + kubernetes: + envoyDeployment: + container: + env: + - name: env_a + value: env_a_value + - name: env_b + value: env_b_name + image: envoyproxy/envoy:distroless-dev + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + runAsUser: 2000 + pod: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cloud.google.com/gke-nodepool + operator: In + values: + - router-node + annotations: + key1: val1 + key2: val2 + securityContext: + fsGroup: 2000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 3000 + runAsUser: 1000 + tolerations: + - effect: NoSchedule + key: node-type + operator: Exists + value: router + volumes: + - name: certs + secret: + secretName: envoy-cert + replicas: 2 + envoyService: + type: LoadBalancer + type: Kubernetes + telemetry: + metrics: + enablePerEndpointStats: true + enableRequestResponseSizesStats: true + enableVirtualHostStats: true + sinks: + - openTelemetry: + backendRefs: + - name: otel-collector + namespace: monitoring + port: 4317 + type: OpenTelemetry + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + metrics: + enablePerEndpointStats: true + enableRequestResponseSizesStats: true + enableVirtualHostStats: true diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml index 123a0171cb6..0875ec2454d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml @@ -34,7 +34,7 @@ gateways: status: "True" type: ResolvedRefs name: unsupported - supportedKinds: null + supportedKinds: [] httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.in.yaml similarity index 100% rename from internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml rename to internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.in.yaml diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml similarity index 100% rename from internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml rename to internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.in.yaml new file mode 100644 index 00000000000..b9aec9c8fd8 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.in.yaml @@ -0,0 +1,74 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/foo" + backendRefs: + - name: service-1 + port: 8080 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: envoy-gateway + name: policy-for-gateway # This policy should attach httproute-2 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + jwt: + providers: + - name: example1 + issuer: https://two.example.com + audiences: + - two.foo.com + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + authorization: + defaultAction: Deny + rules: + - name: "allow-jwt-claim" + action: Deny + principal: + jwt: + provider: example1 + scopes: + - "foo" + - "bar" + claims: + - name: "sub" + values: + - "1234567890" + - name: "roles" + valueType: "StringArray" + values: + - "admin" + - "superuser" diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml new file mode 100644 index 00000000000..ed422e70031 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml @@ -0,0 +1,220 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: envoy-gateway + spec: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-jwt-claim + principal: + jwt: + claims: + - name: sub + values: + - "1234567890" + - name: roles + valueType: StringArray + values: + - admin + - superuser + provider: example1 + scopes: + - foo + - bar + jwt: + providers: + - audiences: + - two.foo.com + issuer: https://two.example.com + name: example1 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-jwt-claim + principal: + jwt: + claims: + - name: sub + values: + - "1234567890" + - name: roles + valueType: StringArray + values: + - admin + - superuser + provider: example1 + scopes: + - foo + - bar + jwt: + providers: + - audiences: + - two.foo.com + issuer: https://two.example.com + name: example1 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json diff --git a/internal/globalratelimit/runner/runner.go b/internal/globalratelimit/runner/runner.go index ffccb1ab3a3..baaaaacd6b7 100644 --- a/internal/globalratelimit/runner/runner.go +++ b/internal/globalratelimit/runner/runner.go @@ -213,6 +213,7 @@ func (r *Runner) tlsConfig(cert, key, ca string) *tls.Config { return &tls.Config{ Certificates: []tls.Certificate{cert}, + NextProtos: []string{"h2"}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: certPool, MinVersion: tls.VersionTLS13, diff --git a/internal/infrastructure/kubernetes/infra.go b/internal/infrastructure/kubernetes/infra.go index 6d90b3ac342..fed1f17cbe7 100644 --- a/internal/infrastructure/kubernetes/infra.go +++ b/internal/infrastructure/kubernetes/infra.go @@ -17,8 +17,14 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy" + "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit" ) +var _ ResourceRender = &proxy.ResourceRender{} + +var _ ResourceRender = &ratelimit.ResourceRender{} + // ResourceRender renders Kubernetes infrastructure resources // based on Infra IR resources. type ResourceRender interface { @@ -27,9 +33,13 @@ type ResourceRender interface { Service() (*corev1.Service, error) ConfigMap() (*corev1.ConfigMap, error) Deployment() (*appsv1.Deployment, error) + DeploymentSpec() (*egv1a1.KubernetesDeploymentSpec, error) DaemonSet() (*appsv1.DaemonSet, error) + DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPodAutoscaler, error) + HorizontalPodAutoscalerSpec() (*egv1a1.KubernetesHorizontalPodAutoscalerSpec, error) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, error) + PodDisruptionBudgetSpec() (*egv1a1.KubernetesPodDisruptionBudgetSpec, error) } // Infra manages the creation and deletion of Kubernetes infrastructure diff --git a/internal/infrastructure/kubernetes/infra_resource.go b/internal/infrastructure/kubernetes/infra_resource.go index bf32ecfd127..9966f5ebdd4 100644 --- a/internal/infrastructure/kubernetes/infra_resource.go +++ b/internal/infrastructure/kubernetes/infra_resource.go @@ -90,6 +90,11 @@ func (i *Infra) createOrUpdateConfigMap(ctx context.Context, r ResourceRender) ( // createOrUpdateDeployment creates a Deployment in the kube api server based on the provided // ResourceRender, if it doesn't exist and updates it if it does. func (i *Infra) createOrUpdateDeployment(ctx context.Context, r ResourceRender) (err error) { + // If deployment config is nil,ignore Deployment. + if deploymentConfig, er := r.DeploymentSpec(); deploymentConfig == nil { + return er + } + var ( deployment *appsv1.Deployment startTime = time.Now() @@ -166,6 +171,11 @@ func (i *Infra) createOrUpdateDeployment(ctx context.Context, r ResourceRender) // createOrUpdateDaemonSet creates a DaemonSet in the kube api server based on the provided // ResourceRender, if it doesn't exist and updates it if it does. func (i *Infra) createOrUpdateDaemonSet(ctx context.Context, r ResourceRender) (err error) { + // If daemonset config is nil, ignore DaemonSet. + if daemonSetConfig, er := r.DaemonSetSpec(); daemonSetConfig == nil { + return er + } + var ( daemonSet *appsv1.DaemonSet startTime = time.Now() @@ -248,6 +258,11 @@ func isSelectorMatch(labelselector *metav1.LabelSelector, l map[string]string) ( } func (i *Infra) createOrUpdatePodDisruptionBudget(ctx context.Context, r ResourceRender) (err error) { + // If podDisruptionBudget config is nil or MinAvailable is nil, ignore PodDisruptionBudget. + if podDisruptionBudget, er := r.PodDisruptionBudgetSpec(); podDisruptionBudget == nil { + return er + } + var ( pdb *policyv1.PodDisruptionBudget startTime = time.Now() @@ -285,6 +300,11 @@ func (i *Infra) createOrUpdatePodDisruptionBudget(ctx context.Context, r Resourc // the provided ResourceRender, if it doesn't exist and updates it if it does, // and delete hpa if not set. func (i *Infra) createOrUpdateHPA(ctx context.Context, r ResourceRender) (err error) { + // If hpa config is nil, ignore HorizontalPodAutoscaler. + if hpaConfig, er := r.HorizontalPodAutoscalerSpec(); hpaConfig == nil { + return er + } + var ( hpa *autoscalingv2.HorizontalPodAutoscaler startTime = time.Now() @@ -380,6 +400,11 @@ func (i *Infra) deleteServiceAccount(ctx context.Context, r ResourceRender) (err // deleteDeployment deletes the Envoy Deployment in the kube api server, if it exists. func (i *Infra) deleteDeployment(ctx context.Context, r ResourceRender) (err error) { + // If deployment config is nil,ignore Deployment. + if deploymentConfig, er := r.DeploymentSpec(); deploymentConfig == nil { + return er + } + var ( name, ns = r.Name(), i.Namespace deployment = &appsv1.Deployment{ @@ -410,6 +435,11 @@ func (i *Infra) deleteDeployment(ctx context.Context, r ResourceRender) (err err // deleteDaemonSet deletes the Envoy DaemonSet in the kube api server, if it exists. func (i *Infra) deleteDaemonSet(ctx context.Context, r ResourceRender) (err error) { + // If daemonset config is nil, ignore DaemonSet. + if daemonSetConfig, er := r.DaemonSetSpec(); daemonSetConfig == nil { + return er + } + var ( name, ns = r.Name(), i.Namespace daemonSet = &appsv1.DaemonSet{ @@ -500,6 +530,11 @@ func (i *Infra) deleteService(ctx context.Context, r ResourceRender) (err error) // deleteHpa deletes the Horizontal Pod Autoscaler associated to its renderer, if it exists. func (i *Infra) deleteHPA(ctx context.Context, r ResourceRender) (err error) { + // If hpa config is nil, ignore HorizontalPodAutoscaler. + if hpaConfig, er := r.HorizontalPodAutoscalerSpec(); hpaConfig == nil { + return er + } + var ( name, ns = r.Name(), i.Namespace hpa = &autoscalingv2.HorizontalPodAutoscaler{ @@ -530,6 +565,11 @@ func (i *Infra) deleteHPA(ctx context.Context, r ResourceRender) (err error) { // deletePDB deletes the PodDistribution budget associated to its renderer, if it exists. func (i *Infra) deletePDB(ctx context.Context, r ResourceRender) (err error) { + // If podDisruptionBudget config is nil or MinAvailable is nil, ignore PodDisruptionBudget. + if podDisruptionBudget, er := r.PodDisruptionBudgetSpec(); podDisruptionBudget == nil { + return er + } + var ( name, ns = r.Name(), i.Namespace pdb = &policyv1.PodDisruptionBudget{ diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index 27edd2949b3..768ed7514ba 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -205,8 +205,8 @@ func (r *ResourceRender) stableSelector() *metav1.LabelSelector { return resource.GetSelector(envoyLabels(labels)) } -// Deployment returns the expected Deployment based on the provided infra. -func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { +// DeploymentSpec returns the `Deployment` sets spec. +func (r *ResourceRender) DeploymentSpec() (*egv1a1.KubernetesDeploymentSpec, error) { proxyConfig := r.infra.GetProxyConfig() // Get the EnvoyProxy config to configure the deployment. @@ -214,13 +214,21 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { if provider.Type != egv1a1.ProviderTypeKubernetes { return nil, fmt.Errorf("invalid provider type %v for Kubernetes infra manager", provider.Type) } + deploymentConfig := provider.GetEnvoyProxyKubeProvider().EnvoyDeployment - // If deployment config is nil, it's not Deployment installation. + return deploymentConfig, nil +} + +// Deployment returns the expected Deployment based on the provided infra. +func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { + deploymentConfig, er := r.DeploymentSpec() + // If deployment config is nil,ignore Deployment. if deploymentConfig == nil { - return nil, nil + return nil, er } + proxyConfig := r.infra.GetProxyConfig() // Get expected bootstrap configurations rendered ProxyContainers containers, err := expectedProxyContainers(r.infra, deploymentConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager) if err != nil { @@ -286,6 +294,8 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { deployment.ObjectMeta.Name = r.Name() } + provider := proxyConfig.GetEnvoyProxyProvider() + // omit the deployment replicas if HPA is being set if provider.GetEnvoyProxyKubeProvider().EnvoyHpa != nil { deployment.Spec.Replicas = nil @@ -299,7 +309,8 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { return deployment, nil } -func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { +// DaemonSetSpec returns the `DaemonSet` sets spec. +func (r *ResourceRender) DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) { proxyConfig := r.infra.GetProxyConfig() // Get the EnvoyProxy config to configure the daemonset. @@ -308,13 +319,18 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { return nil, fmt.Errorf("invalid provider type %v for Kubernetes infra manager", provider.Type) } - daemonSetConfig := provider.GetEnvoyProxyKubeProvider().EnvoyDaemonSet + return provider.GetEnvoyProxyKubeProvider().EnvoyDaemonSet, nil +} - // If daemonset config is nil, it's not DaemonSet installation. +func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { + daemonSetConfig, err := r.DaemonSetSpec() + // If daemonset config is nil, ignore DaemonSet. if daemonSetConfig == nil { - return nil, nil + return nil, err } + proxyConfig := r.infra.GetProxyConfig() + // Get expected bootstrap configurations rendered ProxyContainers containers, err := expectedProxyContainers(r.infra, daemonSetConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager) if err != nil { @@ -369,7 +385,8 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { return daemonSet, nil } -func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, error) { +// PodDisruptionBudgetSpec returns the `PodDisruptionBudget` sets spec. +func (r *ResourceRender) PodDisruptionBudgetSpec() (*egv1a1.KubernetesPodDisruptionBudgetSpec, error) { provider := r.infra.GetProxyConfig().GetEnvoyProxyProvider() if provider.Type != egv1a1.ProviderTypeKubernetes { return nil, fmt.Errorf("invalid provider type %v for Kubernetes infra manager", provider.Type) @@ -380,6 +397,16 @@ func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, e return nil, nil } + return podDisruptionBudget, nil +} + +func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, error) { + podDisruptionBudget, er := r.PodDisruptionBudgetSpec() + // If podDisruptionBudget config is nil or MinAvailable is nil, ignore PodDisruptionBudget. + if podDisruptionBudget == nil { + return nil, er + } + return &policyv1.PodDisruptionBudget{ ObjectMeta: metav1.ObjectMeta{ Name: r.Name(), @@ -396,15 +423,22 @@ func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, e }, nil } -func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPodAutoscaler, error) { +// HorizontalPodAutoscalerSpec returns the `HorizontalPodAutoscaler` sets spec. +func (r *ResourceRender) HorizontalPodAutoscalerSpec() (*egv1a1.KubernetesHorizontalPodAutoscalerSpec, error) { provider := r.infra.GetProxyConfig().GetEnvoyProxyProvider() if provider.Type != egv1a1.ProviderTypeKubernetes { return nil, fmt.Errorf("invalid provider type %v for Kubernetes infra manager", provider.Type) } hpaConfig := provider.GetEnvoyProxyKubeProvider().EnvoyHpa + return hpaConfig, nil +} + +func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPodAutoscaler, error) { + hpaConfig, err := r.HorizontalPodAutoscalerSpec() + // If hpa config is nil, ignore HorizontalPodAutoscaler. if hpaConfig == nil { - return nil, nil + return nil, err } hpa := &autoscalingv2.HorizontalPodAutoscaler{ @@ -430,6 +464,8 @@ func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPod }, } + provider := r.infra.GetProxyConfig().GetEnvoyProxyProvider() + // set deployment target ref name deploymentConfig := provider.GetEnvoyProxyKubeProvider().EnvoyDeployment if deploymentConfig.Name != nil { diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index e7519bb2569..50c5c8bf7f2 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go @@ -9,6 +9,7 @@ import ( _ "embed" "strconv" + "golang.org/x/exp/maps" appsv1 "k8s.io/api/apps/v1" autoscalingv2 "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" @@ -183,22 +184,43 @@ func (r *ResourceRender) ServiceAccount() (*corev1.ServiceAccount, error) { return sa, nil } +// DeploymentSpec returns the `Deployment` sets spec. +func (r *ResourceRender) DeploymentSpec() (*egv1a1.KubernetesDeploymentSpec, error) { + return r.rateLimitDeployment, nil +} + // Deployment returns the expected rate limit Deployment based on the provided infra. func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { + // If deployment config is nil,ignore Deployment. + if deploymentConfig, er := r.DeploymentSpec(); deploymentConfig == nil { + return nil, er + } + containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment, r.Namespace) - labels := rateLimitLabels() - selector := resource.GetSelector(labels) + selector := resource.GetSelector(rateLimitLabels()) + + podLabels := rateLimitLabels() + if r.rateLimitDeployment.Pod.Labels != nil { + maps.Copy(podLabels, r.rateLimitDeployment.Pod.Labels) + // Copy overwrites values in the dest map if they exist in the src map https://pkg.go.dev/maps#Copy + // It's applied again with the rateLimitLabels that are used as deployment selector to ensure those are not overwritten by user input + maps.Copy(podLabels, rateLimitLabels()) + } - var annotations map[string]string + var podAnnotations map[string]string if enablePrometheus(r.rateLimit) { - annotations = map[string]string{ + podAnnotations = map[string]string{ "prometheus.io/path": "/metrics", "prometheus.io/port": strconv.Itoa(PrometheusPort), "prometheus.io/scrape": "true", } } if r.rateLimitDeployment.Pod.Annotations != nil { - annotations = r.rateLimitDeployment.Pod.Annotations + if podAnnotations != nil { + maps.Copy(podAnnotations, r.rateLimitDeployment.Pod.Annotations) + } else { + podAnnotations = r.rateLimitDeployment.Pod.Annotations + } } deployment := &appsv1.Deployment{ @@ -208,7 +230,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { }, ObjectMeta: metav1.ObjectMeta{ Namespace: r.Namespace, - Labels: labels, + Labels: rateLimitLabels(), }, Spec: appsv1.DeploymentSpec{ Replicas: r.rateLimitDeployment.Replicas, @@ -216,8 +238,8 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { Selector: selector, Template: corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ - Labels: selector.MatchLabels, - Annotations: annotations, + Labels: podLabels, + Annotations: podAnnotations, }, Spec: corev1.PodSpec{ Containers: containers, @@ -270,15 +292,30 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { return deployment, nil } +// DaemonSetSpec returns the `DaemonSet` sets spec. +func (r *ResourceRender) DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) { + return nil, nil +} + // TODO: implement this method func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { return nil, nil } +// HorizontalPodAutoscalerSpec returns the `HorizontalPodAutoscaler` sets spec. +func (r *ResourceRender) HorizontalPodAutoscalerSpec() (*egv1a1.KubernetesHorizontalPodAutoscalerSpec, error) { + return nil, nil +} + func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPodAutoscaler, error) { return nil, nil } +// PodDisruptionBudgetSpec returns the `PodDisruptionBudget` sets spec. +func (r *ResourceRender) PodDisruptionBudgetSpec() (*egv1a1.KubernetesPodDisruptionBudgetSpec, error) { + return nil, nil +} + func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, error) { return nil, nil } diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go index 47c4901e198..c7aa23f7943 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go @@ -9,6 +9,7 @@ import ( "flag" "fmt" "os" + "strconv" "testing" "github.com/stretchr/testify/assert" @@ -678,6 +679,50 @@ func TestDeployment(t *testing.T) { }, }, }, + { + caseName: "merge-labels", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + }, + deploy: &egv1a1.KubernetesDeploymentSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + Labels: map[string]string{ + "app.kubernetes.io/name": InfraName, + "app.kubernetes.io/component": "ratelimit", + "app.kubernetes.io/managed-by": "envoy-gateway", + "key1": "value1", + "key2": "value2", + }, + }, + }, + }, + { + caseName: "merge-annotations", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + }, + deploy: &egv1a1.KubernetesDeploymentSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + Annotations: map[string]string{ + "prometheus.io/path": "/metrics", + "prometheus.io/port": strconv.Itoa(PrometheusPort), + "prometheus.io/scrape": "true", + "key1": "value1", + "key2": "value2", + }, + }, + }, + }, } for _, tc := range cases { t.Run(tc.caseName, func(t *testing.T) { diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml index bd75907c7af..0c1be549e83 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml index bd75907c7af..0c1be549e83 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml index 972dd635a38..65c68972f9d 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml new file mode 100644 index 00000000000..4bc241198c6 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml @@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Deployment + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + progressDeadlineSeconds: 600 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate + template: + metadata: + annotations: + key1: value1 + key2: value2 + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml new file mode 100644 index 00000000000..6681232eeb8 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml @@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Deployment + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + progressDeadlineSeconds: 600 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + key1: value1 + key2: value2 + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml index 8d076381d71..0c0f73f3c83 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml index 7fc4a4ec4ca..29428fc447b 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml index 685f5a76385..a2478222625 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml index 3659647a89a..30d8852d642 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/ir/infra.go b/internal/ir/infra.go index ae46560d534..8bf433785fb 100644 --- a/internal/ir/infra.go +++ b/internal/ir/infra.go @@ -30,13 +30,13 @@ type Infra struct { Proxy *ProxyInfra `json:"proxy" yaml:"proxy"` } -func (i Infra) YAMLString() string { - y, _ := yaml.Marshal(&i) +func (i *Infra) YAMLString() string { + y, _ := yaml.Marshal(i) return string(y) } -func (i Infra) JSONString() string { - j, _ := json.MarshalIndent(&i, "", "\t") +func (i *Infra) JSONString() string { + j, _ := json.MarshalIndent(i, "", "\t") return string(j) } diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 86a2d39569f..9750680f387 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -126,7 +126,7 @@ func (x *Xds) sort() { } // Validate the fields within the Xds structure. -func (x Xds) Validate() error { +func (x *Xds) Validate() error { var errs error for _, http := range x.HTTP { if err := http.Validate(); err != nil { @@ -146,7 +146,7 @@ func (x Xds) Validate() error { return errs } -func (x Xds) GetHTTPListener(name string) *HTTPListener { +func (x *Xds) GetHTTPListener(name string) *HTTPListener { for _, listener := range x.HTTP { if listener.Name == name { return listener @@ -155,7 +155,7 @@ func (x Xds) GetHTTPListener(name string) *HTTPListener { return nil } -func (x Xds) GetTCPListener(name string) *TCPListener { +func (x *Xds) GetTCPListener(name string) *TCPListener { for _, listener := range x.TCP { if listener.Name == name { return listener @@ -164,7 +164,7 @@ func (x Xds) GetTCPListener(name string) *TCPListener { return nil } -func (x Xds) GetUDPListener(name string) *UDPListener { +func (x *Xds) GetUDPListener(name string) *UDPListener { for _, listener := range x.UDP { if listener.Name == name { return listener @@ -173,18 +173,18 @@ func (x Xds) GetUDPListener(name string) *UDPListener { return nil } -func (x Xds) YAMLString() string { +func (x *Xds) YAMLString() string { y, _ := yaml.Marshal(x.Printable()) return string(y) } -func (x Xds) JSONString() string { +func (x *Xds) JSONString() string { j, _ := json.MarshalIndent(x.Printable(), "", "\t") return string(j) } // Printable returns a deep copy of the resource that can be safely logged. -func (x Xds) Printable() *Xds { +func (x *Xds) Printable() *Xds { out := x.DeepCopy() for _, listener := range out.HTTP { // Omit field @@ -978,6 +978,8 @@ type AuthorizationRule struct { type Principal struct { // ClientCIDRs defines the client CIDRs to be matched. ClientCIDRs []*CIDRMatch `json:"clientCIDRs,omitempty"` + // JWT defines the JWT principal to be matched. + JWT *egv1a1.JWTPrincipal `json:"jwt,omitempty"` } // FaultInjection defines the schema for injecting faults into requests. @@ -1926,8 +1928,9 @@ type Tracing struct { // Metrics defines the configuration for metrics generated by Envoy // +k8s:deepcopy-gen=true type Metrics struct { - EnableVirtualHostStats bool `json:"enableVirtualHostStats" yaml:"enableVirtualHostStats"` - EnablePerEndpointStats bool `json:"enablePerEndpointStats" yaml:"enablePerEndpointStats"` + EnableVirtualHostStats bool `json:"enableVirtualHostStats" yaml:"enableVirtualHostStats"` + EnablePerEndpointStats bool `json:"enablePerEndpointStats" yaml:"enablePerEndpointStats"` + EnableRequestResponseSizesStats bool `json:"enableRequestResponseSizesStats" yaml:"enableRequestResponseSizesStats"` } // TCPKeepalive define the TCP Keepalive configuration. diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 0b964d5fc41..5afb29d12ce 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -2092,6 +2092,11 @@ func (in *Principal) DeepCopyInto(out *Principal) { } } } + if in.JWT != nil { + in, out := &in.JWT, &out.JWT + *out = new(v1alpha1.JWTPrincipal) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Principal. diff --git a/internal/metrics/metadata.go b/internal/metrics/metadata.go index c6daf9e94da..5b5fd045d52 100644 --- a/internal/metrics/metadata.go +++ b/internal/metrics/metadata.go @@ -12,21 +12,10 @@ import ( "go.opentelemetry.io/otel" api "go.opentelemetry.io/otel/metric" "go.opentelemetry.io/otel/sdk/metric" - - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - log "github.com/envoyproxy/gateway/internal/logging" -) - -var ( - meter = func() api.Meter { - return otel.GetMeterProvider().Meter("envoy-gateway") - } - - metricsLogger = log.DefaultLogger(egv1a1.LogLevelInfo).WithName("metrics") ) -func init() { - otel.SetLogger(metricsLogger.Logger) +var meter = func() api.Meter { + return otel.GetMeterProvider().Meter("envoy-gateway") } // MetricType is the type of a metric. @@ -56,7 +45,7 @@ type Metadata struct { Bounds []float64 } -// metrics stores stores metrics +// metrics stores metrics type store struct { started bool mu sync.Mutex diff --git a/internal/metrics/register.go b/internal/metrics/register.go index f4e9e7a34cc..1f4c0a483f0 100644 --- a/internal/metrics/register.go +++ b/internal/metrics/register.go @@ -23,14 +23,20 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" + log "github.com/envoyproxy/gateway/internal/logging" ) const ( defaultEndpoint = "/metrics" ) +var metricsLogger log.Logger + // Init initializes and registers the global metrics server. func Init(cfg *config.Server) error { + metricsLogger = cfg.Logger.WithName("metrics") + otel.SetLogger(metricsLogger.Logger) + options, err := newOptions(cfg) if err != nil { return err diff --git a/internal/provider/file/resources.go b/internal/provider/file/resources.go index a89f3ae1686..ac80863f740 100644 --- a/internal/provider/file/resources.go +++ b/internal/provider/file/resources.go @@ -51,7 +51,7 @@ func loadFromFile(path string) (*resource.Resources, error) { return nil, err } - return resource.LoadResourcesFromYAMLString(string(bytes), false) + return resource.LoadResourcesFromYAMLBytes(bytes, false) } // loadFromDir loads resources from all the files under a specific directory excluding subdirectories. diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go index 669a790af55..135de799948 100644 --- a/internal/provider/kubernetes/kubernetes_test.go +++ b/internal/provider/kubernetes/kubernetes_test.go @@ -1,5 +1,4 @@ //go:build integration -// +build integration // Copyright Envoy Gateway Authors // SPDX-License-Identifier: Apache-2.0 diff --git a/internal/provider/kubernetes/status_updater.go b/internal/provider/kubernetes/status_updater.go index 9da708f1b02..24adaedd563 100644 --- a/internal/provider/kubernetes/status_updater.go +++ b/internal/provider/kubernetes/status_updater.go @@ -56,7 +56,6 @@ func (m MutatorFunc) Mutate(old client.Object) client.Object { type UpdateHandler struct { log logr.Logger client client.Client - sendUpdates chan struct{} updateChannel chan Update } @@ -64,7 +63,6 @@ func NewUpdateHandler(log logr.Logger, client client.Client) *UpdateHandler { return &UpdateHandler{ log: log, client: client, - sendUpdates: make(chan struct{}), updateChannel: make(chan Update, 100), } } @@ -129,9 +127,6 @@ func (u *UpdateHandler) Start(ctx context.Context) error { u.log.Info("started status update handler") defer u.log.Info("stopped status update handler") - // Enable Updaters to start sending updates to this handler. - close(u.sendUpdates) - for { select { case <-ctx.Done(): @@ -148,7 +143,6 @@ func (u *UpdateHandler) Start(ctx context.Context) error { // Writer retrieves the interface that should be used to write to the UpdateHandler. func (u *UpdateHandler) Writer() Updater { return &UpdateWriter{ - enabled: u.sendUpdates, updateChannel: u.updateChannel, } } @@ -160,18 +154,13 @@ type Updater interface { // UpdateWriter takes status updates and sends these to the UpdateHandler via a channel. type UpdateWriter struct { - enabled <-chan struct{} updateChannel chan<- Update } // Send sends the given Update off to the update channel for writing by the UpdateHandler. func (u *UpdateWriter) Send(update Update) { // Non-blocking receive to see if we should pass along update. - select { - case <-u.enabled: - u.updateChannel <- update - default: - } + u.updateChannel <- update } // isStatusEqual checks if two objects have equivalent status. diff --git a/internal/xds/server/runner/runner.go b/internal/xds/server/runner/runner.go index d8acab8d951..19c4076d458 100644 --- a/internal/xds/server/runner/runner.go +++ b/internal/xds/server/runner/runner.go @@ -180,6 +180,7 @@ func (r *Runner) tlsConfig(cert, key, ca string) *tls.Config { return &tls.Config{ Certificates: []tls.Certificate{cert}, + NextProtos: []string{"h2"}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: certPool, MinVersion: tls.VersionTLS13, diff --git a/internal/xds/server/runner/runner_test.go b/internal/xds/server/runner/runner_test.go index 74bf30f2caf..1a3e9322c68 100644 --- a/internal/xds/server/runner/runner_test.go +++ b/internal/xds/server/runner/runner_test.go @@ -10,6 +10,7 @@ import ( "crypto/tls" "crypto/x509" "errors" + "io" "net" "os" "path/filepath" @@ -156,6 +157,7 @@ func tryConnect(address string, clientCert tls.Certificate, caCertPool *x509.Cer ServerName: "localhost", MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{clientCert}, + NextProtos: []string{"h2"}, RootCAs: caCertPool, } conn, err := tls.Dial("tcp", address, clientConfig) @@ -180,6 +182,10 @@ func peekError(conn net.Conn) error { _ = conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond)) _, err := conn.Read(make([]byte, 1)) if err != nil { + if errors.Is(err, io.EOF) { + return nil + } + var netErr net.Error if !errors.As(netErr, &netErr) || !netErr.Timeout() { return err diff --git a/internal/xds/translator/authorization.go b/internal/xds/translator/authorization.go index e3a61b1641e..0d2d19dc571 100644 --- a/internal/xds/translator/authorization.go +++ b/internal/xds/translator/authorization.go @@ -8,6 +8,7 @@ package translator import ( "errors" "fmt" + "strings" cncfv3 "github.com/cncf/xds/go/xds/core/v3" matcherv3 "github.com/cncf/xds/go/xds/type/matcher/v3" @@ -18,6 +19,8 @@ import ( hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" networkinput "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/network/v3" ipmatcherv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/ip/v3" + metadatav3 "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/metadata/v3" + envoymatcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/wrapperspb" @@ -121,13 +124,35 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { } var ( - authorization = irRoute.Security.Authorization - allowAction *anypb.Any - denyAction *anypb.Any - sourceIPInput *anypb.Any - ipMatcher *anypb.Any - matcherList []*matcherv3.Matcher_MatcherList_FieldMatcher - err error + rbacPerRoute *rbacv3.RBACPerRoute + cfgAny *anypb.Any + err error + ) + + if rbacPerRoute, err = buildRBACPerRoute(irRoute.Security.Authorization); err != nil { + return err + } + + if cfgAny, err = anypb.New(rbacPerRoute); err != nil { + return err + } + + if filterCfg == nil { + route.TypedPerFilterConfig = make(map[string]*anypb.Any) + } + + route.TypedPerFilterConfig[egv1a1.EnvoyFilterRBAC.String()] = cfgAny + + return nil +} + +func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, error) { + var ( + rbac *rbacv3.RBACPerRoute + allowAction *anypb.Any + denyAction *anypb.Any + matcherList []*matcherv3.Matcher_MatcherList_FieldMatcher + err error ) allow := &rbacconfigv3.Action{ @@ -135,7 +160,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { Action: rbacconfigv3.RBAC_ALLOW, } if allowAction, err = anypb.New(allow); err != nil { - return err + return nil, err } deny := &rbacconfigv3.Action{ @@ -143,7 +168,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { Action: rbacconfigv3.RBAC_DENY, } if denyAction, err = anypb.New(deny); err != nil { - return err + return nil, err } // Build a list of matchers based on the rules. @@ -152,52 +177,71 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { // skipped. // If no matcher matches, the default action will be used. for _, rule := range authorization.Rules { - // Build the IPMatcher based on the client CIDRs. - ipRangeMatcher := &ipmatcherv3.Ip{ - StatPrefix: "client_ip", - } + var ( + ipPredicate *matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_ + jwtPredicate []*matcherv3.Matcher_MatcherList_Predicate + predicate *matcherv3.Matcher_MatcherList_Predicate + ) - for _, cidr := range rule.Principal.ClientCIDRs { - ipRangeMatcher.CidrRanges = append(ipRangeMatcher.CidrRanges, &configv3.CidrRange{ - AddressPrefix: cidr.IP, - PrefixLen: &wrapperspb.UInt32Value{ - Value: cidr.MaskLen, - }, - }) + // Determine the action for the current rule. + ruleAction := allowAction + if rule.Action == egv1a1.AuthorizationActionDeny { + ruleAction = denyAction } - if ipMatcher, err = anypb.New(ipRangeMatcher); err != nil { - return err + if len(rule.Principal.ClientCIDRs) > 0 { + if ipPredicate, err = buildIPPredicate(rule.Principal.ClientCIDRs); err != nil { + return nil, err + } } - if sourceIPInput, err = anypb.New(&networkinput.SourceIPInput{}); err != nil { - return err + if rule.Principal.JWT != nil { + if jwtPredicate, err = buildJWTPredicate(*rule.Principal.JWT); err != nil { + return nil, err + } } - // Determine the action for the current rule. - ruleAction := allowAction - if rule.Action == egv1a1.AuthorizationActionDeny { - ruleAction = denyAction + // Build the predicate for the current rule. + switch { + // If both IP and JWT predicates are present, AND them together. + case ipPredicate != nil && jwtPredicate != nil: + predicates := []*matcherv3.Matcher_MatcherList_Predicate{ + { + MatchType: ipPredicate, + }, + } + predicates = append(predicates, jwtPredicate...) + + predicate = &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_AndMatcher{ + AndMatcher: &matcherv3.Matcher_MatcherList_Predicate_PredicateList{ + Predicate: predicates, + }, + }, + } + case ipPredicate != nil: + predicate = &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: ipPredicate, + } + case jwtPredicate != nil: + // If there are multiple JWT predicates, AND them together. + if len(jwtPredicate) > 1 { + predicate = &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_AndMatcher{ + AndMatcher: &matcherv3.Matcher_MatcherList_Predicate_PredicateList{ + Predicate: jwtPredicate, + }, + }, + } + } else if len(jwtPredicate) == 1 { + predicate = jwtPredicate[0] + } } // Add the matcher generated with the current rule to the matcher list. + // The first matcher that matches will be used to determine the action. matcherList = append(matcherList, &matcherv3.Matcher_MatcherList_FieldMatcher{ - Predicate: &matcherv3.Matcher_MatcherList_Predicate{ - MatchType: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ - SinglePredicate: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ - Input: &cncfv3.TypedExtensionConfig{ - Name: "client_ip", - TypedConfig: sourceIPInput, - }, - Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_CustomMatch{ - CustomMatch: &cncfv3.TypedExtensionConfig{ - Name: "ip_matcher", - TypedConfig: ipMatcher, - }, - }, - }, - }, - }, + Predicate: predicate, OnMatch: &matcherv3.Matcher_OnMatch{ OnMatch: &matcherv3.Matcher_OnMatch_Action{ Action: &cncfv3.TypedExtensionConfig{ @@ -215,7 +259,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { defaultAction = allowAction } - routeCfgProto := &rbacv3.RBACPerRoute{ + rbac = &rbacv3.RBACPerRoute{ Rbac: &rbacv3.RBAC{ Matcher: &matcherv3.Matcher{ MatcherType: &matcherv3.Matcher_MatcherList_{ @@ -240,26 +284,260 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { // Setting the matcher type to nil since Proto validation will fail if the list // is empty. if len(matcherList) == 0 { - routeCfgProto.Rbac.Matcher.MatcherType = nil + rbac.Rbac.Matcher.MatcherType = nil } // We need to validate the RBACPerRoute message before converting it to an Any. - if err = routeCfgProto.ValidateAll(); err != nil { - return err + if err = rbac.ValidateAll(); err != nil { + return nil, err } - routeCfgAny, err := anypb.New(routeCfgProto) - if err != nil { - return err + return rbac, nil +} + +func buildIPPredicate(clientCIDRs []*ir.CIDRMatch) (*matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_, error) { + var ( + sourceIPInput *anypb.Any + ipMatcher *anypb.Any + err error + ) + + // Build the IPMatcher based on the client CIDRs. + ipRangeMatcher := &ipmatcherv3.Ip{ + StatPrefix: "client_ip", } - if filterCfg == nil { - route.TypedPerFilterConfig = make(map[string]*anypb.Any) + for _, cidr := range clientCIDRs { + ipRangeMatcher.CidrRanges = append(ipRangeMatcher.CidrRanges, &configv3.CidrRange{ + AddressPrefix: cidr.IP, + PrefixLen: &wrapperspb.UInt32Value{ + Value: cidr.MaskLen, + }, + }) } - route.TypedPerFilterConfig[egv1a1.EnvoyFilterRBAC.String()] = routeCfgAny + if ipMatcher, err = anypb.New(ipRangeMatcher); err != nil { + return nil, err + } - return nil + if sourceIPInput, err = anypb.New(&networkinput.SourceIPInput{}); err != nil { + return nil, err + } + + return &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ + SinglePredicate: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ + Input: &cncfv3.TypedExtensionConfig{ + Name: "client_ip", + TypedConfig: sourceIPInput, + }, + Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_CustomMatch{ + CustomMatch: &cncfv3.TypedExtensionConfig{ + Name: "ip_matcher", + TypedConfig: ipMatcher, + }, + }, + }, + }, nil +} + +func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherList_Predicate, error) { + jwtPredicate := []*matcherv3.Matcher_MatcherList_Predicate{} + + // Build the scope matchers. + // Multiple scopes are ANDed together. + for _, scope := range jwt.Scopes { + var ( + inputPb *anypb.Any + matcherPb *anypb.Any + err error + ) + + input := &networkinput.DynamicMetadataInput{ + Filter: "envoy.filters.http.jwt_authn", + Path: []*networkinput.DynamicMetadataInput_PathSegment{ + { + Segment: &networkinput.DynamicMetadataInput_PathSegment_Key{ + Key: jwt.Provider, // The name of the jwt provider is used as the `payload_in_metadata` in the JWT Authn filter. + }, + }, + { + Segment: &networkinput.DynamicMetadataInput_PathSegment_Key{ + Key: "scope", + }, + }, + }, + } + + // The scope has already been normalized to a string array in the JWT Authn filter. + scopeMatcher := &metadatav3.Metadata{ + Value: &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_ListMatch{ + ListMatch: &envoymatcherv3.ListMatcher{ + MatchPattern: &envoymatcherv3.ListMatcher_OneOf{ + OneOf: &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_StringMatch{ + StringMatch: &envoymatcherv3.StringMatcher{ + MatchPattern: &envoymatcherv3.StringMatcher_Exact{ + Exact: string(scope), + }, + }, + }, + }, + }, + }, + }, + }, + } + + if inputPb, err = anypb.New(input); err != nil { + return nil, err + } + + if matcherPb, err = anypb.New(scopeMatcher); err != nil { + return nil, err + } + + scopePredicate := matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ + Input: &cncfv3.TypedExtensionConfig{ + Name: "scope", + TypedConfig: inputPb, + }, + Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_CustomMatch{ + CustomMatch: &cncfv3.TypedExtensionConfig{ + Name: "scope_matcher", + TypedConfig: matcherPb, + }, + }, + } + + jwtPredicate = append(jwtPredicate, + &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ + SinglePredicate: &scopePredicate, + }, + }, + ) + } + + // Build the claim matchers. + // Multiple claims are ANDed together. + // Multiple values for a claim are ORed together. + // For example, if we have two claims: "claim1" with values ["value1", "value2"], and "claim2" with values ["value3", "value4"], + // the resulting matcher will be: (claim1 == value1 OR claim1 == value2) AND (claim2 == value3 OR claim2 == value4). + predicateForAllClaims := []*matcherv3.Matcher_MatcherList_Predicate{} + for _, claim := range jwt.Claims { + var ( + inputPb *anypb.Any + matcherPb *anypb.Any + err error + ) + + path := []*networkinput.DynamicMetadataInput_PathSegment{ + { + Segment: &networkinput.DynamicMetadataInput_PathSegment_Key{ + Key: jwt.Provider, // The name of the jwt provider is used as the `payload_in_metadata` in the JWT Authn filter. + }, + }, + } + + // A nested claim is represented as a dot-separated string, e.g., "user.email". + for _, segment := range strings.Split(claim.Name, ".") { + path = append(path, &networkinput.DynamicMetadataInput_PathSegment{ + Segment: &networkinput.DynamicMetadataInput_PathSegment_Key{ + Key: segment, + }, + }) + } + + input := &networkinput.DynamicMetadataInput{ + Filter: "envoy.filters.http.jwt_authn", + Path: path, + } + + if inputPb, err = anypb.New(input); err != nil { + return nil, err + } + + predicateForOneClaim := []*matcherv3.Matcher_MatcherList_Predicate{} + for _, value := range claim.Values { + var valueMatcher *envoymatcherv3.ValueMatcher + + if claim.ValueType != nil && *claim.ValueType == egv1a1.JWTClaimValueTypeStringArray { + valueMatcher = &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_ListMatch{ + ListMatch: &envoymatcherv3.ListMatcher{ + MatchPattern: &envoymatcherv3.ListMatcher_OneOf{ + OneOf: &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_StringMatch{ + StringMatch: &envoymatcherv3.StringMatcher{ + MatchPattern: &envoymatcherv3.StringMatcher_Exact{ + Exact: value, + }, + }, + }, + }, + }, + }, + }, + } + } else { + valueMatcher = &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_StringMatch{ + StringMatch: &envoymatcherv3.StringMatcher{ + MatchPattern: &envoymatcherv3.StringMatcher_Exact{ + Exact: value, + }, + }, + }, + } + } + + if matcherPb, err = anypb.New(&metadatav3.Metadata{ + Value: valueMatcher, + }); err != nil { + return nil, err + } + + predicateForOneClaim = append(predicateForOneClaim, &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ + SinglePredicate: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ + Input: &cncfv3.TypedExtensionConfig{ + Name: "claim", + TypedConfig: inputPb, + }, + Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_CustomMatch{ + CustomMatch: &cncfv3.TypedExtensionConfig{ + Name: "claim_matcher", + TypedConfig: matcherPb, + }, + }, + }, + }, + }) + } + + // For a claim to match, one of the values must match. + // If there are multiple values for a claim, OR them together. + if len(predicateForOneClaim) > 1 { + predicateForAllClaims = append(predicateForAllClaims, &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_OrMatcher{ + OrMatcher: &matcherv3.Matcher_MatcherList_Predicate_PredicateList{ + Predicate: predicateForOneClaim, + }, + }, + }) + } else if len(predicateForOneClaim) == 1 { + predicateForAllClaims = append(predicateForAllClaims, &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: predicateForOneClaim[0].MatchType.(*matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_), + }) + } + } + + // For a JWT principal to match, all the specified claims and scopes must match. + // And all the claims and scopes together. + jwtPredicate = append(jwtPredicate, predicateForAllClaims...) + + return jwtPredicate, nil } func (c *rbac) patchResources(*types.ResourceVersionTable, []*ir.HTTPRoute) error { diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 75bfc532b61..409de7e2180 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -94,10 +94,19 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster { } cluster.ConnectTimeout = buildConnectTimeout(args.timeout) - // set peer endpoint stats - if args.metrics != nil && args.metrics.EnablePerEndpointStats { - cluster.TrackClusterStats = &clusterv3.TrackClusterStats{ - PerEndpointStats: args.metrics.EnablePerEndpointStats, + + // Initialize TrackClusterStats if any metrics are enabled + if args.metrics != nil && (args.metrics.EnablePerEndpointStats || args.metrics.EnableRequestResponseSizesStats) { + cluster.TrackClusterStats = &clusterv3.TrackClusterStats{} + + // Set per endpoint stats if enabled + if args.metrics.EnablePerEndpointStats { + cluster.TrackClusterStats.PerEndpointStats = args.metrics.EnablePerEndpointStats + } + + // Set request response sizes stats if enabled + if args.metrics.EnableRequestResponseSizesStats { + cluster.TrackClusterStats.RequestResponseSizes = args.metrics.EnableRequestResponseSizesStats } } diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go index 4d3a8583756..53a20808ff6 100644 --- a/internal/xds/translator/jwt.go +++ b/internal/xds/translator/jwt.go @@ -139,9 +139,13 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication, Issuer: irProvider.Issuer, Audiences: irProvider.Audiences, JwksSourceSpecifier: remote, - PayloadInMetadata: irProvider.Issuer, + PayloadInMetadata: irProvider.Name, ClaimToHeaders: claimToHeaders, Forward: true, + NormalizePayloadInMetadata: &jwtauthnv3.JwtProvider_NormalizePayload{ + // Normalize the scopes to facilitate matching in Authorization. + SpaceDelimitedClaims: []string{"scope"}, + }, } if irProvider.RecomputeRoute != nil { diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-client-cidr.yaml similarity index 100% rename from internal/xds/translator/testdata/in/xds-ir/authorization.yaml rename to internal/xds/translator/testdata/in/xds-ir/authorization-client-cidr.yaml diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-claim.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-claim.yaml new file mode 100644 index 00000000000..f952f20cc26 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-claim.yaml @@ -0,0 +1,99 @@ +http: +- address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-claim-roles + principal: + jwt: + provider: example1 + claims: + - name: user.name + values: ["alice", "bob"] + jwt: + providers: + - audiences: + - two.foo.com + issuer: https://two.example.com + name: example1 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /bar + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-claim-roles + principal: + jwt: + provider: example1 + claims: + - name: roles + valueType: StringArray + values: ["admin", "superuser"] + - name: department + values: ["engineering"] + jwt: + providers: + - audiences: + - one.foo.com + issuer: https://one.example.com + name: example1 + remoteJWKS: + uri: https://one.example.com/jwt/public-key/jwks.json diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-scope.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-scope.yaml new file mode 100644 index 00000000000..332060147c4 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-scope.yaml @@ -0,0 +1,95 @@ +http: +- address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-scope-foo-bar + principal: + jwt: + provider: example1 + scopes: + - foo + - bar + jwt: + providers: + - audiences: + - two.foo.com + issuer: https://two.example.com + name: example1 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /bar + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-scope-foo + principal: + jwt: + provider: example1 + scopes: + - foo + jwt: + providers: + - audiences: + - one.foo.com + issuer: https://one.example.com + name: example1 + remoteJWKS: + uri: https://one.example.com/jwt/public-key/jwks.json diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml new file mode 100644 index 00000000000..c93708b4c8a --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml @@ -0,0 +1,80 @@ +http: +- address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + authorization: + defaultAction: Deny + rules: + - action: Allow + name: allow-rule-1 + principal: + clientCIDRs: + - cidr: 192.168.1.0/24 + distinct: false + ip: 192.168.1.0 + isIPv6: false + maskLen: 24 + - cidr: 192.168.2.0/24 + distinct: false + ip: 192.168.2.0 + isIPv6: false + maskLen: 24 + jwt: + issuer: https://one.example.com + scopes: + - foo + claims: + - name: roles + valueType: StringArray + values: ["admin", "superuser"] + - name: department + values: ["engineering"] + - action: Allow + name: allow-rule-2 + principal: + clientCIDRs: + - cidr: 10.0.1.0/24 + distinct: false + ip: 10.0.1.0 + isIPv6: false + maskLen: 24 + - cidr: 10.0.2.0/24 + distinct: false + ip: 10.0.2.0 + isIPv6: false + maskLen: 24 + jwt: + issuer: https://two.example.com + scopes: + - for + - bar + claims: + - name: roles + valueType: StringArray + values: ["admin", "superuser"] + - name: name + values: ["alice", "bob"] diff --git a/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml new file mode 100644 index 00000000000..5c174e363ef --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml @@ -0,0 +1,21 @@ +name: "metrics-req-resp-sizes-stats" +metrics: + enableRequestResponseSizesStats: true +http: + - name: "listener-enable-req-resp-sizes-stats" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "first-route" + hostname: "*" + destination: + name: "first-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml new file mode 100644 index 00000000000..6d5d7fac73c --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml @@ -0,0 +1,15 @@ +name: "metrics-req-resp-sizes-stats" +metrics: + enableRequestResponseSizesStats: true +tcp: +- name: "tcp-route-enable-req-resp-sizes-stats" + address: "0.0.0.0" + port: 10080 + destination: + name: "tcp-route-simple-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml new file mode 100644 index 00000000000..1cc60f85e0e --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml @@ -0,0 +1,49 @@ +name: "tracing" +tracing: + serviceName: "fake-name.fake-ns" + samplingRate: 90 + customTags: + "literal1": + type: Literal + literal: + value: "value1" + "env1": + type: Environment + environment: + name: "env1" + defaultValue: "-" + "req1": + type: RequestHeader + requestHeader: + name: "X-Request-Id" + defaultValue: "-" + authority: "datadog-agent.default.svc.cluster.local" + destination: + name: "tracing-0" + settings: + - endpoints: + - host: "datadog-agent.default.svc.cluster.local" + port: 8126 + provider: + type: Datadog +http: + - name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "direct-route" + hostname: "*" + destination: + name: "direct-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + directResponse: + body: "Unknown custom filter type: UnsupportedType" + statusCode: 500 diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml index 45f669ef643..02623bc0c7a 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml @@ -17,17 +17,17 @@ tracing: requestHeader: name: "X-Request-Id" defaultValue: "-" - authority: "datadog-agent.default.svc.cluster.local" + authority: "awesome-agent.default.svc.cluster.local" destination: name: "tracing-0" settings: - endpoints: - - host: "datadog-agent.default.svc.cluster.local" - port: 8126 + - host: "awesome-agent.default.svc.cluster.local" + port: 1357 provider: - host: datadog-agent.monitoring.svc.cluster.local - port: 8126 - type: Datadog + host: awesome-agent.monitoring.svc.cluster.local + port: 1357 + type: AwesomeTelemetry http: - name: "first-listener" address: "0.0.0.0" diff --git a/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml new file mode 100644 index 00000000000..1e7e0d9fb53 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml @@ -0,0 +1,17 @@ +name: "metrics-req-resp-sizes-stats" +metrics: + enableRequestResponseSizesStats: true +udp: +- name: "udp-route-enable-req-resp-sizes-stats" + address: "0.0.0.0" + port: 10080 + route: + name: "udp-route" + destination: + name: "udp-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml new file mode 100644 index 00000000000..b3f75f0e04e --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml @@ -0,0 +1,51 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-3/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-3/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.endpoints.yaml new file mode 100644 index 00000000000..24596d841a3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.endpoints.yaml @@ -0,0 +1,36 @@ +- clusterName: httproute/default/httproute-3/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-3/rule/0/backend/0 +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml new file mode 100644 index 00000000000..907d28f78b7 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml @@ -0,0 +1,37 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.routes.yaml new file mode 100644 index 00000000000..141d60a15dd --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.routes.yaml @@ -0,0 +1,135 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - www.example.com + name: envoy-gateway/gateway-1/http/www_example_com + routes: + - match: + pathSeparatedPrefix: /test + name: httproute/default/httproute-3/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-3/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + - match: + pathSeparatedPrefix: /foo + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: deny-location-1 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: + - addressPrefix: 192.168.1.0 + prefixLen: 24 + - addressPrefix: 192.168.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + - onMatch: + action: + name: deny-location-2 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: + - addressPrefix: 10.75.1.0 + prefixLen: 24 + - addressPrefix: 10.75.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + name: ALLOW + - match: + pathSeparatedPrefix: /bar + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: securitypolicy/envoy-gateway/policy-for-gateway/authorization/rule/0 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + name: ALLOW + predicate: + singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: + - addressPrefix: 10.0.1.0 + prefixLen: 24 + - addressPrefix: 10.0.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml new file mode 100644 index 00000000000..660d4f6b224 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml @@ -0,0 +1,106 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: two_example_com_443 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: two.example.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: two_example_com_443/backend/0 + name: two_example_com_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: two.example.com + type: STRICT_DNS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: one_example_com_443 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: one.example.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: one_example_com_443/backend/0 + name: one_example_com_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: one.example.com + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.endpoints.yaml new file mode 100644 index 00000000000..05442a9a15b --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.endpoints.yaml @@ -0,0 +1,24 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml new file mode 100644 index 00000000000..f34bcbe362f --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml @@ -0,0 +1,80 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.jwt_authn + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication + providers: + httproute/default/httproute-1/rule/0/match/0/www_example_com/example1: + audiences: + - two.foo.com + forward: true + issuer: https://two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: two_example_com_443 + timeout: 10s + uri: https://two.example.com/jwt/public-key/jwks.json + retryPolicy: {} + httproute/default/httproute-2/rule/0/match/0/www_example_com/example1: + audiences: + - one.foo.com + forward: true + issuer: https://one.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: one_example_com_443 + timeout: 10s + uri: https://one.example.com/jwt/public-key/jwks.json + retryPolicy: {} + requirementMap: + httproute/default/httproute-1/rule/0/match/0/www_example_com: + providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/example1 + httproute/default/httproute-2/rule/0/match/0/www_example_com: + providerName: httproute/default/httproute-2/rule/0/match/0/www_example_com/example1 + - name: envoy.filters.http.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.routes.yaml new file mode 100644 index 00000000000..5a465cded12 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.routes.yaml @@ -0,0 +1,185 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - www.example.com + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http/www_example_com + routes: + - match: + pathSeparatedPrefix: /foo + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-1/rule/0/match/0/www_example_com + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-claim-roles + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: alice + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: user + - key: name + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: bob + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: user + - key: name + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + - match: + pathSeparatedPrefix: /bar + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-2/rule/0/match/0/www_example_com + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-claim-roles + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + andMatcher: + predicate: + - orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: admin + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: superuser + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: engineering + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: department + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml new file mode 100644 index 00000000000..660d4f6b224 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml @@ -0,0 +1,106 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: two_example_com_443 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: two.example.