fix: merge

.github/workflows/cherrypick.yaml

@@ -6,11 +6,13 @@ on:
     types: ["closed"]
 
 permissions:
-  pull-requests: write
-  contents: write
+  contents: read
 
 jobs:
   cherry_pick_release_v1_0:
+    permissions:
+      pull-requests: write
+      contents: write
     runs-on: ubuntu-22.04
     name: Cherry pick into release-v1.0
     if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v1.0') && github.event.pull_request.merged == true }}

README.md

@@ -12,8 +12,8 @@ Kubernetes-based application gateway.
 
 * [Blog][blog] introducing Envoy Gateway.
 * [Goals](GOALS.md)
-* [Quickstart](https://gateway.envoyproxy.io/latest/user/quickstart/) to use Envoy Gateway in a few simple steps.
-* [Roadmap](https://gateway.envoyproxy.io/latest/contributions/roadmap/)
+* [Quickstart](https://gateway.envoyproxy.io/latest/tasks/quickstart/) to use Envoy Gateway in a few simple steps.
+* [Roadmap](https://gateway.envoyproxy.io/contributions/roadmap/)
 
 ## Contact
 
@@ -22,9 +22,9 @@ Kubernetes-based application gateway.
 
 ## Contributing
 
-* [Code of conduct](https://gateway.envoyproxy.io/latest/contributions/code_of_conduct/)
-* [Contributing guide](https://gateway.envoyproxy.io/latest/contributions/contributing/)
-* [Developer guide](https://gateway.envoyproxy.io/latest/contributions/develop/)
+* [Code of conduct](/CODE_OF_CONDUCT)
+* [Contributing guide](https://gateway.envoyproxy.io/contributions/contributing/)
+* [Developer guide](https://gateway.envoyproxy.io/contributions/develop/)
 
 ## Community Meeting
 

VERSION

@@ -1 +1 @@
-v1.0.0
+v1.0.1

api/v1alpha1/accesslogging_types.go

@@ -5,8 +5,6 @@
 
 package v1alpha1
 
-import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
-
 type ProxyAccessLog struct {
 	// Disable disables access logging for managed proxies if set to true.
 	Disable bool `json:"disable,omitempty"`
@@ -62,6 +60,10 @@ type ProxyAccessLogFormat struct {
 type ProxyAccessLogSinkType string
 
 const (
+	// ProxyAccessLogSinkTypeALS defines the gRPC Access Log Service (ALS) sink.
+	// The service must implement the Envoy gRPC Access Log Service streaming API:
+	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto
+	ProxyAccessLogSinkTypeALS ProxyAccessLogSinkType = "ALS"
 	// ProxyAccessLogSinkTypeFile defines the file accesslog sink.
 	ProxyAccessLogSinkTypeFile ProxyAccessLogSinkType = "File"
 	// ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
@@ -73,13 +75,17 @@ const (
 // ProxyAccessLogSink defines the sink of accesslog.
 // +union
 //
+// +kubebuilder:validation:XValidation:rule="self.type == 'ALS' ? has(self.als) : !has(self.als)",message="If AccessLogSink type is ALS, als field needs to be set."
 // +kubebuilder:validation:XValidation:rule="self.type == 'File' ? has(self.file) : !has(self.file)",message="If AccessLogSink type is File, file field needs to be set."
 // +kubebuilder:validation:XValidation:rule="self.type == 'OpenTelemetry' ? has(self.openTelemetry) : !has(self.openTelemetry)",message="If AccessLogSink type is OpenTelemetry, openTelemetry field needs to be set."
 type ProxyAccessLogSink struct {
 	// Type defines the type of accesslog sink.
-	// +kubebuilder:validation:Enum=File;OpenTelemetry
+	// +kubebuilder:validation:Enum=ALS;File;OpenTelemetry
 	// +unionDiscriminator
 	Type ProxyAccessLogSinkType `json:"type,omitempty"`
+	// ALS defines the gRPC Access Log Service (ALS) sink.
+	// +optional
+	ALS *ALSEnvoyProxyAccessLog `json:"als,omitempty"`
 	// File defines the file accesslog sink.
 	// +optional
 	File *FileEnvoyProxyAccessLog `json:"file,omitempty"`
@@ -88,6 +94,59 @@ type ProxyAccessLogSink struct {
 	OpenTelemetry *OpenTelemetryEnvoyProxyAccessLog `json:"openTelemetry,omitempty"`
 }
 
