Merge branch 'main' into support-egctl-x-status-all

.github/workflows/build_and_test.yaml

@@ -70,7 +70,7 @@ jobs:
       run: make build-multiarch PLATFORMS="linux_amd64 linux_arm64"
 
     - name: Upload EG Binaries
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8  # v4.3.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
       with:
         name: envoy-gateway
         path: bin/
@@ -86,7 +86,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
-      uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935  # v4.1.1
+      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe  # v4.1.2
       with:
         name: envoy-gateway
         path: bin/
@@ -114,7 +114,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
-      uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935  # v4.1.1
+      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe  # v4.1.2
       with:
         name: envoy-gateway
         path: bin/
@@ -139,7 +139,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
-      uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935  # v4.1.1
+      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe  # v4.1.2
       with:
         name: envoy-gateway
         path: bin/

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911  # v3.24.0
+      uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@e8893c57a1f3a2b659b6b55564fdfdbbd2982911  # v3.24.0
+      uses: github/codeql-action/autobuild@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911  # v3.24.0
+      uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -50,7 +50,7 @@ jobs:
         extended: true
 
     - name: Setup Node
-      uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8  # v4.1.0
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8  # v4.1.0
       with:
         node-version: '18'
 
@@ -59,7 +59,7 @@ jobs:
 
     # Upload docs for GitHub Pages
     - name: Upload GitHub Pages artifact
-      uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8  # v3.0.0
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa  # v3.0.1
       with:
         # Path of the directory containing the static assets.
         path: site/public
@@ -86,4 +86,4 @@ jobs:
     steps:
     - name: Deploy to GitHub Pages
       id: deployment
-      uses: actions/deploy-pages@87c3283f01cd6fe19a0ab93a23b2f6fcba5a8e42  # v4.0.3
+      uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4  # v4.0.4

.github/workflows/experimental_conformance.yaml

@@ -32,7 +32,7 @@ jobs:
       run: make experimental-conformance
 
     - name: Upload Conformance Report
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8  # v4.3.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
       with:
         name: conformance-report-k8s-${{ matrix.version }}
         path: ./test/conformance/conformance-report-k8s-${{ matrix.version }}.yaml

.github/workflows/scorecard.yml

@@ -33,13 +33,13 @@ jobs:
         publish_results: true
 
     - name: "Upload artifact"
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8  # v4.3.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911  # v3.24.0
+      uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
       with:
         sarif_file: results.sarif

OWNERS

@@ -25,3 +25,5 @@ reviewers:
 - tanujd11
 - cnvergence
 - shawnh2
+- guydc
+- liorokman

api/v1alpha1/backendtrafficpolicy_types.go

@@ -82,6 +82,11 @@ type BackendTrafficPolicySpec struct {
 	// +optional
 	CircuitBreaker *CircuitBreaker `json:"circuitBreaker,omitempty"`
 
+	// Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+	// If not set, retry will be disabled.
+	// +optional
+	Retry *Retry `json:"retry,omitempty"`
+
 	// Timeout settings for the backend connections.
 	//
 	// +optional

api/v1alpha1/clienttrafficpolicy_types.go

@@ -53,12 +53,6 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty"`
-	// SuppressEnvoyHeaders configures the Envoy Router filter to suppress the "x-envoy-'
-	// headers from both requests and responses.
-	// By default these headers are added to both requests and responses.
-	//
-	// +optional
-	SuppressEnvoyHeaders *bool `json:"suppressEnvoyHeaders,omitempty"`
 	// EnableProxyProtocol interprets the ProxyProtocol header and adds the
 	// Client Address into the X-Forwarded-For header.
 	// Note Proxy Protocol must be present when this field is set, else the connection
@@ -86,14 +80,39 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	HTTP1 *HTTP1Settings `json:"http1,omitempty"`
+	// HeaderSettings provides configuration for header management.
+	//
+	// +optional
+	Headers *HeaderSettings `json:"headers,omitempty"`
+	// Timeout settings for the client connections.
+	//
+	// +optional
+	Timeout *ClientTimeout `json:"timeout,omitempty"`
+}
+
+// HeaderSettings providess configuration options for headers on the listener.
+type HeaderSettings struct {
+	// EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
+	// and responses.
+	// +optional
+	EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`
 }
 