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: two_example_com_443/backend/0 + name: two_example_com_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: two.example.com + type: STRICT_DNS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: one_example_com_443 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: one.example.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: one_example_com_443/backend/0 + name: one_example_com_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: one.example.com + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.endpoints.yaml new file mode 100644 index 00000000000..05442a9a15b --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.endpoints.yaml @@ -0,0 +1,24 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml new file mode 100644 index 00000000000..f34bcbe362f --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml @@ -0,0 +1,80 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.jwt_authn + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication + providers: + httproute/default/httproute-1/rule/0/match/0/www_example_com/example1: + audiences: + - two.foo.com + forward: true + issuer: https://two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: two_example_com_443 + timeout: 10s + uri: https://two.example.com/jwt/public-key/jwks.json + retryPolicy: {} + httproute/default/httproute-2/rule/0/match/0/www_example_com/example1: + audiences: + - one.foo.com + forward: true + issuer: https://one.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: one_example_com_443 + timeout: 10s + uri: https://one.example.com/jwt/public-key/jwks.json + retryPolicy: {} + requirementMap: + httproute/default/httproute-1/rule/0/match/0/www_example_com: + providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/example1 + httproute/default/httproute-2/rule/0/match/0/www_example_com: + providerName: httproute/default/httproute-2/rule/0/match/0/www_example_com/example1 + - name: envoy.filters.http.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.routes.yaml new file mode 100644 index 00000000000..cfb4a62ec65 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.routes.yaml @@ -0,0 +1,149 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - www.example.com + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http/www_example_com + routes: + - match: + pathSeparatedPrefix: /foo + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-1/rule/0/match/0/www_example_com + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-scope-foo-bar + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + andMatcher: + predicate: + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: foo + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: scope + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: bar + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: scope + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + - match: + pathSeparatedPrefix: /bar + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-2/rule/0/match/0/www_example_com + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-scope-foo + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: foo + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: scope + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml new file mode 100644 index 00000000000..9714612e3de --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml @@ -0,0 +1,17 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.endpoints.yaml new file mode 100644 index 00000000000..29bb6b4e444 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml new file mode 100644 index 00000000000..907d28f78b7 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml @@ -0,0 +1,37 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml new file mode 100644 index 00000000000..c6510f63778 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml @@ -0,0 +1,256 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - www.example.com + name: envoy-gateway/gateway-1/http/www_example_com + routes: + - match: + pathSeparatedPrefix: /foo + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-rule-1 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + name: ALLOW + predicate: + andMatcher: + predicate: + - singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: + - addressPrefix: 192.168.1.0 + prefixLen: 24 + - addressPrefix: 192.168.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: foo + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: scope + - orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: admin + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: superuser + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: engineering + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: department + - onMatch: + action: + name: allow-rule-2 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + name: ALLOW + predicate: + andMatcher: + predicate: + - singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: + - addressPrefix: 10.0.1.0 + prefixLen: 24 + - addressPrefix: 10.0.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: for + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: scope + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: bar + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: scope + - orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: admin + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: superuser + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: roles + - orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: alice + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: name + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: bob + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: name + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml index 46157814e38..0a50c1bb280 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml @@ -73,7 +73,10 @@ headerName: one-route-example-key forward: true issuer: https://one.example.com - payloadInMetadata: https://one.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -90,7 +93,10 @@ headerName: two-route-example-key forward: true issuer: http://two.example.com - payloadInMetadata: http://two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example2 remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml new file mode 100644 index 00000000000..7d112afb676 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml @@ -0,0 +1,19 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: first-route-dest + lbPolicy: LEAST_REQUEST + name: first-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + trackClusterStats: + requestResponseSizes: true + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.endpoints.yaml new file mode 100644 index 00000000000..3b3f2d09076 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: first-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: first-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml new file mode 100644 index 00000000000..2d688753f05 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml @@ -0,0 +1,34 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: listener-enable-req-resp-sizes-stats + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: listener-enable-req-resp-sizes-stats + name: listener-enable-req-resp-sizes-stats + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.routes.yaml new file mode 100644 index 00000000000..63cbc847197 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.routes.yaml @@ -0,0 +1,14 @@ +- ignorePortInHostMatching: true + name: listener-enable-req-resp-sizes-stats + virtualHosts: + - domains: + - '*' + name: listener-enable-req-resp-sizes-stats/* + routes: + - match: + prefix: / + name: first-route + route: + cluster: first-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml index 524800c6480..9172af8519b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml @@ -30,7 +30,10 @@ fromParams: - token issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml index 4c45106ab61..bbfa00a53ea 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml @@ -26,7 +26,10 @@ headerName: one-route-example-key1 forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -47,7 +50,10 @@ clearRouteCache: true forward: true issuer: https://www.two.example.com - payloadInMetadata: https://www.two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example2 remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -64,7 +70,10 @@ headerName: second-route-example-key1 forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -79,7 +88,10 @@ - two.foo.com forward: true issuer: https://www.two.example.com - payloadInMetadata: https://www.two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example2 remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml index f247baa83b5..a48a09b2dd7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml @@ -48,7 +48,10 @@ headerName: first-route-key forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -62,7 +65,10 @@ - foo.com forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml index 9906e8df615..51d778b9cea 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml @@ -30,7 +30,10 @@ fromParams: - token issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml index a4520c65b4f..ead8b20d402 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml @@ -23,7 +23,10 @@ - foo.com forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml index 91280606bf5..c839763d975 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml @@ -23,7 +23,10 @@ - foo.com forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml new file mode 100644 index 00000000000..994341e55ec --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml @@ -0,0 +1,6 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + name: tcp-route-enable-req-resp-sizes-stats + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.routes.yaml new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.routes.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml new file mode 100644 index 00000000000..51ef591844c --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml @@ -0,0 +1,44 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: direct-route-dest + lbPolicy: LEAST_REQUEST + name: direct-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: tracing-0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: datadog-agent.default.svc.cluster.local + portValue: 8126 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tracing-0/backend/0 + name: tracing-0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.endpoints.yaml new file mode 100644 index 00000000000..20c80b3aaaa --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: direct-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: direct-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml new file mode 100644 index 00000000000..07a3d581575 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml @@ -0,0 +1,60 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + tracing: + clientSampling: + value: 100 + customTags: + - environment: + defaultValue: '-' + name: env1 + tag: env1 + - literal: + value: value1 + tag: literal1 + - requestHeader: + defaultValue: '-' + name: X-Request-Id + tag: req1 + overallSampling: + value: 100 + provider: + name: envoy.tracers.datadog + typedConfig: + '@type': type.googleapis.com/envoy.config.trace.v3.DatadogConfig + collectorCluster: tracing-0 + serviceName: fake-name.fake-ns + randomSampling: + value: 90 + spawnUpstreamSpan: true + useRemoteAddress: true + name: first-listener + name: first-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml new file mode 100644 index 00000000000..b214e8b05a3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml @@ -0,0 +1,12 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + routes: + - directResponse: + status: 500 + match: + prefix: / + name: direct-route diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml new file mode 100644 index 00000000000..f7c6a0bf095 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml @@ -0,0 +1,19 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: udp-route-dest + lbPolicy: LEAST_REQUEST + name: udp-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + trackClusterStats: + requestResponseSizes: true + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.endpoints.yaml new file mode 100644 index 00000000000..2e3c84e672c --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.endpoints.yaml @@ -0,0 +1,18 @@ +- clusterName: udp-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + - endpoint: + address: + socketAddress: + address: 5.6.7.8 + portValue: 50001 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: udp-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml new file mode 100644 index 00000000000..6bf13465916 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml @@ -0,0 +1,18 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + protocol: UDP + listenerFilters: + - name: envoy.filters.udp_listener.udp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.UdpProxyConfig + matcher: + onNoMatch: + action: + name: route + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.Route + cluster: udp-route-dest + statPrefix: service + name: udp-route-enable-req-resp-sizes-stats diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.routes.yaml new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.routes.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/tracing.go b/internal/xds/translator/tracing.go index ad9a3ecc0e1..c7777f94ba2 100644 --- a/internal/xds/translator/tracing.go +++ b/internal/xds/translator/tracing.go @@ -28,6 +28,7 @@ import ( const ( envoyOpenTelemetry = "envoy.tracers.opentelemetry" envoyZipkin = "envoy.traces.zipkin" + envoyDatadog = "envoy.tracers.datadog" ) type typConfigGen func() (*anypb.Any, error) @@ -41,6 +42,16 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e var providerConfig typConfigGen switch tracing.Provider.Type { + case egv1a1.TracingProviderTypeDatadog: + providerName = envoyDatadog + + providerConfig = func() (*anypb.Any, error) { + config := &tracecfg.DatadogConfig{ + ServiceName: tracing.ServiceName, + CollectorCluster: tracing.Destination.Name, + } + return protocov.ToAnyWithError(config) + } case egv1a1.TracingProviderTypeOpenTelemetry: providerName = envoyOpenTelemetry diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index e939ffb2b8b..4d41b865afa 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go @@ -106,7 +106,7 @@ func TestTranslateXds(t *testing.T) { errMsg: "validation failed for xds resource", }, "tracing-unknown-provider-type": { - errMsg: "unknown tracing provider type: Datadog", + errMsg: "unknown tracing provider type: AwesomeTelemetry", }, } diff --git a/osv-scanner.toml b/osv-scanner.toml index 61e02d0ceb8..02cdbc6af53 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -89,3 +89,17 @@ name = "stdlib" ecosystem = "Go" license.override = ["BSD-3-Clause"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved" + +[[PackageOverrides]] +name = "sigs.k8s.io/gateway-api" +version = "1.2.0-rc2" +ecosystem = "Go" +license.override = ["Apache-2.0"] +reason = "https://github.com/envoyproxy/gateway/actions/runs/11065210699/job/30744231458?pr=4270" + +[[PackageOverrides]] +name = "sigs.k8s.io/json" +version = "0.0.0-20221116044647-bc3834ca7abd" +ecosystem = "Go" +license.override = ["Apache-2.0"] +reason = "https://github.com/kubernetes-sigs/json/blob/main/LICENSE" diff --git a/site/content/en/contributions/DEVELOP.md b/site/content/en/contributions/DEVELOP.md index f972c547f57..c3d97284c60 100644 --- a/site/content/en/contributions/DEVELOP.md +++ b/site/content/en/contributions/DEVELOP.md @@ -163,7 +163,7 @@ the detailed benchmark report, namely `benchmark_report.zip`. Here are some brief benchmark reports about Envoy Gateway: -- It will take up nearly 1.3GiB memory and 11s total CPU time for (1 GatewayClass + 1 Gateway + 500 HTTRoutes) settings +- It will take up nearly 550MiB memory and 11s total CPU time for (1 GatewayClass + 1 Gateway + 500 HTTRoutes) settings [Quickstart]: https://github.com/envoyproxy/gateway/blob/main/docs/latest/user/quickstart.md diff --git a/site/content/en/docs/tasks/quickstart.md b/site/content/en/docs/tasks/quickstart.md index 802b7989a88..e1943c21e92 100644 --- a/site/content/en/docs/tasks/quickstart.md +++ b/site/content/en/docs/tasks/quickstart.md @@ -12,7 +12,7 @@ A Kubernetes cluster. __Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix) for supported Kubernetes versions. -__Note:__ In case your Kubernetes cluster, does not have a LoadBalancer implementation, we recommend installing one +__Note:__ In case your Kubernetes cluster does not have a LoadBalancer implementation, we recommend installing one so the `Gateway` resource has an Address associated with it. We recommend using [MetalLB](https://metallb.universe.tf/installation/). __Note:__ For Mac user, you need install and run [Docker Mac Net Connect](https://github.com/chipmk/docker-mac-net-connect) to make the Docker network work. diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index b716d7ad3f0..193e698722c 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -240,7 +240,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule.n | +| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | | `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | | `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | @@ -852,6 +852,51 @@ _Appears in:_ | `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | +#### CustomResponse + + + +CustomResponse defines the configuration for returning a custom response. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | + + +#### CustomResponseBody + + + +CustomResponseBody + +_Appears in:_ +- [CustomResponse](#customresponse) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value. | +| `inline` | _string_ | false | Inline contains the value as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | + + +#### CustomResponseMatch + + + +CustomResponseMatch defines the configuration for matching a user response to return a custom one. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `statusCode` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | + + #### CustomTag @@ -2295,8 +2340,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `provider` | _string_ | true | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | | `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | -| `scopes` | _string array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | +| `scopes` | _[JWTScope](#jwtscope) array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | #### JWTProvider @@ -2319,6 +2365,17 @@ _Appears in:_ | `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | +#### JWTScope + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + + + #### KubernetesContainerSpec @@ -2807,10 +2864,7 @@ _Appears in:_ -Principal specifies the client identity of a request. -A client identity can be a client IP, a JWT claim, username from the Authorization header, -or any other identity that can be extracted from a custom header. -Currently, only the client IP is supported. +If there are multiple principal types, all principals must match for the rule to match. _Appears in:_ - [AuthorizationRule](#authorizationrule) @@ -2946,6 +3000,21 @@ _Appears in:_ | `OpenTelemetry` | ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
When the provider is Kubernetes, EnvoyGateway always sends `k8s.namespace.name`
and `k8s.pod.name` as additional attributes.
