Merge branch 'main' into main

envoyproxy · May 29, 2024 · 3d28ef9 · 3d28ef9
2 parents 14e216c + 78fe57a
commit 3d28ef9
Show file tree

Hide file tree

Showing 225 changed files with 8,059 additions and 1,400 deletions.
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -84,7 +84,7 @@ jobs:
     needs: [build]
     strategy:
       matrix:
-        version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
+        version: [ v1.27.13, v1.28.9, v1.29.4, v1.30.0 ]
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
     - uses: ./tools/github-actions/setup-deps
@@ -112,7 +112,7 @@ jobs:
     needs: [build]
     strategy:
       matrix:
-        version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
+        version: [ v1.27.13, v1.28.9, v1.29.4, v1.30.0 ]
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
     - uses: ./tools/github-actions/setup-deps

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6  # v3.25.5
+      uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276  # v3.25.6
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@b7cec7526559c32f1616476ff32d17ba4c59b2d6  # v3.25.5
+      uses: github/codeql-action/autobuild@9fdb3e49720b44c48891d036bb502feb25684276  # v3.25.6
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6  # v3.25.5
+      uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276  # v3.25.6
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
+        version: [ v1.27.13, v1.28.9, v1.29.4, v1.30.0 ]
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
     - uses: ./tools/github-actions/setup-deps

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6  # v3.25.5
+      uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276  # v3.25.6
       with:
         sarif_file: results.sarif
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -25,7 +25,7 @@ jobs:
         IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561  # v0.20.0
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2  # v0.21.0
       with:
         image-ref: envoy-proxy/gateway-dev:${{ github.sha }}
         exit-code: '1'
diff --git a/api/v1alpha1/accesslogging_types.go b/api/v1alpha1/accesslogging_types.go
@@ -158,19 +158,19 @@ type FileEnvoyProxyAccessLog struct {
 // +kubebuilder:validation:XValidation:message="host or backendRefs needs to be set",rule="has(self.host) || self.backendRefs.size() > 0"
 type OpenTelemetryEnvoyProxyAccessLog struct {
 	// Host define the extension service hostname.
-	// Deprecated: Use BackendRef instead.
+	// Deprecated: Use BackendRefs instead.
 	//
 	// +optional
 	Host *string `json:"host,omitempty"`
 	// Port defines the port the extension service is exposed on.
-	// Deprecated: Use BackendRef instead.
+	// Deprecated: Use BackendRefs instead.
 	//
 	// +optional
 	// +kubebuilder:validation:Minimum=0
 	// +kubebuilder:default=4317
 	Port int32 `json:"port,omitempty"`
 	// BackendRefs references a Kubernetes object that represents the
-	// backend server to which the accesslog will be sent.
+	// backend server to which the access log will be sent.
 	// Only service Kind is supported for now.
 	//
 	// +optional

diff --git a/api/v1alpha1/envoygateway_metrics_types.go b/api/v1alpha1/envoygateway_metrics_types.go
@@ -5,6 +5,8 @@
 
 package v1alpha1
 
+import gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+
 // EnvoyGatewayMetrics defines control plane push/pull metrics configurations.
 type EnvoyGatewayMetrics struct {
 	// Sinks defines the metric sinks where metrics are sent to.
@@ -38,6 +40,18 @@ type EnvoyGatewayOpenTelemetrySink struct {
 	// +kubebuilder:validation:Minimum=0
 	// +kubebuilder:default=4317
 	Port int32 `json:"port,omitempty"`
+	// ExportInterval configures the intervening time between exports for a
+	// Sink. This option overrides any value set for the
+	// OTEL_METRIC_EXPORT_INTERVAL environment variable.
+	// If ExportInterval is less than or equal to zero, 60 seconds
+	// is used as the default.
+	ExportInterval *gatewayv1.Duration `json:"exportInterval,omitempty"`
+	// ExportTimeout configures the time a Sink waits for an export to
+	// complete before canceling it. This option overrides any value set for the
+	// OTEL_METRIC_EXPORT_TIMEOUT environment variable.
+	// If ExportTimeout is less than or equal to zero, 30 seconds
+	// is used as the default.
+	ExportTimeout *gatewayv1.Duration `json:"exportTimeout,omitempty"`
 }
 
 // EnvoyGatewayPrometheusProvider will expose prometheus endpoint in pull mode.

diff --git a/api/v1alpha1/envoyproxy_metric_types.go b/api/v1alpha1/envoyproxy_metric_types.go
@@ -56,12 +56,12 @@ type ProxyMetricSink struct {
 // +kubebuilder:validation:XValidation:message="host or backendRefs needs to be set",rule="has(self.host) || self.backendRefs.size() > 0"
 type ProxyOpenTelemetrySink struct {
 	// Host define the service hostname.
-	// Deprecated: Use BackendRef instead.
+	// Deprecated: Use BackendRefs instead.
 	//
 	// +optional
 	Host *string `json:"host,omitempty"`
 	// Port defines the port the service is exposed on.
-	// Deprecated: Use BackendRef instead.
+	// Deprecated: Use BackendRefs instead.
 	//
 	// +optional
 	// +kubebuilder:validation:Minimum=0

diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go
@@ -128,6 +128,7 @@ type BackendTLSConfig struct {
 	// ClientCertificateRef defines the reference to a Kubernetes Secret that contains
 	// the client certificate and private key for Envoy to use when connecting to
 	// backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+	// This secret should be located within the same namespace as the Envoy proxy resource that references it.
 	// +optional
 	ClientCertificateRef *gwapiv1.SecretObjectReference `json:"clientCertificateRef,omitempty"`
 	TLSSettings          `json:",inline"`

diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go
@@ -9,14 +9,14 @@ import (
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
+// ExtAuth defines the configuration for External Authorization.
+//
 // +kubebuilder:validation:XValidation:rule="(has(self.grpc) || has(self.http))",message="one of grpc or http must be specified"
 // +kubebuilder:validation:XValidation:rule="(has(self.grpc) && !has(self.http)) || (!has(self.grpc) && has(self.http))",message="only one of grpc or http can be specified"
-// +kubebuilder:validation:XValidation:rule="has(self.grpc) ? (!has(self.grpc.backendRef.group) || self.grpc.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported"
-// +kubebuilder:validation:XValidation:rule="has(self.grpc) ? (!has(self.grpc.backendRef.kind) || self.grpc.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported"
-// +kubebuilder:validation:XValidation:rule="has(self.http) ? (!has(self.http.backendRef.group) || self.http.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported"
-// +kubebuilder:validation:XValidation:rule="has(self.http) ? (!has(self.http.backendRef.kind) || self.http.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported"
-//
-// ExtAuth defines the configuration for External Authorization.
+// +kubebuilder:validation:XValidation:rule="has(self.grpc) ? (!has(self.grpc.backendRef) || !has(self.grpc.backendRef.group) || self.grpc.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported"
+// +kubebuilder:validation:XValidation:rule="has(self.grpc) ? (!has(self.grpc.backendRef) || !has(self.grpc.backendRef.kind) || self.grpc.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported"
+// +kubebuilder:validation:XValidation:rule="has(self.http) ? (!has(self.http.backendRef) || !has(self.http.backendRef.group) || self.http.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported"
+// +kubebuilder:validation:XValidation:rule="has(self.http) ? (!has(self.http.backendRef) || !has(self.http.backendRef.kind) || self.http.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported"
 type ExtAuth struct {
 	// GRPC defines the gRPC External Authorization service.
 	// Either GRPCService or HTTPService must be specified,
@@ -55,19 +55,42 @@ type ExtAuth struct {
 // GRPCExtAuthService defines the gRPC External Authorization service
 // The authorization request message is defined in
 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+// +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0"
 type GRPCExtAuthService struct {
 	// BackendRef references a Kubernetes object that represents the
 	// backend server to which the authorization request will be sent.
 	// Only service Kind is supported for now.
-	BackendRef gwapiv1.BackendObjectReference `json:"backendRef"`
+	// Deprecated: Use BackendRefs instead.
+	BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"`
+
+	// BackendRefs references a Kubernetes object that represents the
+	// backend server to which the authorization request will be sent.
+	// Only service Kind is supported for now.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxItems=1
+	// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
+	BackendRefs []BackendRef `json:"backendRefs,omitempty"`
 }
 
 // HTTPExtAuthService defines the HTTP External Authorization service
+//
+// +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0"
 type HTTPExtAuthService struct {
 	// BackendRef references a Kubernetes object that represents the
 	// backend server to which the authorization request will be sent.
 	// Only service Kind is supported for now.
-	BackendRef gwapiv1.BackendObjectReference `json:"backendRef"`
+	// Deprecated: Use BackendRefs instead.
+	BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"`
+
+	// BackendRefs references a Kubernetes object that represents the
+	// backend server to which the authorization request will be sent.
+	// Only service Kind is supported for now.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxItems=1
+	// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
+	BackendRefs []BackendRef `json:"backendRefs,omitempty"`
 
 	// Path is the path of the HTTP External Authorization service.
 	// If path is specified, the authorization request will be sent to that path,

diff --git a/api/v1alpha1/loadbalancer_types.go b/api/v1alpha1/loadbalancer_types.go
@@ -73,7 +73,6 @@ type ConsistentHash struct {
 	// +kubebuilder:validation:Maximum=5000011
 	// +kubebuilder:default=65537
 	// +optional
-	// +notImplementedHide
 	TableSize *uint64 `json:"tableSize,omitempty"`
 }
 

diff --git a/api/v1alpha1/share_types_helper.go b/api/v1alpha1/share_types_helper.go
@@ -0,0 +1,18 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+func ToBackendObjectReference(ref BackendRef) *gwapiv1.BackendObjectReference {
+	return &gwapiv1.BackendObjectReference{
+		Group:     ref.Group,
+		Kind:      ref.Kind,
+		Namespace: ref.Namespace,
+		Name:      ref.Name,
+		Port:      ref.Port,
+	}
+}
diff --git a/api/v1alpha1/tracing_types.go b/api/v1alpha1/tracing_types.go
@@ -38,19 +38,19 @@ type TracingProvider struct {
 	// +kubebuilder:default=OpenTelemetry
 	Type TracingProviderType `json:"type"`
 	// Host define the provider service hostname.
-	// Deprecated: Use BackendRef instead.
+	// Deprecated: Use BackendRefs instead.
 	//
 	// +optional
 	Host *string `json:"host,omitempty"`
 	// Port defines the port the provider service is exposed on.
-	// Deprecated: Use BackendRef instead.
+	// Deprecated: Use BackendRefs instead.
 	//
 	// +optional
 	// +kubebuilder:validation:Minimum=0
 	// +kubebuilder:default=4317
 	Port int32 `json:"port,omitempty"`
 	// BackendRefs references a Kubernetes object that represents the
-	// backend server to which the accesslog will be sent.
+	// backend server to which the trace will be sent.
 	// Only service Kind is supported for now.
 	//
 	// +optional

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go