+type ALSEnvoyProxyAccessLogType string
+
+const (
+	// ALSEnvoyProxyAccessLogTypeHTTP defines the HTTP access log type and will populate StreamAccessLogsMessage.http_logs.
+	ALSEnvoyProxyAccessLogTypeHTTP ALSEnvoyProxyAccessLogType = "HTTP"
+	// ALSEnvoyProxyAccessLogTypeTCP defines the TCP access log type and will populate StreamAccessLogsMessage.tcp_logs.
+	ALSEnvoyProxyAccessLogTypeTCP ALSEnvoyProxyAccessLogType = "TCP"
+)
+
+// ALSEnvoyProxyAccessLog defines the gRPC Access Log Service (ALS) sink.
+// The service must implement the Envoy gRPC Access Log Service streaming API:
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto
+// Access log format information is passed in the form of gRPC metadata when the
+// stream is established. Specifically, the following metadata is passed:
+//
+// - `x-accesslog-text` - The access log format string when a Text format is used.
+// - `x-accesslog-attr` - JSON encoded key/value pairs when a JSON format is used.
+//
+// +kubebuilder:validation:XValidation:rule="self.type == 'HTTP' || !has(self.http)",message="The http field may only be set when type is HTTP."
+type ALSEnvoyProxyAccessLog struct {
+	// BackendRefs references a Kubernetes object that represents the gRPC service to which
+	// the access logs will be sent. Currently only Service is supported.
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=1
+	// +kubebuilder:validation:XValidation:message="BackendRefs only supports Service kind.",rule="self.all(f, f.kind == 'Service')"
+	BackendRefs []BackendRef `json:"backendRefs"`
+	// LogName defines the friendly name of the access log to be returned in
+	// StreamAccessLogsMessage.Identifier. This allows the access log server
+	// to differentiate between different access logs coming from the same Envoy.
+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	LogName *string `json:"logName,omitempty"`
+	// Type defines the type of accesslog. Supported types are "HTTP" and "TCP".
+	// +kubebuilder:validation:Enum=HTTP;TCP
+	Type ALSEnvoyProxyAccessLogType `json:"type"`
+	// HTTP defines additional configuration specific to HTTP access logs.
+	// +optional
+	HTTP *ALSEnvoyProxyHTTPAccessLogConfig `json:"http,omitempty"`
+}
+
+type ALSEnvoyProxyHTTPAccessLogConfig struct {
+	// RequestHeaders defines request headers to include in log entries sent to the access log service.
+	// +optional
+	RequestHeaders []string `json:"requestHeaders,omitempty"`
+	// ResponseHeaders defines response headers to include in log entries sent to the access log service.
+	// +optional
+	ResponseHeaders []string `json:"responseHeaders,omitempty"`
+	// ResponseTrailers defines response trailers to include in log entries sent to the access log service.
+	// +optional
+	ResponseTrailers []string `json:"responseTrailers,omitempty"`
+}
+
 type FileEnvoyProxyAccessLog struct {
 	// Path defines the file path used to expose envoy access log(e.g. /dev/stdout).
 	// +kubebuilder:validation:MinLength=1
@@ -96,24 +155,28 @@ type FileEnvoyProxyAccessLog struct {
 
 // OpenTelemetryEnvoyProxyAccessLog defines the OpenTelemetry access log sink.
 //
-// +kubebuilder:validation:XValidation:message="BackendRef only support Service Kind.",rule="!has(self.backendRef) || !has(self.backendRef.kind) || self.backendRef.kind == 'Service'"
+// +kubebuilder:validation:XValidation:message="host or backendRefs needs to be set",rule="has(self.host) || self.backendRefs.size() > 0"
 type OpenTelemetryEnvoyProxyAccessLog struct {
 	// Host define the extension service hostname.
 	// Deprecated: Use BackendRef instead.
-	Host string `json:"host"`
+	//
+	// +optional
+	Host *string `json:"host,omitempty"`
 	// Port defines the port the extension service is exposed on.
 	// Deprecated: Use BackendRef instead.
 	//
 	// +optional
 	// +kubebuilder:validation:Minimum=0
 	// +kubebuilder:default=4317
 	Port int32 `json:"port,omitempty"`
-	// BackendRef references a Kubernetes object that represents the
+	// BackendRefs references a Kubernetes object that represents the
 	// backend server to which the accesslog will be sent.
 	// Only service Kind is supported for now.
 	//
 	// +optional
-	BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"`
+	// +kubebuilder:validation:MaxItems=1
+	// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
+	BackendRefs []BackendRef `json:"backendRefs,omitempty"`
 	// Resources is a set of labels that describe the source of a log entry, including envoy node info.
 	// It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
 	// +optional

api/v1alpha1/backendtrafficpolicy_types.go

@@ -95,6 +95,7 @@ type BackendTrafficPolicySpec struct {
 	// The compression config for the http streams.
 	//
 	// +optional
+	// +notImplementedHide
 	Compression []*Compression `json:"compression,omitempty"`
 }
 

api/v1alpha1/envoyextensionypolicy_types.go

@@ -46,12 +46,12 @@ type EnvoyExtensionPolicySpec struct {
 	// TargetRef
 	TargetRef gwapiv1a2.PolicyTargetReferenceWithSectionName `json:"targetRef"`
 