| +#### ProxyAccessLogType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProxyAccessLogSetting](#proxyaccesslogsetting) + +| Value | Description | +| ----- | ----------- | +| `Listener` | ProxyAccessLogTypeListener defines the accesslog for Listeners.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
| +| `Route` | ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log
| + + #### ProxyBootstrap @@ -3029,8 +3098,9 @@ _Appears in:_ | `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | | `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | | `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | -| `enableVirtualHostStats` | _boolean_ | true | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | -| `enablePerEndpointStats` | _boolean_ | true | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableVirtualHostStats` | _boolean_ | false | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | +| `enablePerEndpointStats` | _boolean_ | false | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableRequestResponseSizesStats` | _boolean_ | false | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | #### ProxyOpenTelemetrySink @@ -3426,6 +3496,32 @@ _Appears in:_ | `File` | ResourceProviderTypeFile defines the "File" provider.
| +#### ResponseOverride + + + +ResponseOverride defines the configuration to override specific responses with a custom one. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | Match configuration. | +| `response` | _[CustomResponse](#customresponse)_ | true | Response configuration. | + + +#### ResponseValueType + +_Underlying type:_ _string_ + +ResponseValueType defines the types of values for the response body supported by Envoy Gateway. + +_Appears in:_ +- [CustomResponseBody](#customresponsebody) + + + #### RetryOn @@ -3608,6 +3704,48 @@ _Appears in:_ | `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| +#### StatusCodeMatch + + + + + +_Appears in:_ +- [CustomResponseMatch](#customresponsematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value. | +| `value` | _string_ | false | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | + + +#### StatusCodeRange + + + +StatusCodeRange defines the configuration for define a range of status codes. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `start` | _integer_ | true | Start of the range, including the start value. | +| `end` | _integer_ | true | End of the range, including the end value. | + + +#### StatusCodeValueType + +_Underlying type:_ _string_ + +StatusCodeValueType defines the types of values for the status code match supported by Envoy Gateway. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + + + #### StringMatch @@ -3784,6 +3922,7 @@ _Appears in:_ | `OpenTelemetry` | | | `OpenTelemetry` | | | `Zipkin` | | +| `Datadog` | | #### TriggerEnum diff --git a/site/content/en/latest/install/gateway-addons-helm-api.md b/site/content/en/latest/install/gateway-addons-helm-api.md index 448aa91e504..a0ae0ed62f6 100644 --- a/site/content/en/latest/install/gateway-addons-helm-api.md +++ b/site/content/en/latest/install/gateway-addons-helm-api.md @@ -63,6 +63,7 @@ An Add-ons Helm chart for Envoy Gateway | grafana.enabled | bool | `true` | | | grafana.fullnameOverride | string | `"grafana"` | | | grafana.service.type | string | `"LoadBalancer"` | | +| grafana.testFramework.enabled | bool | `false` | | | loki.backend.replicas | int | `0` | | | loki.deploymentMode | string | `"SingleBinary"` | | | loki.enabled | bool | `true` | | diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 2b0f8e24d6a..937a74452ab 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md @@ -55,6 +55,7 @@ The Helm chart for Envoy Gateway | deployment.ports[3].name | string | `"metrics"` | | | deployment.ports[3].port | int | `19001` | | | deployment.ports[3].targetPort | int | `19001` | | +| deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | | global.images.envoyGateway.image | string | `nil` | | | global.images.envoyGateway.pullPolicy | string | `nil` | | @@ -64,4 +65,5 @@ The Helm chart for Envoy Gateway | global.images.ratelimit.pullSecrets | list | `[]` | | | kubernetesClusterDomain | string | `"cluster.local"` | | | podDisruptionBudget.minAvailable | int | `0` | | +| service.annotations | object | `{}` | | diff --git a/site/content/en/latest/tasks/quickstart.md b/site/content/en/latest/tasks/quickstart.md index 802b7989a88..e1943c21e92 100644 --- a/site/content/en/latest/tasks/quickstart.md +++ b/site/content/en/latest/tasks/quickstart.md @@ -12,7 +12,7 @@ A Kubernetes cluster. __Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix) for supported Kubernetes versions. -__Note:__ In case your Kubernetes cluster, does not have a LoadBalancer implementation, we recommend installing one +__Note:__ In case your Kubernetes cluster does not have a LoadBalancer implementation, we recommend installing one so the `Gateway` resource has an Address associated with it. We recommend using [MetalLB](https://metallb.universe.tf/installation/). __Note:__ For Mac user, you need install and run [Docker Mac Net Connect](https://github.com/chipmk/docker-mac-net-connect) to make the Docker network work. diff --git a/site/content/en/v1.1/tasks/quickstart.md b/site/content/en/v1.1/tasks/quickstart.md index 802b7989a88..e1943c21e92 100644 --- a/site/content/en/v1.1/tasks/quickstart.md +++ b/site/content/en/v1.1/tasks/quickstart.md @@ -12,7 +12,7 @@ A Kubernetes cluster. __Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix) for supported Kubernetes versions. -__Note:__ In case your Kubernetes cluster, does not have a LoadBalancer implementation, we recommend installing one +__Note:__ In case your Kubernetes cluster does not have a LoadBalancer implementation, we recommend installing one so the `Gateway` resource has an Address associated with it. We recommend using [MetalLB](https://metallb.universe.tf/installation/). __Note:__ For Mac user, you need install and run [Docker Mac Net Connect](https://github.com/chipmk/docker-mac-net-connect) to make the Docker network work. diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index b716d7ad3f0..193e698722c 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -240,7 +240,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule.n | +| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | | `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | | `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | @@ -852,6 +852,51 @@ _Appears in:_ | `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | +#### CustomResponse + + + +CustomResponse defines the configuration for returning a custom response. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | + + +#### CustomResponseBody + + + +CustomResponseBody + +_Appears in:_ +- [CustomResponse](#customresponse) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value. | +| `inline` | _string_ | false | Inline contains the value as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | + + +#### CustomResponseMatch + + + +CustomResponseMatch defines the configuration for matching a user response to return a custom one. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `statusCode` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | + + #### CustomTag @@ -2295,8 +2340,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `provider` | _string_ | true | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | | `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | -| `scopes` | _string array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | +| `scopes` | _[JWTScope](#jwtscope) array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | #### JWTProvider @@ -2319,6 +2365,17 @@ _Appears in:_ | `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | +#### JWTScope + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + + + #### KubernetesContainerSpec @@ -2807,10 +2864,7 @@ _Appears in:_ -Principal specifies the client identity of a request. -A client identity can be a client IP, a JWT claim, username from the Authorization header, -or any other identity that can be extracted from a custom header. -Currently, only the client IP is supported. +If there are multiple principal types, all principals must match for the rule to match. _Appears in:_ - [AuthorizationRule](#authorizationrule) @@ -2946,6 +3000,21 @@ _Appears in:_ | `OpenTelemetry` | ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
When the provider is Kubernetes, EnvoyGateway always sends `k8s.namespace.name`
and `k8s.pod.name` as additional attributes.
| +#### ProxyAccessLogType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProxyAccessLogSetting](#proxyaccesslogsetting) + +| Value | Description | +| ----- | ----------- | +| `Listener` | ProxyAccessLogTypeListener defines the accesslog for Listeners.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
| +| `Route` | ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log
| + + #### ProxyBootstrap @@ -3029,8 +3098,9 @@ _Appears in:_ | `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | | `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | | `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | -| `enableVirtualHostStats` | _boolean_ | true | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | -| `enablePerEndpointStats` | _boolean_ | true | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableVirtualHostStats` | _boolean_ | false | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | +| `enablePerEndpointStats` | _boolean_ | false | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableRequestResponseSizesStats` | _boolean_ | false | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | #### ProxyOpenTelemetrySink @@ -3426,6 +3496,32 @@ _Appears in:_ | `File` | ResourceProviderTypeFile defines the "File" provider.
| +#### ResponseOverride + + + +ResponseOverride defines the configuration to override specific responses with a custom one. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | Match configuration. | +| `response` | _[CustomResponse](#customresponse)_ | true | Response configuration. | + + +#### ResponseValueType + +_Underlying type:_ _string_ + +ResponseValueType defines the types of values for the response body supported by Envoy Gateway. + +_Appears in:_ +- [CustomResponseBody](#customresponsebody) + + + #### RetryOn @@ -3608,6 +3704,48 @@ _Appears in:_ | `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| +#### StatusCodeMatch + + + + + +_Appears in:_ +- [CustomResponseMatch](#customresponsematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value. | +| `value` | _string_ | false | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | + + +#### StatusCodeRange + + + +StatusCodeRange defines the configuration for define a range of status codes. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `start` | _integer_ | true | Start of the range, including the start value. | +| `end` | _integer_ | true | End of the range, including the end value. | + + +#### StatusCodeValueType + +_Underlying type:_ _string_ + +StatusCodeValueType defines the types of values for the status code match supported by Envoy Gateway. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + + + #### StringMatch @@ -3784,6 +3922,7 @@ _Appears in:_ | `OpenTelemetry` | | | `OpenTelemetry` | | | `Zipkin` | | +| `Datadog` | | #### TriggerEnum diff --git a/site/content/zh/latest/install/gateway-addons-helm-api.md b/site/content/zh/latest/install/gateway-addons-helm-api.md index 448aa91e504..a0ae0ed62f6 100644 --- a/site/content/zh/latest/install/gateway-addons-helm-api.md +++ b/site/content/zh/latest/install/gateway-addons-helm-api.md @@ -63,6 +63,7 @@ An Add-ons Helm chart for Envoy Gateway | grafana.enabled | bool | `true` | | | grafana.fullnameOverride | string | `"grafana"` | | | grafana.service.type | string | `"LoadBalancer"` | | +| grafana.testFramework.enabled | bool | `false` | | | loki.backend.replicas | int | `0` | | | loki.deploymentMode | string | `"SingleBinary"` | | | loki.enabled | bool | `true` | | diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md index 2b0f8e24d6a..937a74452ab 100644 --- a/site/content/zh/latest/install/gateway-helm-api.md +++ b/site/content/zh/latest/install/gateway-helm-api.md @@ -55,6 +55,7 @@ The Helm chart for Envoy Gateway | deployment.ports[3].name | string | `"metrics"` | | | deployment.ports[3].port | int | `19001` | | | deployment.ports[3].targetPort | int | `19001` | | +| deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | | global.images.envoyGateway.image | string | `nil` | | | global.images.envoyGateway.pullPolicy | string | `nil` | | @@ -64,4 +65,5 @@ The Helm chart for Envoy Gateway | global.images.ratelimit.pullSecrets | list | `[]` | | | kubernetesClusterDomain | string | `"cluster.local"` | | | podDisruptionBudget.minAvailable | int | `0` | | +| service.annotations | object | `{}` | | diff --git a/test/benchmark/benchmark_test.go b/test/benchmark/benchmark_test.go index 5ef46c08f56..a1dc6167b91 100644 --- a/test/benchmark/benchmark_test.go +++ b/test/benchmark/benchmark_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build benchmark -// +build benchmark package benchmark diff --git a/test/benchmark/suite/flags.go b/test/benchmark/suite/flags.go index f8ec9ca168b..4f23f0780f4 100644 --- a/test/benchmark/suite/flags.go +++ b/test/benchmark/suite/flags.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build benchmark -// +build benchmark package suite diff --git a/test/benchmark/suite/options.go b/test/benchmark/suite/options.go index 13a8a82a3c2..f16ccf41dae 100644 --- a/test/benchmark/suite/options.go +++ b/test/benchmark/suite/options.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build benchmark -// +build benchmark package suite diff --git a/test/benchmark/suite/render.go b/test/benchmark/suite/render.go index 69992fb69ee..413d02502d8 100644 --- a/test/benchmark/suite/render.go +++ b/test/benchmark/suite/render.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build benchmark -// +build benchmark package suite diff --git a/test/benchmark/suite/report.go b/test/benchmark/suite/report.go index b9ecbea9701..b159e798600 100644 --- a/test/benchmark/suite/report.go +++ b/test/benchmark/suite/report.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build benchmark -// +build benchmark package suite diff --git a/test/benchmark/suite/suite.go b/test/benchmark/suite/suite.go index 58bbcce4cd2..014d841798a 100644 --- a/test/benchmark/suite/suite.go +++ b/test/benchmark/suite/suite.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build benchmark -// +build benchmark package suite diff --git a/test/benchmark/tests/scale_httproutes.go b/test/benchmark/tests/scale_httproutes.go index a22b7dcda3b..1431032bcec 100644 --- a/test/benchmark/tests/scale_httproutes.go +++ b/test/benchmark/tests/scale_httproutes.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build benchmark -// +build benchmark package tests diff --git a/test/benchmark/tests/tests.go b/test/benchmark/tests/tests.go index 0aa49a13bb1..052ea356daa 100644 --- a/test/benchmark/tests/tests.go +++ b/test/benchmark/tests/tests.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build benchmark -// +build benchmark package tests diff --git a/test/cel-validation/backend_test.go b/test/cel-validation/backend_test.go index c78e22ae24c..7b29c4353a7 100644 --- a/test/cel-validation/backend_test.go +++ b/test/cel-validation/backend_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build celvalidation -// +build celvalidation package celvalidation diff --git a/test/cel-validation/backendtrafficpolicy_test.go b/test/cel-validation/backendtrafficpolicy_test.go index 2755295336d..49f033eb6ae 100644 --- a/test/cel-validation/backendtrafficpolicy_test.go +++ b/test/cel-validation/backendtrafficpolicy_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build celvalidation -// +build celvalidation package celvalidation diff --git a/test/cel-validation/clienttrafficpolicy_test.go b/test/cel-validation/clienttrafficpolicy_test.go index b57adf7d025..14dd915d78a 100644 --- a/test/cel-validation/clienttrafficpolicy_test.go +++ b/test/cel-validation/clienttrafficpolicy_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build celvalidation -// +build celvalidation package celvalidation diff --git a/test/cel-validation/envoyextensionpolicy_test.go b/test/cel-validation/envoyextensionpolicy_test.go index 5e0e1f37ad9..7c9c168df10 100644 --- a/test/cel-validation/envoyextensionpolicy_test.go +++ b/test/cel-validation/envoyextensionpolicy_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build celvalidation -// +build celvalidation package celvalidation diff --git a/test/cel-validation/envoyproxy_test.go b/test/cel-validation/envoyproxy_test.go index 865da4ac306..8a2b198a18a 100644 --- a/test/cel-validation/envoyproxy_test.go +++ b/test/cel-validation/envoyproxy_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build celvalidation -// +build celvalidation package celvalidation diff --git a/test/cel-validation/httproutefilter_test.go b/test/cel-validation/httproutefilter_test.go index e9ebf380fb6..67a9e4455bb 100644 --- a/test/cel-validation/httproutefilter_test.go +++ b/test/cel-validation/httproutefilter_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build celvalidation -// +build celvalidation package celvalidation diff --git a/test/cel-validation/main_test.go b/test/cel-validation/main_test.go index 30ab253d7de..dd6f4d39fa7 100644 --- a/test/cel-validation/main_test.go +++ b/test/cel-validation/main_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build celvalidation -// +build celvalidation package celvalidation diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go index 92d179fec6d..c4efa812d58 100644 --- a/test/cel-validation/securitypolicy_test.go +++ b/test/cel-validation/securitypolicy_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build celvalidation -// +build celvalidation package celvalidation diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go index ce7dce052ab..b27cb0cc69d 100644 --- a/test/conformance/conformance_test.go +++ b/test/conformance/conformance_test.go @@ -4,14 +4,16 @@ // the root of the repo. //go:build conformance -// +build conformance package conformance import ( "flag" + "os" "testing" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/gateway-api/conformance" "sigs.k8s.io/gateway-api/conformance/tests" "sigs.k8s.io/gateway-api/conformance/utils/suite" @@ -21,6 +23,7 @@ import ( func TestGatewayAPIConformance(t *testing.T) { flag.Parse() + log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) opts := conformance.DefaultOptions(t) opts.SkipTests = internalconf.EnvoyGatewaySuite.SkipTests diff --git a/test/conformance/experimental_conformance_test.go b/test/conformance/experimental_conformance_test.go index d337dbfe526..ea1fb0389e0 100644 --- a/test/conformance/experimental_conformance_test.go +++ b/test/conformance/experimental_conformance_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build experimental -// +build experimental package conformance @@ -15,6 +14,8 @@ import ( "github.com/stretchr/testify/require" "k8s.io/apimachinery/pkg/util/sets" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/gateway-api/conformance" conformancev1 "sigs.k8s.io/gateway-api/conformance/apis/v1" "sigs.k8s.io/gateway-api/conformance/tests" @@ -27,6 +28,7 @@ import ( func TestExperimentalConformance(t *testing.T) { flag.Parse() + log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) opts := conformance.DefaultOptions(t) opts.SkipTests = internalconf.EnvoyGatewaySuite.SkipTests diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index ef186153eef..7267bbd2d75 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -4,16 +4,18 @@ // the root of the repo. //go:build e2e -// +build e2e package e2e import ( "flag" "io/fs" + "os" "testing" "k8s.io/apimachinery/pkg/util/sets" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/gateway-api/conformance/utils/flags" "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" @@ -25,6 +27,7 @@ import ( func TestE2E(t *testing.T) { flag.Parse() + log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) c, cfg := kubetest.NewClient(t) @@ -46,7 +49,7 @@ func TestE2E(t *testing.T) { RunTest: *flags.RunTest, // SupportedFeatures cannot be empty, so we set it to SupportGateway // All e2e tests should leave Features empty. - SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway), + SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), SkipTests: []string{ tests.GatewayInfraResourceTest.ShortName, // https://github.com/envoyproxy/gateway/issues/3191 }, diff --git a/test/e2e/embed.go b/test/e2e/embed.go index 7bf3080fac2..d8f32cf2d7c 100644 --- a/test/e2e/embed.go +++ b/test/e2e/embed.