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
+//
+// +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"
 type ClientIPDetectionSettings struct {
 	// XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
 	//
 	// +optional
 	XForwardedFor *XForwardedForSettings `json:"xForwardedFor,omitempty"`
+	// CustomHeader provides configuration for determining the client IP address for a request based on
+	// a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+	// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+	// for more details.
+	//
+	// +optional
+	CustomHeader *CustomHeaderExtensionSettings `json:"customHeader,omitempty"`
 }
 
 // XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
@@ -107,6 +126,26 @@ type XForwardedForSettings struct {
 	NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"`
 }
 
+// CustomHeader provides configuration for determining the client IP address for a request based on
+// a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+// for more details.
+type CustomHeaderExtensionSettings struct {
+	// Name of the header containing the original downstream remote address, if present.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +kubebuilder:validation:Pattern="^[A-Za-z0-9-]+$"
+	//
+	Name string `json:"name"`
+	// FailClosed is a switch used to control the flow of traffic when client IP detection
+	// fails. If set to true, the listener will respond with 403 Forbidden when the client
+	// IP address cannot be determined.
+	//
+	// +optional
+	FailClosed *bool `json:"failClosed,omitempty"`
+}
+
 // HTTP3Settings provides HTTP/3 configuration on the listener.
 type HTTP3Settings struct {
 }
@@ -120,6 +159,20 @@ type HTTP1Settings struct {
 	// By default, Envoy will lowercase all the headers.
 	// +optional
 	PreserveHeaderCase *bool `json:"preserveHeaderCase,omitempty"`
+	// HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests.
+	// +optional
+	HTTP10 *HTTP10Settings `json:"http10,omitempty"`
+}
+
+// HTTP10Settings provides HTTP/1.0 configuration on the listener.
+type HTTP10Settings struct {
+	// UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
+	// then the hostname associated with the listener should be injected into the
+	// request.
+	// If this is not set and an HTTP/1.0 request arrives without a host, then
+	// it will be rejected.
+	// +optional
+	UseDefaultHost *bool `json:"useDefaultHost,omitempty"`
 }
 
 // ClientTrafficPolicyStatus defines the state of ClientTrafficPolicy

api/v1alpha1/envoypatchpolicy_types.go

@@ -117,8 +117,10 @@ type JSONPatchOperation struct {
 	// Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
 	// +optional
 	From *string `json:"from,omitempty"`
-	// Value is the new value of the path location.
-	Value apiextensionsv1.JSON `json:"value"`
+	// Value is the new value of the path location. The value is only used by
+	// the `add` and `replace` operations.
+	// +optional
+	Value *apiextensionsv1.JSON `json:"value,omitempty"`
 }
 
 // EnvoyPatchPolicyStatus defines the state of EnvoyPatchPolicy

api/v1alpha1/ext_auth_types.go

@@ -9,8 +9,12 @@ import (
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
-// +kubebuilder:validation:XValidation:message="one of grpc or http must be specified",rule="(has(self.grpc) || has(self.http))"
-// +kubebuilder:validation:XValidation:message="only one of grpc or http can be specified",rule="(has(self.grpc) && !has(self.http)) || (!has(self.grpc) && has(self.http))"
+// +kubebuilder:validation:XValidation:rule="(has(self.grpc) || has(self.http))",message="one of grpc or http must be specified"
+// +kubebuilder:validation:XValidation:rule="(has(self.grpc) && !has(self.http)) || (!has(self.grpc) && has(self.http))",message="only one of grpc or http can be specified"
+// +kubebuilder:validation:XValidation:rule="has(self.grpc) ? (!has(self.grpc.backendRef.group) || self.grpc.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported"
+// +kubebuilder:validation:XValidation:rule="has(self.grpc) ? (!has(self.grpc.backendRef.kind) || self.grpc.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported"
+// +kubebuilder:validation:XValidation:rule="has(self.http) ? (!has(self.http.backendRef.group) || self.http.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported"
+// +kubebuilder:validation:XValidation:rule="has(self.http) ? (!has(self.http.backendRef.kind) || self.http.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported"
 //
 // ExtAuth defines the configuration for External Authorization.
 type ExtAuth struct {
@@ -42,18 +46,18 @@ type ExtAuth struct {
 // The authorization request message is defined in
 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
 type GRPCExtAuthService struct {
-	// BackendObjectReference references a Kubernetes object that represents the
+	// BackendRef references a Kubernetes object that represents the
 	// backend server to which the authorization request will be sent.
 	// Only service Kind is supported for now.
-	gwapiv1.BackendObjectReference `json:",inline"`
+	BackendRef gwapiv1.BackendObjectReference `json:"backendRef"`
 }
 