-	// WASM is a list of Wasm extensions to be loaded by the Gateway.
+	// Wasm is a list of Wasm extensions to be loaded by the Gateway.
 	// Order matters, as the extensions will be loaded in the order they are
 	// defined in this list.
 	//
 	// +optional
-	WASM []Wasm `json:"wasm,omitempty"`
+	Wasm []Wasm `json:"wasm,omitempty"`
 
 	// ExtProc is an ordered list of external processing filters
 	// that should added to the envoy filter chain

api/v1alpha1/envoygateway_types.go

@@ -354,6 +354,9 @@ type RateLimit struct {
 type RateLimitTelemetry struct {
 	// Metrics defines metrics configuration for RateLimit.
 	Metrics *RateLimitMetrics `json:"metrics,omitempty"`
+
+	// Tracing defines traces configuration for RateLimit.
+	Tracing *RateLimitTracing `json:"tracing,omitempty"`
 }
 
 type RateLimitMetrics struct {
@@ -366,6 +369,34 @@ type RateLimitMetricsPrometheusProvider struct {
 	Disable bool `json:"disable,omitempty"`
 }
 
+type RateLimitTracing struct {
+	// SamplingRate controls the rate at which traffic will be
+	// selected for tracing if no prior sampling decision has been made.
+	// Defaults to 100, valid values [0-100]. 100 indicates 100% sampling.
+	// +optional
+	SamplingRate *uint32 `json:"samplingRate,omitempty"`
+
+	// Provider defines the rateLimit tracing provider.
+	// Only OpenTelemetry is supported currently.
+	Provider *RateLimitTracingProvider `json:"provider,omitempty"`
+}
+
+type RateLimitTracingProviderType string
+
+const (
+	RateLimitTracingProviderTypeOpenTelemetry TracingProviderType = "OpenTelemetry"
+)
+
+// RateLimitTracingProvider defines the tracing provider configuration of RateLimit
+type RateLimitTracingProvider struct {
+	// Type defines the tracing provider type.
+	// Since to RateLimit Exporter currently using OpenTelemetry, only OpenTelemetry is supported
+	Type *RateLimitTracingProviderType `json:"type,omitempty"`
+
+	// URL is the endpoint of the trace collector that supports the OTLP protocol
+	URL string `json:"url"`
+}
+
 // RateLimitDatabaseBackend defines the configuration associated with
 // the database backend used by the rate limit service.
 // +union

api/v1alpha1/envoyproxy_metric_types.go

@@ -5,8 +5,6 @@
 
 package v1alpha1
 
-import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
-
 type MetricSinkType string
 
 const (
@@ -55,11 +53,13 @@ type ProxyMetricSink struct {
 
 // ProxyOpenTelemetrySink defines the configuration for OpenTelemetry sink.
 //
-// +kubebuilder:validation:XValidation:message="BackendRef only support Service Kind.",rule="!has(self.backendRef) || !has(self.backendRef.kind) || self.backendRef.kind == 'Service'"
+// +kubebuilder:validation:XValidation:message="host or backendRefs needs to be set",rule="has(self.host) || self.backendRefs.size() > 0"
 type ProxyOpenTelemetrySink struct {
 	// Host define the service hostname.
 	// Deprecated: Use BackendRef instead.
-	Host string `json:"host"`
+	//
+	// +optional
+	Host *string `json:"host,omitempty"`
 	// Port defines the port the service is exposed on.
 	// Deprecated: Use BackendRef instead.
 	//
@@ -68,17 +68,22 @@ type ProxyOpenTelemetrySink struct {
 	// +kubebuilder:validation:Maximum=65535
 	// +kubebuilder:default=4317
 	Port int32 `json:"port,omitempty"`
-	// BackendRef references a Kubernetes object that represents the
+	// BackendRefs references a Kubernetes object that represents the
 	// backend server to which the metric will be sent.
 	// Only service Kind is supported for now.
 	//
 	// +optional
-	BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"`
+	// +kubebuilder:validation:MaxItems=1
+	// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
+	BackendRefs []BackendRef `json:"backendRefs,omitempty"`
 