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package e2e diff --git a/test/e2e/merge_gateways/merge_gateways_test.go b/test/e2e/merge_gateways/merge_gateways_test.go index fe8c616d2ed..ffa1e1774e5 100644 --- a/test/e2e/merge_gateways/merge_gateways_test.go +++ b/test/e2e/merge_gateways/merge_gateways_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package mergegateways @@ -47,7 +46,7 @@ func TestMergeGateways(t *testing.T) { RunTest: *flags.RunTest, // SupportedFeatures cannot be empty, so we set it to SupportGateway // All e2e tests should leave Features empty. - SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway), + SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), SkipTests: []string{}, }) if err != nil { diff --git a/test/e2e/multiple_gc/multiple_gc_test.go b/test/e2e/multiple_gc/multiple_gc_test.go index 571d1afd33d..700ed86e03f 100644 --- a/test/e2e/multiple_gc/multiple_gc_test.go +++ b/test/e2e/multiple_gc/multiple_gc_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package multiplegc @@ -27,7 +26,6 @@ import ( func TestMultipleGC(t *testing.T) { flag.Parse() - c, cfg := kubetest.NewClient(t) if flags.RunTest != nil && *flags.RunTest != "" { @@ -50,7 +48,7 @@ func TestMultipleGC(t *testing.T) { RunTest: *flags.RunTest, // SupportedFeatures cannot be empty, so we set it to SupportGateway // All e2e tests should leave Features empty. - SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway), + SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), SkipTests: []string{}, }) if err != nil { @@ -76,13 +74,14 @@ func TestMultipleGC(t *testing.T) { privateGatewaySuiteGatewayClassName := "private" privateGatewaySuite, err := suite.NewConformanceTestSuite(suite.ConformanceOptions{ Client: c, + RestConfig: cfg, GatewayClassName: privateGatewaySuiteGatewayClassName, Debug: *flags.ShowDebug, CleanupBaseResources: *flags.CleanupBaseResources, RunTest: *flags.RunTest, // SupportedFeatures cannot be empty, so we set it to SupportGateway // All e2e tests should leave Features empty. - SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway), + SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), SkipTests: []string{}, }) if err != nil { diff --git a/test/e2e/testdata/authorization-jwt.yaml b/test/e2e/testdata/authorization-jwt.yaml new file mode 100644 index 00000000000..5d3e31ea12e --- /dev/null +++ b/test/e2e/testdata/authorization-jwt.yaml @@ -0,0 +1,143 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-with-authorization-jwt-claim + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: Exact + value: /claim-test + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-with-authorization-jwt-scope + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: Exact + value: /scope-test + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-with-authorization-jwt-combined + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: Exact + value: /combined-test + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: authorization-jwt-claim + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-with-authorization-jwt-claim + jwt: + providers: + - name: example + issuer: https://foo.bar.com + remoteJWKS: + uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json + authorization: + defaultAction: Deny + rules: + - name: "allow" + action: Allow + principal: + jwt: + provider: example + claims: + - name: user.name + values: ["John Doe"] + - name: sub + values: ["1234567890"] + - name: user.roles + valueType: StringArray + values: ["admin"] +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: authorization-jwt-scope + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-with-authorization-jwt-scope + jwt: + providers: + - name: example + issuer: https://foo.bar.com + remoteJWKS: + uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json + authorization: + defaultAction: Deny + rules: + - name: "allow" + action: Allow + principal: + jwt: + provider: example + scopes: ["read", "add", "modify"] +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: authorization-jwt-combined + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-with-authorization-jwt-combined + jwt: + providers: + - name: example + issuer: https://foo.bar.com + remoteJWKS: + uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json + authorization: + defaultAction: Deny + rules: + - name: "allow" + action: Allow + principal: + jwt: + provider: example + scopes: ["read", "add", "modify"] + claims: + - name: user.name + values: ["John Doe"] + - name: sub + values: ["1234567890"] + - name: user.roles + valueType: StringArray + values: ["admin"] diff --git a/test/e2e/tests/accesslog.go b/test/e2e/tests/accesslog.go index 4d7fbd11844..2019d92568c 100644 --- a/test/e2e/tests/accesslog.go +++ b/test/e2e/tests/accesslog.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/authorization_client_ip.go b/test/e2e/tests/authorization_client_ip.go index 8ac95845c4a..8887c46b1a0 100644 --- a/test/e2e/tests/authorization_client_ip.go +++ b/test/e2e/tests/authorization_client_ip.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/authorization_default_action.go b/test/e2e/tests/authorization_default_action.go index 7eaed07b306..88462808dd9 100644 --- a/test/e2e/tests/authorization_default_action.go +++ b/test/e2e/tests/authorization_default_action.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/authorization_jwt.go b/test/e2e/tests/authorization_jwt.go new file mode 100644 index 00000000000..66f5a526a2d --- /dev/null +++ b/test/e2e/tests/authorization_jwt.go @@ -0,0 +1,185 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" + + "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" +) + +// { +// "iss": "https://foo.bar.com", +// "sub": "1234567890", +// "user": { +// "name": "John Doe", +// "email": "john.doe@example.com", +// "roles": ["admin", "editor"] +// }, +// "premium_user": true, +// "iat": 1516239022, +// "scope": "read add delete modify" +// } +// +// nolint: gosec +const ( + jwtToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGVzIjpbImFkbWluIiwiZWRpdG9yIl19LCJwcmVtaXVtX3VzZXIiOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUiOiJyZWFkIGFkZCBkZWxldGUgbW9kaWZ5In0.P36iAlmiRCC79OiB3vstF5Q_9OqUYAMGF3a3H492GlojbV6DcuOz8YIEYGsRSWc-BNJaBKlyvUKsKsGVPtYbbF8ajwZTs64wyO-zhd2R8riPkg_HsW7iwGswV12f5iVRpfQ4AG2owmdOToIaoch0aym89He1ZzEjcShr9olgqlAbbmhnk-namd1rP-xpzPnWhhIVI3mCz5hYYgDTMcM7qbokM5FzFttTRXAn5_Luor23U1062Ct_K53QArwxBvwJ-QYiqcBycHf-hh6sMx_941cUswrZucCpa-EwA3piATf9PKAyeeWHfHV9X-y8ipGOFg3mYMMVBuUZ1lBkJCik9f9kboRY6QzpOISARQj9PKMXfxZdIPNuGmA7msSNAXQgqkvbx04jMwb9U7eCEdGZztH4C8LhlRjgj0ZdD7eNbRjeH2F6zrWyMUpGWaWyq6rMuP98W2DWM5ZflK6qvT1c7FuFsWPvWLkgxQwTWQKrHdKwdbsu32Sj8VtUBJ0-ddEb" + // { + // "iss": "https://foo.bar.com", + // "sub": "1234567890", + // "user": { + // "name": "Alice Smith", + // "email": "alice.smith@example.com", + // "roles": ["developer"] + // }, + // "premium_user": false, + // "iat": 1516239022, + // "scope": "read add delete" + // } + // + // nolint: gosec + jwtTokenWithoutRequiredValues = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkFsaWNlIFNtaXRoIiwiZW1haWwiOiJhbGljZS5zbWl0aEBleGFtcGxlLmNvbSIsInJvbGVzIjpbImRldmVsb3BlciJdfSwicHJlbWl1bV91c2VyIjpmYWxzZSwiaWF0IjoxNTE2MjM5MDIyLCJzY29wZSI6InJlYWQgYWRkIGRlbGV0ZSJ9.Da547nNXzuQXm5E7LuLAiyFswXsW4RDhuitD_rpadtR7PTwzzOsJoqrVWJ_u1jJDaOTWIpLF4gwxDoY-Aoz_couzXzlAbECLs45ZFoc_UdffpfIbGKqTZx8VtwKuDLFsAeDDDqqx1flxFhvXHftJJdZYr1FgFz9u-absMmRU90DLmEZX3Hnyc8k8eBgeiu6vsWUD0-aNy8cWkFRbwRggkGmucFyUTG8Z1MY3iyH5E66W-ISoX8G9bzE9PTxVAAPDTvefD5iLJPSDJ8qV69OuMCJ8Dczq0L9Dd_w0sF-D1s9MTvexmGg4zBWluJ3r-pU9NHEdhqBypehp_yH8xF5Rt9AE7stZ4oPFZNyfrtkE-4IOnSEkMmzcC65g_rscn0ycerv4N5ZNpkr0x2IYYM4iGuo-ULv5Htnli3rffST45kx1XA8cdsrT1D0K3aPxdIxDIk8sTJf5-WVqRyo-bwxXXltwQLB9jCM_7QbTWQBYAJwUpi-0RW4jCl44-42gZnXf" +) + +func init() { + ConformanceTests = append(ConformanceTests, AuthorizationJWTTest) +} + +var AuthorizationJWTTest = suite.ConformanceTest{ + ShortName: "Authorization with jwt claims and scopes", + Description: "Authorization with jwt claims and scopes", + Manifests: []string{"testdata/authorization-jwt.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + route1NN := types.NamespacedName{Name: "http-with-authorization-jwt-claim", Namespace: ns} + route2NN := types.NamespacedName{Name: "http-with-authorization-jwt-scope", Namespace: ns} + route3NN := types.NamespacedName{Name: "http-with-authorization-jwt-combined", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), route1NN, route2NN, route3NN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(resource.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "authorization-jwt-claim", Namespace: ns}, suite.ControllerName, ancestorRef) + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "authorization-jwt-scope", Namespace: ns}, suite.ControllerName, ancestorRef) + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "authorization-jwt-combined", Namespace: ns}, suite.ControllerName, ancestorRef) + + t.Run("allow requests with jwt claims", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/claim-test", + Headers: map[string]string{ + "Authorization": "Bearer " + jwtToken, + }, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + + t.Run("deny requests with jwt claims that do not match the required claim value", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/claim-test", + Headers: map[string]string{ + "Authorization": "Bearer " + jwtTokenWithoutRequiredValues, + }, + }, + Response: http.Response{ + StatusCode: 403, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + + t.Run("allow requests with jwt scopes", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/scope-test", + Headers: map[string]string{ + "Authorization": "Bearer " + jwtToken, + }, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + + t.Run("deny requests with jwt scopes that do not match the required scope value", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/scope-test", + Headers: map[string]string{ + "Authorization": "Bearer " + jwtTokenWithoutRequiredValues, + }, + }, + Response: http.Response{ + StatusCode: 403, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + + t.Run("allow requests with jwt claims and scopes", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/combined-test", + Headers: map[string]string{ + "Authorization": "Bearer " + jwtToken, + }, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + + t.Run("deny requests with jwt scopes and claims that do not match the required scope and claim values", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/combined-test", + Headers: map[string]string{ + "Authorization": "Bearer " + jwtTokenWithoutRequiredValues, + }, + }, + Response: http.Response{ + StatusCode: 403, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + }, +} diff --git a/test/e2e/tests/backend_health_check.go b/test/e2e/tests/backend_health_check.go index e2fc3d7d27c..bfb033499d2 100644 --- a/test/e2e/tests/backend_health_check.go +++ b/test/e2e/tests/backend_health_check.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/backend_tls.go b/test/e2e/tests/backend_tls.go index dea222b477f..7fa66f28308 100644 --- a/test/e2e/tests/backend_tls.go +++ b/test/e2e/tests/backend_tls.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/backend_tls_settings.go b/test/e2e/tests/backend_tls_settings.go index 0fdbdf10d62..e007a791fdd 100644 --- a/test/e2e/tests/backend_tls_settings.go +++ b/test/e2e/tests/backend_tls_settings.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/backend_upgrade.go b/test/e2e/tests/backend_upgrade.go index 261ee9acb63..e7bbf897c41 100644 --- a/test/e2e/tests/backend_upgrade.go +++ b/test/e2e/tests/backend_upgrade.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/backendtrafficpolicy_translation_failed.go b/test/e2e/tests/backendtrafficpolicy_translation_failed.go index f76eee15710..e5a0fab0cbc 100644 --- a/test/e2e/tests/backendtrafficpolicy_translation_failed.go +++ b/test/e2e/tests/backendtrafficpolicy_translation_failed.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/basic_auth.go b/test/e2e/tests/basic_auth.go index bcedeb21db9..8510de1998d 100644 --- a/test/e2e/tests/basic_auth.go +++ b/test/e2e/tests/basic_auth.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/circuitbreaker.go b/test/e2e/tests/circuitbreaker.go index 2f24d2ab3c8..1261a0e88d8 100644 --- a/test/e2e/tests/circuitbreaker.go +++ b/test/e2e/tests/circuitbreaker.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/client_mtls.go b/test/e2e/tests/client_mtls.go index bed591a1152..8d753cc766a 100644 --- a/test/e2e/tests/client_mtls.go +++ b/test/e2e/tests/client_mtls.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/client_timeout.go b/test/e2e/tests/client_timeout.go index 9a11f7a706a..faffec9df7b 100644 --- a/test/e2e/tests/client_timeout.go +++ b/test/e2e/tests/client_timeout.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/connection_limit.go b/test/e2e/tests/connection_limit.go index fca62d3a9e6..15e316fec47 100644 --- a/test/e2e/tests/connection_limit.go +++ b/test/e2e/tests/connection_limit.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/controlplane.go b/test/e2e/tests/controlplane.go index 56577c880ac..a5d29ab2600 100644 --- a/test/e2e/tests/controlplane.go +++ b/test/e2e/tests/controlplane.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/cors.go b/test/e2e/tests/cors.go index 50063f5cd3f..4308ee0799c 100644 --- a/test/e2e/tests/cors.go +++ b/test/e2e/tests/cors.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/eg_upgrade.go b/test/e2e/tests/eg_upgrade.go index 5a394d134f1..385952bd2a5 100644 --- a/test/e2e/tests/eg_upgrade.go +++ b/test/e2e/tests/eg_upgrade.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests @@ -53,6 +52,7 @@ var EGUpgradeTest = suite.ConformanceTest{ depNS := "envoy-gateway-system" lastVersionTag := os.Getenv("last_version_tag") if lastVersionTag == "" { + // Use v1.0.2 instead of v1.1.2 due to https://github.com/envoyproxy/gateway/issues/4336 lastVersionTag = "v1.0.2" // Default version tag if not specified } @@ -274,13 +274,14 @@ func migrateChartCRDs(actionConfig *action.Configuration, gatewayChart *chart.Ch } for _, crd := range crds { - if crd.Name == "backendtlspolicies.gateway.networking.k8s.io" { + if crd.Name == "backendtlspolicies.gateway.networking.k8s.io" || + crd.Name == "grpcroutes.gateway.networking.k8s.io" { newVersion, err := getGWAPIVersion(crd.Object) if err != nil { return err } // https://gateway-api.sigs.k8s.io/guides/?h=upgrade#v11-upgrade-notes - if newVersion == "v1.1.0" { + if newVersion == "v1.2.0-rc2" { helper := resource.NewHelper(crd.Client, crd.Mapping) existingCRD, err := helper.Get(crd.Namespace, crd.Name) if kerrors.IsNotFound(err) { @@ -294,7 +295,7 @@ func migrateChartCRDs(actionConfig *action.Configuration, gatewayChart *chart.Ch } if existingVersion == "v1.0.0" { - // Delete the existing instance of the BTLS CRD + // Delete the existing instance of the BTLS and GRPCRoute CRDs _, errs := actionConfig.KubeClient.Delete([]*resource.Info{crd}) if errs != nil { return fmt.Errorf("failed to delete backendtlspolicies: %s", util.MultipleErrors("", errs)) diff --git a/test/e2e/tests/envoy_patch_policy.go b/test/e2e/tests/envoy_patch_policy.go index 2486518ac31..2c93872841e 100644 --- a/test/e2e/tests/envoy_patch_policy.go +++ b/test/e2e/tests/envoy_patch_policy.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/envoy_shutdown.go b/test/e2e/tests/envoy_shutdown.go index 6b5a35f490a..24e6b334637 100644 --- a/test/e2e/tests/envoy_shutdown.go +++ b/test/e2e/tests/envoy_shutdown.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/ext_auth_grpc_service.go b/test/e2e/tests/ext_auth_grpc_service.go index 430496675ea..123a6af3e75 100644 --- a/test/e2e/tests/ext_auth_grpc_service.go +++ b/test/e2e/tests/ext_auth_grpc_service.