Merge branch 'main' into client-cert-api

.github/codecov.yml

@@ -10,3 +10,7 @@ coverage:
         target: 60%
         threshold: 5%
         if_ci_failed: error
+ignore:
+  - "cmd"
+  - "**/*.pb.go"
+  - "**/zz_generated.deepcopy.go"

.github/workflows/cherrypick.yaml

@@ -20,7 +20,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Cherry pick into release/v1.0
-        uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5  # v1.0.9
+        uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3  # v1.0.10
         with:
           branch: release/v1.0
           title: "[release/v1.0] {old_title}"

.github/workflows/docs.yaml

@@ -27,14 +27,16 @@ jobs:
       with:
         ref: ${{ github.event.pull_request.head.sha }}
 
+    - uses: ./tools/github-actions/setup-deps
+
     - name: Run markdown linter
       uses: nosborn/github-action-markdown-cli@9b5e871c11cc0649c5ac2526af22e23525fa344d  # v3.3.0
       with:
         files: site/content/*
         config_file: ".github/markdown_lint_config.json"
 
     - name: Install linkinator
-      run: npm install -g linkinator
+      run: npm install -g linkinator@6.0.4
 
     - name: Check links
       run: make docs docs-check-links
@@ -51,6 +53,8 @@ jobs:
         submodules: true
         ref: ${{ github.event.pull_request.head.sha }}
 
+    - uses: ./tools/github-actions/setup-deps
+
     - name: Setup Hugo
       uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d  # v2.6.0
       with:

OWNERS

@@ -21,7 +21,6 @@ reviewers:
 
 - chauhanshubham
 - kflynn
-- LanceEa
 - tmsnan
 - tanujd11
 - cnvergence

README.md

@@ -6,6 +6,7 @@
 
 Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or
 Kubernetes-based application gateway.
+[Gateway API](https://gateway-api.sigs.k8s.io) resources are used to dynamically provision and configure the managed Envoy Proxies.
 
 ## Documentation
 

api/v1alpha1/accesslogging_types.go

@@ -5,6 +5,8 @@
 
 package v1alpha1
 
+import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+
 type ProxyAccessLog struct {
 	// Disable disables access logging for managed proxies if set to true.
 	Disable bool `json:"disable,omitempty"`
@@ -92,16 +94,26 @@ type FileEnvoyProxyAccessLog struct {
 	Path string `json:"path,omitempty"`
 }
 
-// TODO: consider reuse ExtensionService?
+// OpenTelemetryEnvoyProxyAccessLog defines the OpenTelemetry access log sink.
+//
+// +kubebuilder:validation:XValidation:message="BackendRef only support Service Kind.",rule="!has(self.backendRef) || !has(self.backendRef.kind) || self.backendRef.kind == 'Service'"
 type OpenTelemetryEnvoyProxyAccessLog struct {
 	// Host define the extension service hostname.
+	// Deprecated: Use BackendRef instead.
 	Host string `json:"host"`
 	// Port defines the port the extension service is exposed on.
+	// Deprecated: Use BackendRef instead.
 	//
 	// +optional
 	// +kubebuilder:validation:Minimum=0
 	// +kubebuilder:default=4317
 	Port int32 `json:"port,omitempty"`
+	// BackendRef references a Kubernetes object that represents the
+	// backend server to which the accesslog will be sent.
+	// Only service Kind is supported for now.
+	//
+	// +optional
+	BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"`
 	// Resources is a set of labels that describe the source of a log entry, including envoy node info.
 	// It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
 	// +optional

api/v1alpha1/clienttrafficpolicy_types.go

@@ -99,8 +99,30 @@ type HeaderSettings struct {
 	// and responses.
 	// +optional
 	EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`
+
+	// WithUnderscoresAction configures the action to take when an HTTP header with underscores
+	// is encountered. The default action is to reject the request.
+	// +optional
+	WithUnderscoresAction *WithUnderscoresAction `json:"withUnderscoresAction,omitempty"`
 }
 
+// WithUnderscoresAction configures the action to take when an HTTP header with underscores
+// is encountered.
+// +kubebuilder:validation:Enum=Allow;RejectRequest;DropHeader
+type WithUnderscoresAction string
+
+const (
+	// WithUnderscoresActionAllow allows headers with underscores to be passed through.
+	WithUnderscoresActionAllow WithUnderscoresAction = "Allow"
+	// WithUnderscoresActionRejectRequest rejects the client request. HTTP/1 requests are rejected with
+	// the 400 status. HTTP/2 requests end with the stream reset.
+	WithUnderscoresActionRejectRequest WithUnderscoresAction = "RejectRequest"
+	// WithUnderscoresActionDropHeader drops the client header with name containing underscores. The header
+	// is dropped before the filter chain is invoked and as such filters will not see
+	// dropped headers.
+	WithUnderscoresActionDropHeader WithUnderscoresAction = "DropHeader"
+)
+
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
 //
 // +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"