 	// TODO: add support for customizing OpenTelemetry sink in https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto#envoy-v3-api-msg-extensions-stat-sinks-open-telemetry-v3-sinkconfig
 }
 
 type ProxyPrometheusProvider struct {
 	// Disable the Prometheus endpoint.
 	Disable bool `json:"disable,omitempty"`
+	// Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load.
+	// +optional
+	Compression *Compression `json:"compression,omitempty"`
 }

api/v1alpha1/envoyproxy_types.go

@@ -86,8 +86,92 @@ type EnvoyProxySpec struct {
 	//
 	// +optional
 	Shutdown *ShutdownConfig `json:"shutdown,omitempty"`
+
+	// FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
+	// If unspecified, the default filter order is applied.
+	// Default filter order is:
+	//
+	// - envoy.filters.http.fault
+	//
+	// - envoy.filters.http.cors
+	//
+	// - envoy.filters.http.ext_authz
+	//
+	// - envoy.filters.http.basic_authn
+	//
+	// - envoy.filters.http.oauth2
+	//
+	// - envoy.filters.http.jwt_authn
+	//
+	// - envoy.filters.http.ext_proc
+	//
+	// - envoy.filters.http.wasm
+	//
+	// - envoy.filters.http.local_ratelimit
+	//
+	// - envoy.filters.http.ratelimit
+	//
+	// - envoy.filters.http.router
+	//
+	// +optional
+	// +notImplementedHide
+	FilterOrder []FilterPosition `json:"filterOrder,omitempty"`
 }
 
+// FilterPosition defines the position of an Envoy HTTP filter in the filter chain.
+// +kubebuilder:validation:XValidation:rule="(has(self.before) || has(self.after))",message="one of before or after must be specified"
+// +kubebuilder:validation:XValidation:rule="(has(self.before) && !has(self.after)) || (!has(self.before) && has(self.after))",message="only one of before or after can be specified"
+type FilterPosition struct {
+	// Name of the filter.
+	Name EnvoyFilter `json:"filter"`
+
+	// Before defines the filter that should come before the filter.
+	// Only one of Before or After must be set.
+	Before *EnvoyFilter `json:"before,omitempty"`
+
+	// After defines the filter that should come after the filter.
+	// Only one of Before or After must be set.
+	After *EnvoyFilter `json:"after,omitempty"`
+}
+
+// EnvoyFilter defines the type of Envoy HTTP filter.
+// +kubebuilder:validation:Enum=envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.basic_authn;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.fault;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.wasm;envoy.filters.http.ext_proc
+type EnvoyFilter string
+
+const (
+	// EnvoyFilterFault defines the Envoy HTTP fault filter.
+	EnvoyFilterFault EnvoyFilter = "envoy.filters.http.fault"
+	// EnvoyFilterCORS defines the Envoy HTTP CORS filter.
+	EnvoyFilterCORS EnvoyFilter = "envoy.filters.http.cors"
+
+	// EnvoyFilterExtAuthz defines the Envoy HTTP external authorization filter.
+	EnvoyFilterExtAuthz EnvoyFilter = "envoy.filters.http.ext_authz"
+
+	// EnvoyFilterBasicAuthn defines the Envoy HTTP basic authentication filter.
+	EnvoyFilterBasicAuthn EnvoyFilter = "envoy.filters.http.basic_authn"
+
+	// EnvoyFilterOAuth2 defines the Envoy HTTP OAuth2 filter.
+	EnvoyFilterOAuth2 EnvoyFilter = "envoy.filters.http.oauth2"
+
+	// EnvoyFilterJWTAuthn defines the Envoy HTTP JWT authentication filter.
+	EnvoyFilterJWTAuthn EnvoyFilter = "envoy.filters.http.jwt_authn"
+
+	// EnvoyFilterExtProc defines the Envoy HTTP external process filter.
+	EnvoyFilterExtProc EnvoyFilter = "envoy.filters.http.ext_proc"
+
+	// EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
+	EnvoyFilterWasm EnvoyFilter = "envoy.filters.http.wasm"
+
+	// EnvoyFilterLocalRateLimit defines the Envoy HTTP local rate limit filter.
+	EnvoyFilterLocalRateLimit EnvoyFilter = "envoy.filters.http.local_ratelimit"
+
+	// EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter.
+	EnvoyFilterRateLimit EnvoyFilter = "envoy.filters.http.ratelimit"
+
+	// EnvoyFilterRouter defines the Envoy HTTP router filter.
+	EnvoyFilterRouter EnvoyFilter = "envoy.filters.http.router"
+)
+
 type ProxyTelemetry struct {
 	// AccessLogs defines accesslog parameters for managed proxies.
 	// If unspecified, will send default format to stdout.