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/ext_auth_http_backend.go b/test/e2e/tests/ext_auth_http_backend.go index dd0e24c86c3..e05134b1862 100644 --- a/test/e2e/tests/ext_auth_http_backend.go +++ b/test/e2e/tests/ext_auth_http_backend.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/ext_auth_http_service.go b/test/e2e/tests/ext_auth_http_service.go index d7415590485..2c39699ef93 100644 --- a/test/e2e/tests/ext_auth_http_service.go +++ b/test/e2e/tests/ext_auth_http_service.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/ext_proc.go b/test/e2e/tests/ext_proc.go index dbbb4defaec..033da67f6bd 100644 --- a/test/e2e/tests/ext_proc.go +++ b/test/e2e/tests/ext_proc.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/fault_injection.go b/test/e2e/tests/fault_injection.go index 76fa27c4964..fffb8b578fa 100644 --- a/test/e2e/tests/fault_injection.go +++ b/test/e2e/tests/fault_injection.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/gateway_infra_resource.go b/test/e2e/tests/gateway_infra_resource.go index 7a468b80f60..213b6de1238 100644 --- a/test/e2e/tests/gateway_infra_resource.go +++ b/test/e2e/tests/gateway_infra_resource.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/header_settings.go b/test/e2e/tests/header_settings.go index ee5be4c3dfc..699f6baa975 100644 --- a/test/e2e/tests/header_settings.go +++ b/test/e2e/tests/header_settings.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/httproute_rewrite_full_path.go b/test/e2e/tests/httproute_rewrite_full_path.go index dd043571cbf..52083880256 100644 --- a/test/e2e/tests/httproute_rewrite_full_path.go +++ b/test/e2e/tests/httproute_rewrite_full_path.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/httproute_rewrite_regex_path.go b/test/e2e/tests/httproute_rewrite_regex_path.go index 975d2ec8868..bad6811d350 100644 --- a/test/e2e/tests/httproute_rewrite_regex_path.go +++ b/test/e2e/tests/httproute_rewrite_regex_path.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/jwt.go b/test/e2e/tests/jwt.go index fc7e826dd46..2ab756fcf3c 100644 --- a/test/e2e/tests/jwt.go +++ b/test/e2e/tests/jwt.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/listener_health_check.go b/test/e2e/tests/listener_health_check.go index 483a54caab1..14f4a8974d0 100644 --- a/test/e2e/tests/listener_health_check.go +++ b/test/e2e/tests/listener_health_check.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/load_balancing.go b/test/e2e/tests/load_balancing.go index 9f368dc0106..462916f76c1 100644 --- a/test/e2e/tests/load_balancing.go +++ b/test/e2e/tests/load_balancing.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/local_ratelimit.go b/test/e2e/tests/local_ratelimit.go index a4c1accee6f..4a630d1ed67 100644 --- a/test/e2e/tests/local_ratelimit.go +++ b/test/e2e/tests/local_ratelimit.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/merge_gateways.go b/test/e2e/tests/merge_gateways.go index c00cb3e84b7..018856d0fc7 100644 --- a/test/e2e/tests/merge_gateways.go +++ b/test/e2e/tests/merge_gateways.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/metric.go b/test/e2e/tests/metric.go index b9814f41e56..c1cc49bbb61 100644 --- a/test/e2e/tests/metric.go +++ b/test/e2e/tests/metric.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/multiple_gc.go b/test/e2e/tests/multiple_gc.go index 9b56ed1e2e4..2718aa8e93e 100644 --- a/test/e2e/tests/multiple_gc.go +++ b/test/e2e/tests/multiple_gc.go @@ -6,7 +6,6 @@ // This file contains code derived from upstream gateway-api, it will be moved to upstream. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index 4fcbabdc445..27fb79be9b3 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/preservecase.go b/test/e2e/tests/preservecase.go index 458bebd8219..82e865aaad0 100644 --- a/test/e2e/tests/preservecase.go +++ b/test/e2e/tests/preservecase.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index f564eec6dd4..80064e6d906 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/redirect_replaceprefixmatch_slash.go b/test/e2e/tests/redirect_replaceprefixmatch_slash.go index c1986809000..272f259ee99 100644 --- a/test/e2e/tests/redirect_replaceprefixmatch_slash.go +++ b/test/e2e/tests/redirect_replaceprefixmatch_slash.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/referencegrants.go b/test/e2e/tests/referencegrants.go index 903e64598bc..c17443130fd 100644 --- a/test/e2e/tests/referencegrants.go +++ b/test/e2e/tests/referencegrants.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/retry.go b/test/e2e/tests/retry.go index ca18d09c014..8b0b78a68ed 100644 --- a/test/e2e/tests/retry.go +++ b/test/e2e/tests/retry.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/route_with_backend.go b/test/e2e/tests/route_with_backend.go index 692764ccae5..7401e17c2f0 100644 --- a/test/e2e/tests/route_with_backend.go +++ b/test/e2e/tests/route_with_backend.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/routingtype.go b/test/e2e/tests/routingtype.go index 4649e5232a9..08da267338d 100644 --- a/test/e2e/tests/routingtype.go +++ b/test/e2e/tests/routingtype.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/securitypolicy_transaltion_failed.go b/test/e2e/tests/securitypolicy_transaltion_failed.go index 57cf4c397cf..302047cdb0b 100644 --- a/test/e2e/tests/securitypolicy_transaltion_failed.go +++ b/test/e2e/tests/securitypolicy_transaltion_failed.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/session_persistence.go b/test/e2e/tests/session_persistence.go index 0e6e9f73907..4448ba88555 100644 --- a/test/e2e/tests/session_persistence.go +++ b/test/e2e/tests/session_persistence.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/tcp_route.go b/test/e2e/tests/tcp_route.go index 71e43f17164..5526327a68e 100644 --- a/test/e2e/tests/tcp_route.go +++ b/test/e2e/tests/tcp_route.go @@ -6,7 +6,6 @@ // This file contains code derived from upstream gateway-api, it will be moved to upstream. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/tests.go b/test/e2e/tests/tests.go index dc39be7790b..f181e86ac3f 100644 --- a/test/e2e/tests/tests.go +++ b/test/e2e/tests/tests.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/tracing.go b/test/e2e/tests/tracing.go index bd169780121..5ead14b48a1 100644 --- a/test/e2e/tests/tracing.go +++ b/test/e2e/tests/tracing.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/udproute.go b/test/e2e/tests/udproute.go index 4eb160139c1..30211de759e 100644 --- a/test/e2e/tests/udproute.go +++ b/test/e2e/tests/udproute.go @@ -6,7 +6,6 @@ // This file contains code derived from upstream gateway-api, it will be moved to upstream. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/use_client_protocol.go b/test/e2e/tests/use_client_protocol.go index 0aa51afd077..185c95a0bdc 100644 --- a/test/e2e/tests/use_client_protocol.go +++ b/test/e2e/tests/use_client_protocol.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index 4196172246a..53aeb8b96a7 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go @@ -686,9 +686,9 @@ func createTagsQueryParam(tags map[string]string) (string, error) { // CollectAndDump collects and dumps the cluster data for troubleshooting and log. // This function should be call within t.Cleanup. func CollectAndDump(t *testing.T, rest *rest.Config) { - result := tb.CollectResult(context.TODO(), rest, "", "envoy-gateway") + result := tb.CollectResult(context.TODO(), rest, "", "envoy-gateway-system") for r, data := range result { - tlog.Logf(t, "filename: %s", r) - tlog.Logf(t, "data: \n%s", data) + tlog.Logf(t, "\nfilename: %s", r) + tlog.Logf(t, "\ndata: \n%s", data) } } diff --git a/test/e2e/tests/wasm_http.go b/test/e2e/tests/wasm_http.go index 3dee419be19..e5ef2e14c82 100644 --- a/test/e2e/tests/wasm_http.go +++ b/test/e2e/tests/wasm_http.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/wasm_oci.go b/test/e2e/tests/wasm_oci.go index b0d664469fa..1a0a43a33c5 100644 --- a/test/e2e/tests/wasm_oci.go +++ b/test/e2e/tests/wasm_oci.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/weighted_backend.go b/test/e2e/tests/weighted_backend.go index 5bab56f53b8..2ffb239c52f 100644 --- a/test/e2e/tests/weighted_backend.go +++ b/test/e2e/tests/weighted_backend.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/upgrade/eg_upgrade_test.go b/test/e2e/upgrade/eg_upgrade_test.go index 7ef3c406e31..b93a3bab0df 100644 --- a/test/e2e/upgrade/eg_upgrade_test.go +++ b/test/e2e/upgrade/eg_upgrade_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package upgrade @@ -46,7 +45,7 @@ func TestEGUpgrade(t *testing.T) { ManifestFS: []fs.FS{e2e.UpgradeManifests}, RunTest: *flags.RunTest, BaseManifests: "upgrade/manifests.yaml", - SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway), + SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), SkipTests: []string{}, }) if err != nil { diff --git a/test/helm/gateway-addons-helm/default.out.yaml b/test/helm/gateway-addons-helm/default.out.yaml index 060791f94d5..f2fac1dfe09 100644 --- a/test/helm/gateway-addons-helm/default.out.yaml +++ b/test/helm/gateway-addons-helm/default.out.yaml @@ -8378,6 +8378,640 @@ data: "version": 1, "weekStart": "" } + global-ratelimit.json: |- + { + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Envoy Gateway monitoring Dashboard with exported metrics.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 6, + "links": [], + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 273, + "panels": [], + "title": "Global Ratelimit", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "The fraction of this program's available CPU time used by the GC since the program started.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "series", + "axisGridShow": false, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 25, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "miu" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 1 + }, + "id": 274, + "options": { + "legend": { + "calcs": [], + "displayMode": "hidden", + "placement": "right", + "showLegend": false + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(go_memstats_gc_cpu_fraction)*1000000", + "format": "time_series", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "CPU Fraction", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Resident memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 9, + "y": 1 + }, + "id": 291, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_resident_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Resident Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Virtual memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "percentage", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 16, + "y": 1 + }, + "id": 325, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_virtual_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Virtual Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of ratelimit rule hits in total", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 8 + }, + "id": 308, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_total_hits{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Total Hits", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits over the NearLimit ratio threshold (currently 80%) but under the threshold rate.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 8 + }, + "id": 326, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_near_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Near Limit", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits exceeding the threshold rate", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 8 + }, + "id": 327, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_over_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Over Limit", + "type": "stat" + } + ], + "refresh": "", + "schemaVersion": 39, + "tags": [ + "Control Plane" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": "envoy-gateway-system", + "value": "envoy-gateway-system" + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,namespace)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": { + "selected": true, + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,runner)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "Runner", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,runner)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "default/eg/http", + "value": "default/eg/http" + }, + "description": "DefaultDomain is set to default/eg/http", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DefaultDomain", + "options": [ + { + "selected": true, + "text": "default/eg/http", + "value": "default/eg/http" + } + ], + "query": "default/eg/http", + "skipUrlSync": false, + "type": "custom" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": {}, + "timezone": "browser", + "title": "Global Ratelimit", + "uid": "R2xvYmFsIFJhdGVsaW1pdAo", + "version": 4, + "weekStart": "" + } resources-monitor.gen.json: |- { "description": "Memory and CPU Usage Monitor for Envoy Gateway and Envoy Proxy.\n", @@ -9519,75 +10153,3 @@ spec: updateStrategy: type: RollingUpdate ---- -# Source: gateway-addons-helm/charts/grafana/templates/tests/test-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - helm.sh/chart: grafana-8.0.0 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "11.0.0" - app.kubernetes.io/managed-by: Helm - name: grafana-test - namespace: monitoring - annotations: - "helm.sh/hook": test-success - "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" ---- -# Source: gateway-addons-helm/charts/grafana/templates/tests/test-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: grafana-test - namespace: monitoring - annotations: - "helm.sh/hook": test-success - "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" - labels: - helm.sh/chart: grafana-8.0.0 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "11.0.0" - app.kubernetes.io/managed-by: Helm -data: - run.sh: |- - @test "Test Health" { - url="http://grafana/api/health" - - code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}') - [ "$code" == "200" ] - } ---- -# Source: gateway-addons-helm/charts/grafana/templates/tests/test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: grafana-test - labels: - helm.sh/chart: grafana-8.0.0 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "11.0.0" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": test-success - "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" - namespace: monitoring -spec: - serviceAccountName: grafana-test - containers: - - name: gateway-addons-helm-test - image: "docker.io/bats/bats:v1.4.1" - imagePullPolicy: "IfNotPresent" - command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"] - volumeMounts: - - mountPath: /tests - name: tests - readOnly: true - volumes: - - name: tests - configMap: - name: grafana-test - restartPolicy: Never diff --git a/test/helm/gateway-addons-helm/e2e.out.yaml b/test/helm/gateway-addons-helm/e2e.out.yaml index df3d02ade7e..52ed8fcb97e 100644 --- a/test/helm/gateway-addons-helm/e2e.out.yaml +++ b/test/helm/gateway-addons-helm/e2e.out.yaml @@ -8410,6 +8410,640 @@ data: "version": 1, "weekStart": "" } + global-ratelimit.json: |- + { + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Envoy Gateway monitoring Dashboard with exported metrics.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 6, + "links": [], + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 273, + "panels": [], + "title": "Global Ratelimit", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "The fraction of this program's available CPU time used by the GC since the program started.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "series", + "axisGridShow": false, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 25, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "miu" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 1 + }, + "id": 274, + "options": { + "legend": { + "calcs": [], + "displayMode": "hidden", + "placement": "right", + "showLegend": false + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(go_memstats_gc_cpu_fraction)*1000000", + "format": "time_series", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "CPU Fraction", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Resident memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 9, + "y": 1 + }, + "id": 291, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_resident_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Resident Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Virtual memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "percentage", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 16, + "y": 1 + }, + "id": 325, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_virtual_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Virtual Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of ratelimit rule hits in total", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 8 + }, + "id": 308, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_total_hits{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Total Hits", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits over the NearLimit ratio threshold (currently 80%) but under the threshold rate.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 8 + }, + "id": 326, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_near_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Near Limit", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits exceeding the threshold rate", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 8 + }, + "id": 327, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_over_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Over Limit", + "type": "stat" + } + ], + "refresh": "", + "schemaVersion": 39, + "tags": [ + "Control Plane" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": "envoy-gateway-system", + "value": "envoy-gateway-system" + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,namespace)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": { + "selected": true, + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,runner)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "Runner", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,runner)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "default/eg/http", + "value": "default/eg/http" + }, + "description": "DefaultDomain is set to default/eg/http", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DefaultDomain", + "options": [ + { + "selected": true, + "text": "default/eg/http", + "value": "default/eg/http" + } + ], + "query": "default/eg/http", + "skipUrlSync": false, + "type": "custom" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": {}, + "timezone": "browser", + "title": "Global Ratelimit", + "uid": "R2xvYmFsIFJhdGVsaW1pdAo", + "version": 4, + "weekStart": "" + } resources-monitor.gen.json: |- { "description": "Memory and CPU Usage Monitor for Envoy Gateway and Envoy Proxy.