 // HTTPExtAuthService defines the HTTP External Authorization service
 type HTTPExtAuthService struct {
-	// BackendObjectReference references a Kubernetes object that represents the
+	// BackendRef references a Kubernetes object that represents the
 	// backend server to which the authorization request will be sent.
 	// Only service Kind is supported for now.
-	gwapiv1.BackendObjectReference `json:",inline"`
+	BackendRef gwapiv1.BackendObjectReference `json:"backendRef"`
 
 	// Path is the path of the HTTP External Authorization service.
 	// If path is specified, the authorization request will be sent to that path,

api/v1alpha1/healthcheck_types.go

@@ -13,6 +13,60 @@ type HealthCheck struct {
 	// Active health check configuration
 	// +optional
 	Active *ActiveHealthCheck `json:"active,omitempty"`
+
+	// Passive passive check configuration
+	// +optional
+	Passive *PassiveHealthCheck `json:"passive,omitempty"`
+}
+
+// PassiveHealthCheck defines the configuration for passive health checks in the context of Envoy's Outlier Detection,
+// see https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier
+type PassiveHealthCheck struct {
+
+	// SplitExternalLocalOriginErrors enables splitting of errors between external and local origin.
+	//
+	// +kubebuilder:default=false
+	// +optional
+	SplitExternalLocalOriginErrors *bool `json:"splitExternalLocalOriginErrors,omitempty"`
+
+	// Interval defines the time between passive health checks.
+	//
+	// +kubebuilder:validation:Format=duration
+	// +kubebuilder:default="3s"
+	// +optional
+	Interval *metav1.Duration `json:"interval,omitempty"`
+
+	// ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+	// Parameter takes effect only when split_external_local_origin_errors is set to true.
+	//
+	// +kubebuilder:default=5
+	// +optional
+	ConsecutiveLocalOriginFailures *uint32 `json:"consecutiveLocalOriginFailures,omitempty"`
+
+	// ConsecutiveGatewayErrors sets the number of consecutive gateway errors triggering ejection.
+	//
+	// +kubebuilder:default=0
+	// +optional
+	ConsecutiveGatewayErrors *uint32 `json:"consecutiveGatewayErrors,omitempty"`
+
+	// Consecutive5xxErrors sets the number of consecutive 5xx errors triggering ejection.
+	//
+	// +kubebuilder:default=5
+	// +optional
+	Consecutive5xxErrors *uint32 `json:"consecutive5XxErrors,omitempty"`
+
+	// BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures.
+	//
+	// +kubebuilder:validation:Format=duration
+	// +kubebuilder:default="30s"
+	// +optional
+	BaseEjectionTime *metav1.Duration `json:"baseEjectionTime,omitempty"`
+
+	// MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected.
+	//
+	// +kubebuilder:default=10
+	// +optional
+	MaxEjectionPercent *int32 `json:"maxEjectionPercent,omitempty"`
 }
 
 // ActiveHealthCheck defines the active health check configuration.
@@ -29,7 +83,7 @@ type ActiveHealthCheck struct {
 	// +optional
 	Timeout *metav1.Duration `json:"timeout"`
 
-	// Interval defines the time between health checks.
+	// Interval defines the time between active health checks.
 	//
 	// +kubebuilder:validation:Format=duration
 	// +kubebuilder:default="3s"
@@ -106,12 +160,6 @@ type TCPActiveHealthChecker struct {
 	Receive *ActiveHealthCheckPayload `json:"receive,omitempty" yaml:"receive,omitempty"`
 }
 
-// HTTPStatus defines the http status code.
-// +kubebuilder:validation:Minimum=100
-// +kubebuilder:validation:Maximum=600
-// +kubebuilder:validation:ExclusiveMaximum=true
-type HTTPStatus int
-
 // ActiveHealthCheckPayloadType is the type of the payload.
 // +kubebuilder:validation:Enum=Text;Binary
 type ActiveHealthCheckPayloadType string