api/v1alpha1/connection_types.go

@@ -5,14 +5,25 @@
 
 package v1alpha1
 
-import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
 
 // Connection allows users to configure connection-level settings
 type Connection struct {
 	// ConnectionLimit defines limits related to connections
 	//
 	// +optional
 	ConnectionLimit *ConnectionLimit `json:"connectionLimit,omitempty"`
+	// BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
+	// For example, 20Mi, 1Gi, 256Ki etc.
+	// Note that when the suffix is not provided, the value is interpreted as bytes.
+	// Default: 32768 bytes.
+	//
+	// +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="bufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\""
+	// +optional
+	BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"`
 }
 
 type ConnectionLimit struct {

api/v1alpha1/envoyextensionypolicy_types.go

@@ -46,15 +46,16 @@ type EnvoyExtensionPolicySpec struct {
 	// TargetRef
 	TargetRef gwapiv1a2.PolicyTargetReferenceWithSectionName `json:"targetRef"`
 
-	// Priority of the EnvoyExtensionPolicy.
-	// If multiple EnvoyExtensionPolices are applied to the same
-	// TargetRef, extensions will execute in the ascending order of
-	// the priority i.e. int32.min has the highest priority and
-	// int32.max has the lowest priority.
-	// Defaults to 0.
+	// WASM is a list of Wasm extensions to be loaded by the Gateway.
+	// Order matters, as the extensions will be loaded in the order they are
+	// defined in this list.
 	//
 	// +optional
-	Priority int32 `json:"priority,omitempty"`
+	WASM []Wasm `json:"wasm,omitempty"`
+
+	// ExtProc is an ordered list of external processing filters
+	// that should added to the envoy filter chain
+	ExtProc []ExtProc `json:"extProc,omitempty"`
 }
 
 //+kubebuilder:object:root=true

api/v1alpha1/envoygateway_helpers.go

@@ -9,6 +9,8 @@ import (
 	"fmt"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
 // DefaultEnvoyGateway returns a new EnvoyGateway with default configuration parameters.
@@ -39,6 +41,14 @@ func (e *EnvoyGateway) SetEnvoyGatewayDefaults() {
 	if e.Provider == nil {
 		e.Provider = DefaultEnvoyGatewayProvider()
 	}
+	if e.Provider.Kubernetes == nil {
+		e.Provider.Kubernetes = &EnvoyGatewayKubernetesProvider{
+			LeaderElection: DefaultLeaderElection(),
+		}
+	}
+	if e.Provider.Kubernetes.LeaderElection == nil {
+		e.Provider.Kubernetes.LeaderElection = DefaultLeaderElection()
+	}
 	if e.Gateway == nil {
 		e.Gateway = DefaultGateway()
 	}
@@ -85,6 +95,16 @@ func (e *EnvoyGateway) NamespaceMode() bool {
 		len(e.Provider.Kubernetes.Watch.Namespaces) > 0
 }
 
+// DefaultLeaderElection returns a new LeaderElection with default configuration parameters.
+func DefaultLeaderElection() *LeaderElection {
+	return &LeaderElection{
+		RenewDeadline: ptr.To(gwapiv1.Duration("10s")),
+		RetryPeriod:   ptr.To(gwapiv1.Duration("2s")),
+		LeaseDuration: ptr.To(gwapiv1.Duration("15s")),
+		Disable:       ptr.To(false),
+	}
+}
+
 // DefaultGateway returns a new Gateway with default configuration parameters.
 func DefaultGateway() *Gateway {
 	return &Gateway{
@@ -148,6 +168,9 @@ func DefaultEnvoyGatewayPrometheus() *EnvoyGatewayPrometheusProvider {
 func DefaultEnvoyGatewayProvider() *EnvoyGatewayProvider {
 	return &EnvoyGatewayProvider{
 		Type: ProviderTypeKubernetes,
+		Kubernetes: &EnvoyGatewayKubernetesProvider{
+			LeaderElection: DefaultLeaderElection(),
+		},
 	}
 }
 
@@ -195,9 +218,16 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern
 
 	if r.Kubernetes == nil {
 		r.Kubernetes = DefaultEnvoyGatewayKubeProvider()
+		if r.Kubernetes.LeaderElection == nil {
+			r.Kubernetes.LeaderElection = DefaultLeaderElection()
+		}
 		return r.Kubernetes
 	}
 
+	if r.Kubernetes.LeaderElection == nil {
+		r.Kubernetes.LeaderElection = DefaultLeaderElection()
+	}
+
 	if r.Kubernetes.RateLimitDeployment == nil {
 		r.Kubernetes.RateLimitDeployment = DefaultKubernetesDeployment(DefaultRateLimitImage)
 	}

api/v1alpha1/envoygateway_types.go

@@ -90,6 +90,21 @@ type EnvoyGatewaySpec struct {
 	ExtensionAPIs *ExtensionAPISettings `json:"extensionApis,omitempty"`
 }
 
+// LeaderElection defines the desired leader election settings.
+type LeaderElection struct {
+	// LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
+	// It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds.
+	LeaseDuration *gwapiv1.Duration `json:"leaseDuration,omitempty"`
+	// RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
+	// status before relinquishing its position. The default setting is 10 seconds.
+	RenewDeadline *gwapiv1.Duration `json:"renewDeadline,omitempty"`
+	// RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
+	// The default setting is 2 seconds.
+	RetryPeriod *gwapiv1.Duration `json:"retryPeriod,omitempty"`
+	// Disable provides the option to turn off leader election, which is enabled by default.
+	Disable *bool `json:"disable,omitempty"`
+}
+
 // EnvoyGatewayTelemetry defines telemetry configurations for envoy gateway control plane.
 // Control plane will focus on metrics observability telemetry and tracing telemetry later.
 type EnvoyGatewayTelemetry struct {
@@ -151,10 +166,6 @@ type ExtensionAPISettings struct {
 	// EnableEnvoyPatchPolicy enables Envoy Gateway to
 	// reconcile and implement the EnvoyPatchPolicy resources.
 	EnableEnvoyPatchPolicy bool `json:"enableEnvoyPatchPolicy"`
-
-	// EnableEnvoyExtensionPolicy enables Envoy Gateway to
-	// reconcile and implement the EnvoyExtensionPolicy resources.
-	EnableEnvoyExtensionPolicy bool `json:"enableEnvoyExtensionPolicy"`
 }
 
 // EnvoyGatewayProvider defines the desired configuration of a provider.
@@ -198,6 +209,10 @@ type EnvoyGatewayKubernetesProvider struct {
 	// OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set.
 	// +optional
 	OverwriteControlPlaneCerts *bool `json:"overwriteControlPlaneCerts,omitempty"`
+	// LeaderElection specifies the configuration for leader election.
+	// If it's not set up, leader election will be active by default, using Kubernetes' standard settings.
+	// +optional
+	LeaderElection *LeaderElection `json:"leaderElection,omitempty"`
 }
 
 const (

api/v1alpha1/envoyproxy_metric_types.go

@@ -5,6 +5,8 @@
 
 package v1alpha1
 
+import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+
 type MetricSinkType string
 
 const (
@@ -47,16 +49,27 @@ type ProxyMetricSink struct {
 	OpenTelemetry *ProxyOpenTelemetrySink `json:"openTelemetry,omitempty"`
 }
 
+// ProxyOpenTelemetrySink defines the configuration for OpenTelemetry sink.
+//
+// +kubebuilder:validation:XValidation:message="BackendRef only support Service Kind.",rule="!has(self.backendRef) || !has(self.backendRef.kind) || self.backendRef.kind == 'Service'"
 type ProxyOpenTelemetrySink struct {
 	// Host define the service hostname.
+	// Deprecated: Use BackendRef instead.
 	Host string `json:"host"`
 	// Port defines the port the service is exposed on.
+	// Deprecated: Use BackendRef instead.
 	//
 	// +optional
 	// +kubebuilder:validation:Minimum=0
 	// +kubebuilder:validation:Maximum=65535
 	// +kubebuilder:default=4317
 	Port int32 `json:"port,omitempty"`
+	// BackendRef references a Kubernetes object that represents the
+	// backend server to which the metric will be sent.
+	// Only service Kind is supported for now.
+	//
+	// +optional
+	BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"`
 
 	// TODO: add support for customizing OpenTelemetry sink in https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto#envoy-v3-api-msg-extensions-stat-sinks-open-telemetry-v3-sinkconfig
 }

api/v1alpha1/ext_proc_types.go

@@ -0,0 +1,29 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// +kubebuilder:validation:XValidation:rule="has(self.backendRef) ? (!has(self.backendRef.group) || self.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported"
+// +kubebuilder:validation:XValidation:rule="has(self.backendRef) ? (!has(self.backendRef.kind) || self.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported"
+//
+// ExtProc defines the configuration for External Processing filter.
+type ExtProc struct {
+	// Service defines the configuration of the external processing service
+	BackendRef ExtProcBackendRef `json:"backendRef"`
+}
+
+// ExtProcService defines the gRPC External Processing service using the envoy grpc client
+// The processing request and response messages are defined in
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ext_proc/v3/external_processor.proto
+type ExtProcBackendRef struct {
+	// BackendObjectReference references a Kubernetes object that represents the
+	// backend server to which the processing requests will be sent.
+	// Only service Kind is supported for now.
+	gwapiv1.BackendObjectReference `json:",inline"`
+}

api/v1alpha1/timeout_types.go

@@ -50,9 +50,15 @@ type ClientTimeout struct {
 }
 
 type HTTPClientTimeout struct {
-	// The duration envoy waits for the complete request reception. This timer starts upon request
+	// RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
 	// initiation and stops when either the last byte of the request is sent upstream or when the response begins.
 	//
 	// +optional
 	RequestReceivedTimeout *gwapiv1.Duration `json:"requestReceivedTimeout,omitempty"`
+
+	// IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+	// Default: 1 hour.
+	//
+	// +optional
+	IdleTimeout *gwapiv1.Duration `json:"idleTimeout,omitempty"`
 }