\n", diff --git a/test/helm/gateway-helm/deployment-priorityclass.in.yaml b/test/helm/gateway-helm/deployment-priorityclass.in.yaml new file mode 100644 index 00000000000..f5dbd6afc49 --- /dev/null +++ b/test/helm/gateway-helm/deployment-priorityclass.in.yaml @@ -0,0 +1,7 @@ +global: + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always +deployment: + priorityClassName: system-cluster-critical diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml new file mode 100644 index 00000000000..d3648d443d9 --- /dev/null +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -0,0 +1,571 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - create + - get + - delete + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + priorityClassName: "system-cluster-critical" + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/service-annotations.in.yaml b/test/helm/gateway-helm/service-annotations.in.yaml new file mode 100644 index 00000000000..0149c11c51f --- /dev/null +++ b/test/helm/gateway-helm/service-annotations.in.yaml @@ -0,0 +1,8 @@ +global: + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always +service: + annotations: + this: that diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml new file mode 100644 index 00000000000..97f39cd0bea --- /dev/null +++ b/test/helm/gateway-helm/service-annotations.out.yaml @@ -0,0 +1,572 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - create + - get + - delete + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + annotations: + this: that + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/tools/boilerplate/boilerplate.py b/tools/boilerplate/boilerplate.py index 4741440808f..f3b21cd6b7c 100755 --- a/tools/boilerplate/boilerplate.py +++ b/tools/boilerplate/boilerplate.py @@ -229,7 +229,6 @@ def get_regexs(): regexs["date"] = re.compile(get_dates()) # strip the following build constraints/tags: # //go:build - # // +build \n\n regexs["go_build_constraints"] = re.compile( r"^(//(go:build| \+build).*\n)+\n", re.MULTILINE) # strip #!.* from scripts diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 2f30eec5468..1f5ad0cb8d0 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -1,10 +1,10 @@ -FROM busybox@sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140 as source +FROM busybox@sha256:768e5c6f5cb6db0794eec98dc7a967f40631746c32232b78a3105fb946f3ab83 AS source # Create the data directory for eg RUN mkdir -p /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot@sha256:dcd3f1f09adef5689088c9c4d96a8d98c889d8281d3946145074f89eafe7e1af +FROM gcr.io/distroless/static:nonroot@sha256:26f9b99f2463f55f20db19feb4d96eb88b056e0f1be7016bb9296a464a89d772 ARG TARGETPLATFORM COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source --chown=65532:65532 /var/lib /var/lib diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index 7dcf60d5c51..9154ce02a93 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -2,25 +2,26 @@ module local go 1.23.1 -require github.com/bufbuild/buf v1.42.0 +require github.com/bufbuild/buf v1.44.0 require ( - buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2 // indirect - buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 // indirect - buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 // indirect - buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 // indirect + buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 // indirect + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 // indirect + buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 // indirect + buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 // indirect buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 // indirect - buf.build/go/bufplugin v0.2.0 // indirect + buf.build/go/bufplugin v0.5.0 // indirect buf.build/go/protoyaml v0.2.0 // indirect - connectrpc.com/connect v1.16.2 // indirect + buf.build/go/spdx v0.2.0 // indirect + connectrpc.com/connect v1.17.0 // indirect connectrpc.com/otelconnect v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/Microsoft/hcsshim v0.12.6 // indirect + github.com/Microsoft/hcsshim v0.12.7 // indirect github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect - github.com/bufbuild/protovalidate-go v0.6.5 // indirect + github.com/bufbuild/protovalidate-go v0.7.1 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect github.com/containerd/containerd v1.7.22 // indirect github.com/containerd/continuity v0.4.3 // indirect @@ -30,11 +31,11 @@ require ( github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect github.com/containerd/ttrpc v1.2.5 // indirect github.com/containerd/typeurl/v2 v2.2.0 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/cli v27.2.1+incompatible // indirect + github.com/docker/cli v27.3.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v27.2.1+incompatible // indirect + github.com/docker/docker v27.3.1+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect @@ -45,17 +46,16 @@ require ( github.com/go-logr/stdr v1.2.2 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gofrs/flock v0.12.1 // indirect - github.com/gofrs/uuid/v5 v5.3.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/cel-go v0.21.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134 // indirect + github.com/google/pprof v0.0.0-20240929191954-255acd752d31 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jdx/go-netrc v1.0.0 // indirect - github.com/klauspost/compress v1.17.9 // indirect + github.com/klauspost/compress v1.17.10 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect @@ -81,11 +81,18 @@ require ( github.com/rogpeppe/go-internal v1.10.0 // indirect github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/segmentio/asm v1.2.0 // indirect + github.com/segmentio/encoding v0.4.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/stoewer/go-strcase v1.3.0 // indirect - github.com/vbatts/tar-split v0.11.5 // indirect + github.com/tetratelabs/wazero v1.8.0 // indirect + github.com/vbatts/tar-split v0.11.6 // indirect + go.lsp.dev/jsonrpc2 v0.10.0 // indirect + go.lsp.dev/pkg v0.0.0-20210717090340-384b27a52fb2 // indirect + go.lsp.dev/protocol v0.12.0 // indirect + go.lsp.dev/uri v0.3.0 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect go.opentelemetry.io/otel v1.30.0 // indirect @@ -106,10 +113,10 @@ require ( golang.org/x/term v0.24.0 // indirect golang.org/x/text v0.18.0 // indirect golang.org/x/tools v0.25.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/grpc v1.66.2 // indirect - google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/grpc v1.67.0 // indirect + google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - pluginrpc.com/pluginrpc v0.3.0 // indirect + pluginrpc.com/pluginrpc v0.5.0 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index e76ce65da22..1c3d37804b5 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum @@ -1,20 +1,22 @@ -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2 h1:X9qBPcvWGOJs/CeRVLoxxLJwC/eKyWDS/G4nj+3KGMY= -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2/go.mod h1:B+9TKHRYqoAUW57pLjhkLOnBCu0DQYMV+f7imQ9nXwI= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 h1:SZRVx928rbYZ6hEKUIN+vtGDkl7uotABRWGY4OAg5gM= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 h1:QaJ6UkpvlGo4dBXR41vLRfPiKungbg7brjmbBC/k6Ig= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1/go.mod h1:oQsMFNU3YzxxjRS6O68UkcF/A+pXdXqQNcUfQEBTWcw= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 h1:C3CTZTucEUm7i0O2tAM8GSlg23GnQYcljX1b1Jcpsro= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 h1:BQVQ0fcYgqpe6F/2ZPJUR1rTN+nwdrj2z7IAbAu9XAQ= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2/go.mod h1:B+9TKHRYqoAUW57pLjhkLOnBCu0DQYMV+f7imQ9nXwI= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 h1:hl0FrmGlNpQZIGvU1/jDz0lsPDd0BhCE0QDRwPfLZcA= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 h1:p4A9QnhBrKjCquBt1mKqfO37QseLwgWqQp+Wb9ZjasE= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1/go.mod h1:7WtU+waNF+dyxDsuNaqmG3d0w3y2poNju8cvun1/jLs= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 h1:3sSS9z8k6zVe7rNNt9R6DN2fOFBVClEflmICIjbXwms= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 h1:oSi+Adw4xvIjXrW8eY8QGR3sBdfWeY5HN/RefnRt52M= buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2/go.mod h1:GjH0gjlY/ns16X8d6eaXV2W+6IFwsO5Ly9WVnzyd1E0= -buf.build/go/bufplugin v0.2.0 h1:nnNvWzUgQXitRDmjWWIkuXj9klreAAE94sVCsL+0v5g= -buf.build/go/bufplugin v0.2.0/go.mod h1:ZZYGt6PDcjbBSywdz/G8NdXkIuWi2rzR8CduGzbCPdk= +buf.build/go/bufplugin v0.5.0 h1:pmK1AloAMp+4woH5hEisK9qVmDdLySzIKexUUVZLJ2Q= +buf.build/go/bufplugin v0.5.0/go.mod h1:r7Y8tpqpErLtUXUecEgwAHnjihY03YbN0IaBFNJF/x0= buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8= buf.build/go/protoyaml v0.2.0/go.mod h1:L/9QvTDkTWcDTzAL6HMfN+mYC6CmZRm2KnsUA054iL0= +buf.build/go/spdx v0.2.0 h1:IItqM0/cMxvFJJumcBuP8NrsIzMs/UYjp/6WSpq8LTw= +buf.build/go/spdx v0.2.0/go.mod h1:bXdwQFem9Si3nsbNy8aJKGPoaPi5DKwdeEp5/ArZ6w8= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -connectrpc.com/connect v1.16.2 h1:ybd6y+ls7GOlb7Bh5C8+ghA6SvCBajHwxssO2CGFjqE= -connectrpc.com/connect v1.16.2/go.mod h1:n2kgwskMHXC+lVqb18wngEpF95ldBHXjZYJussz5FRc= +connectrpc.com/connect v1.17.0 h1:W0ZqMhtVzn9Zhn2yATuUokDLO5N+gIuBWMOnsQrfmZk= +connectrpc.com/connect v1.17.0/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8= connectrpc.com/otelconnect v0.7.1 h1:scO5pOb0i4yUE66CnNrHeK1x51yq0bE0ehPg6WvzXJY= connectrpc.com/otelconnect v0.7.1/go.mod h1:dh3bFgHBTb2bkqGCeVVOtHJreSns7uu9wwL2Tbz17ms= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= @@ -24,18 +26,18 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg6 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/Microsoft/hcsshim v0.12.6 h1:qEnZjoHXv+4/s0LmKZWE0/AiZmMWEIkFfWBSf1a0wlU= -github.com/Microsoft/hcsshim v0.12.6/go.mod h1:ZABCLVcvLMjIkzr9rUGcQ1QA0p0P3Ps+d3N1g2DsFfk= +github.com/Microsoft/hcsshim v0.12.7 h1:MP6R1spmjxTE4EU4J3YsrTxn8CjvN9qwjTKJXldFaRg= +github.com/Microsoft/hcsshim v0.12.7/go.mod h1:HPbAuJ9BvQYYZbB4yEQcyGIsTP5L4yHKeO9XO149AEM= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.42.0 h1:awh6dZ1qjC468Wq9FN/3WAeBLoe6LV8GeFSHlL3ltvE= -github.com/bufbuild/buf v1.42.0/go.mod h1:AKKOqvsTLjeFXTEc7h9KsxsVBY/hETalmy7k8e0FVEo= +github.com/bufbuild/buf v1.44.0 h1:95vd2ZbgaDkKIJ557eZrx2z6jdMULEpVbNpLlw/9Y5w= +github.com/bufbuild/buf v1.44.0/go.mod h1:Ksh+C0pR3t1or0BGyzq7krkam3zhBv21QVs1zsqdOik= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ= -github.com/bufbuild/protovalidate-go v0.6.5 h1:WucDKXIbK22WjkO8A8J6Yyxxy0jl91Oe9LSMduq3YEE= -github.com/bufbuild/protovalidate-go v0.6.5/go.mod h1:LHDiGCWSM3GagZEnyEZ1sPtFwi6Ja4tVTi/DCc+iDFI= +github.com/bufbuild/protovalidate-go v0.7.1 h1:ac50NTO6+1+mKg5sP/GBPLlMkQFeI+OeaYGFdS1vu98= +github.com/bufbuild/protovalidate-go v0.7.1/go.mod h1:PHV5pFuWlRzdDW02/cmVyNzdiQ+RNNwo7idGxdzS7o4= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -68,8 +70,9 @@ github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oL github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsPEmzLso= github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g= -github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= +github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -77,12 +80,12 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.2.1+incompatible h1:U5BPtiD0viUzjGAjV1p0MGB8eVA3L3cbIrnyWmSJI70= -github.com/docker/cli v27.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ= +github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.2.1+incompatible h1:fQdiLfW7VLscyoeYEBz7/J8soYFDZV1u6VW6gJEjNMI= -github.com/docker/docker v27.2.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI= +github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= @@ -114,8 +117,6 @@ github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6Wezm github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= -github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk= -github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= @@ -146,8 +147,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134 h1:c5FlPPgxOn7kJz3VoPLkQYQXGBS3EklQ4Zfi57uOuqQ= -github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20240929191954-255acd752d31 h1:LcRdQWywSgfi5jPsYZ1r2avbbs5IQ5wtyhMBCcokyo4= +github.com/google/pprof v0.0.0-20240929191954-255acd752d31/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -164,8 +165,8 @@ github.com/jhump/protoreflect/v2 v2.0.0-beta.2/go.mod h1:4tnOYkB/mq7QTyS3YKtVtNr github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= -github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.10 h1:oXAz+Vh0PMUvJczoi+flxpnBEPxoER1IaAnU/NMPtT0= +github.com/klauspost/compress v1.17.10/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= @@ -220,8 +221,8 @@ github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDj github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= github.com/quic-go/quic-go v0.47.0 h1:yXs3v7r2bm1wmPTYNLKAAJTHMYkPEsfYJmTazXrCZ7Y= @@ -232,6 +233,10 @@ github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= +github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= +github.com/segmentio/encoding v0.4.0 h1:MEBYvRqiUB2nfR2criEXWqwdY6HJOUrCn5hboVOVmy8= +github.com/segmentio/encoding v0.4.0/go.mod h1:/d03Cd8PoaDeceuhUUUQWjU0KhWjrmYrWPgtJHYZSnI= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= @@ -249,10 +254,20 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= -github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= +github.com/tetratelabs/wazero v1.8.0 h1:iEKu0d4c2Pd+QSRieYbnQC9yiFlMS9D+Jr0LsRmcF4g= +github.com/tetratelabs/wazero v1.8.0/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs= +github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs= +github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.lsp.dev/jsonrpc2 v0.10.0 h1:Pr/YcXJoEOTMc/b6OTmcR1DPJ3mSWl/SWiU1Cct6VmI= +go.lsp.dev/jsonrpc2 v0.10.0/go.mod h1:fmEzIdXPi/rf6d4uFcayi8HpFP1nBF99ERP1htC72Ac= +go.lsp.dev/pkg v0.0.0-20210717090340-384b27a52fb2 h1:hCzQgh6UcwbKgNSRurYWSqh8MufqRRPODRBblutn4TE= +go.lsp.dev/pkg v0.0.0-20210717090340-384b27a52fb2/go.mod h1:gtSHRuYfbCT0qnbLnovpie/WEmqyJ7T4n6VXiFMBtcw= +go.lsp.dev/protocol v0.12.0 h1:tNprUI9klQW5FAFVM4Sa+AbPFuVQByWhP1ttNUAjIWg= +go.lsp.dev/protocol v0.12.0/go.mod h1:Qb11/HgZQ72qQbeyPfJbu3hZBH23s1sr4st8czGeDMQ= +go.lsp.dev/uri v0.3.0 h1:KcZJmh6nFIBeJzTugn5JTU6OOyG0lDOo3R9KwTxTYbo= +go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs= @@ -356,17 +371,17 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 h1:pAjq8XSSzXoP9ya73v/w+9QEAAJNluLrpmMq5qFJQNY= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:O6rP0uBq4k0mdi/b4ZEMAZjkhYWhS815kCvaMha4VN8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= -google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= +google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -376,8 +391,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689 h1:hNwajDgT0MlsxZzlUajZVmUYFpts8/CYe4BSNx503ZE= -google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 h1:gqpvySYmKe3qf25lfA3WIEMTXBU+lfISbNkPH2BA844= +google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= @@ -388,5 +403,5 @@ gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -pluginrpc.com/pluginrpc v0.3.0 h1:9BSGRIdNLf/+EU3JrkISLwgIAuYxBrMEzSfNyeQ/Gp0= -pluginrpc.com/pluginrpc v0.3.0/go.mod h1:UNWZ941hcVAoOZUn8YZsMmOZBzbUjQa3XMns8RQLp9o= +pluginrpc.com/pluginrpc v0.5.0 h1:tOQj2D35hOmvHyPu8e7ohW2/QvAnEtKscy2IJYWQ2yo= +pluginrpc.com/pluginrpc v0.5.0/go.mod h1:UNWZ941hcVAoOZUn8YZsMmOZBzbUjQa3XMns8RQLp9o= diff --git a/tools/src/buf/pin.go b/tools/src/buf/pin.go index c13637f5ca1..0efc9288fdc 100644 --- a/tools/src/buf/pin.go +++ b/tools/src/buf/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/controller-gen/pin.go b/tools/src/controller-gen/pin.go index 82c8d1cf3c5..a3fbfac77f7 100644 --- a/tools/src/controller-gen/pin.go +++ b/tools/src/controller-gen/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/crd-ref-docs/pin.go b/tools/src/crd-ref-docs/pin.go index 189206471eb..633c2a07b38 100644 --- a/tools/src/crd-ref-docs/pin.go +++ b/tools/src/crd-ref-docs/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/gci/pin.go b/tools/src/gci/pin.go index a9d92c30ded..b268ca2aa62 100644 --- a/tools/src/gci/pin.go +++ b/tools/src/gci/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/golangci-lint/pin.go b/tools/src/golangci-lint/pin.go index 79215a6f79c..124aa7ee154 100644 --- a/tools/src/golangci-lint/pin.go +++ b/tools/src/golangci-lint/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/helm-docs/pin.go b/tools/src/helm-docs/pin.go index c2a76758431..c199d5b0285 100644 --- a/tools/src/helm-docs/pin.go +++ b/tools/src/helm-docs/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/jb/pin.go b/tools/src/jb/pin.go index e7b14fc86ff..8aeb1584257 100644 --- a/tools/src/jb/pin.go +++ b/tools/src/jb/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/jsonnet/pin.go b/tools/src/jsonnet/pin.go index d8e5f03d16c..62839ad6881 100644 --- a/tools/src/jsonnet/pin.go +++ b/tools/src/jsonnet/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/kind/pin.go b/tools/src/kind/pin.go index 6f55c9cae83..71a5637bcc9 100644 --- a/tools/src/kind/pin.go +++ b/tools/src/kind/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/protoc-gen-go-grpc/pin.go b/tools/src/protoc-gen-go-grpc/pin.go index eb75ed5104b..de760119e13 100644 --- a/tools/src/protoc-gen-go-grpc/pin.go +++ b/tools/src/protoc-gen-go-grpc/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/protoc-gen-go/pin.go b/tools/src/protoc-gen-go/pin.go index 074554f8b17..b0b6eb1c034 100644 --- a/tools/src/protoc-gen-go/pin.go +++ b/tools/src/protoc-gen-go/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/setup-envtest/pin.go b/tools/src/setup-envtest/pin.go index d7a602fb15f..c16aa88025f 100644 --- a/tools/src/setup-envtest/pin.go +++ b/tools/src/setup-envtest/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore