merge with latest main

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

.github/codecov.yml

@@ -10,3 +10,7 @@ coverage:
         target: 60%
         threshold: 5%
         if_ci_failed: error
+ignore:
+  - "cmd"
+  - "**/*.pb.go"
+  - "**/zz_generated.deepcopy.go"

.github/dependabot.yml

@@ -20,6 +20,8 @@ updates:
     ignore:
       # skip to update retest, because it won't work with the latest version
       - dependency-name: "envoyproxy/toolshed/gh-actions/retest"
+      # skip until https://github.com/codecov/feedback/issues/112 is resolved
+      - dependency-name: "codecov/codecov-action"
   - package-ecosystem: github-actions
     directory: /tools/github-actions/setup-deps
     schedule:

.github/workflows/build_and_test.yaml

@@ -54,7 +54,7 @@ jobs:
     - name: Upload coverage to Codecov
       uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0  # v3.1.5
       with:
-        fail_ci_if_error: true
+        fail_ci_if_error: false
         files: ./coverage.xml
         name: codecov-envoy-gateway
         verbose: true

.github/workflows/cherrypick.yaml

@@ -6,7 +6,8 @@ on:
     types: ["closed"]
 
 permissions:
-  contents: read
+  pull-requests: write
+  contents: write
 
 jobs:
   cherry_pick_release_v1_0:
@@ -19,7 +20,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Cherry pick into release/v1.0
-        uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5  # v1.0.9
+        uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3  # v1.0.10
         with:
           branch: release/v1.0
           title: "[release/v1.0] {old_title}"

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c  # v3.24.7
+      uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a  # v3.24.10
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c  # v3.24.7
+      uses: github/codeql-action/autobuild@4355270be187e1b672a7a1c7c7bae5afdc1ab94a  # v3.24.10
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c  # v3.24.7
+      uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a  # v3.24.10
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -6,12 +6,14 @@ on:
     - "release/v*"
     paths:
     - 'site/**'
+    - 'tools/make/docs.mk'
   pull_request:
     branches:
     - "main"
     - "release/v*"
     paths:
     - 'site/**'
+    - 'tools/make/docs.mk'
 
 permissions:
   contents: read
@@ -25,12 +27,20 @@ jobs:
       with:
         ref: ${{ github.event.pull_request.head.sha }}
 
+    - uses: ./tools/github-actions/setup-deps
+
     - name: Run markdown linter
       uses: nosborn/github-action-markdown-cli@9b5e871c11cc0649c5ac2526af22e23525fa344d  # v3.3.0
       with:
         files: site/content/*
         config_file: ".github/markdown_lint_config.json"
 
+    - name: Install linkinator
+      run: npm install -g linkinator@6.0.4
+
+    - name: Check links
+      run: make docs docs-check-links
+
   docs-build:
     runs-on: ubuntu-latest
     needs: docs-lint
@@ -43,8 +53,10 @@ jobs:
         submodules: true
         ref: ${{ github.event.pull_request.head.sha }}
 
+    - uses: ./tools/github-actions/setup-deps
+
     - name: Setup Hugo
-      uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d  # v2.6.0
+      uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f  # v3.0.0
       with:
         hugo-version: 'latest'
         extended: true
@@ -86,4 +98,4 @@ jobs:
     steps:
     - name: Deploy to GitHub Pages
       id: deployment
-      uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4  # v4.0.4
+      uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e  # v4.0.5

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c  # v3.24.7
+      uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a  # v3.24.10
       with:
         sarif_file: results.sarif

ADOPTERS.md

@@ -41,3 +41,13 @@ If you would like to be included in this table, please submit a PR to this file
 * Status: production
 * (Option) https://tetrate.io/wp-content/uploads/2023/03/tetrate-logo-dark.svg
 * (Option) Description:
+
+## Airspace Link
+* Organizatioin: Airspace Link
+* Website: https://airspacelink.com/
+* Category: End User
+* Environments: Azure
+* Use Cases:
+    - Airspace Link is using Envoy Gateway to route all public APIs to Kubernetes clusters, developers are manipulating routes descriptions using agnostic manifest files, which are then automatically provisioned using Envoy Gateway.
+* Status: production
+* Logo: https://airhub.airspacelink.com/images/asl-flat-logo.png

OWNERS

@@ -21,7 +21,6 @@ reviewers:
 
 - chauhanshubham
 - kflynn
-- LanceEa
 - tmsnan
 - tanujd11
 - cnvergence

README.md

@@ -6,6 +6,7 @@
 
 Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or
 Kubernetes-based application gateway.
+[Gateway API](https://gateway-api.sigs.k8s.io) resources are used to dynamically provision and configure the managed Envoy Proxies.
 
 ## Documentation
 

VERSION

@@ -1 +1 @@
-v1.0.0
+v1.0.1

api/v1alpha1/accesslogging_types.go

@@ -5,6 +5,8 @@
 
 package v1alpha1
 
+import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+
 type ProxyAccessLog struct {
 	// Disable disables access logging for managed proxies if set to true.
 	Disable bool `json:"disable,omitempty"`
@@ -92,16 +94,26 @@ type FileEnvoyProxyAccessLog struct {
 	Path string `json:"path,omitempty"`
 }
 
-// TODO: consider reuse ExtensionService?
+// OpenTelemetryEnvoyProxyAccessLog defines the OpenTelemetry access log sink.
+//
+// +kubebuilder:validation:XValidation:message="BackendRef only support Service Kind.",rule="!has(self.backendRef) || !has(self.backendRef.kind) || self.backendRef.kind == 'Service'"
 type OpenTelemetryEnvoyProxyAccessLog struct {
 	// Host define the extension service hostname.
+	// Deprecated: Use BackendRef instead.
 	Host string `json:"host"`
 	// Port defines the port the extension service is exposed on.
+	// Deprecated: Use BackendRef instead.
 	//
 	// +optional
 	// +kubebuilder:validation:Minimum=0
 	// +kubebuilder:default=4317
 	Port int32 `json:"port,omitempty"`
+	// BackendRef references a Kubernetes object that represents the
+	// backend server to which the accesslog will be sent.
+	// Only service Kind is supported for now.
+	//
+	// +optional
+	BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"`
 	// Resources is a set of labels that describe the source of a log entry, including envoy node info.
 	// It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
 	// +optional

api/v1alpha1/clienttrafficpolicy_types.go

@@ -99,8 +99,30 @@ type HeaderSettings struct {
 	// and responses.
 	// +optional
 	EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`
+
+	// WithUnderscoresAction configures the action to take when an HTTP header with underscores
+	// is encountered. The default action is to reject the request.
+	// +optional
+	WithUnderscoresAction *WithUnderscoresAction `json:"withUnderscoresAction,omitempty"`
 }
 
+// WithUnderscoresAction configures the action to take when an HTTP header with underscores
+// is encountered.
+// +kubebuilder:validation:Enum=Allow;RejectRequest;DropHeader
+type WithUnderscoresAction string
+
+const (
+	// WithUnderscoresActionAllow allows headers with underscores to be passed through.
+	WithUnderscoresActionAllow WithUnderscoresAction = "Allow"
+	// WithUnderscoresActionRejectRequest rejects the client request. HTTP/1 requests are rejected with
+	// the 400 status. HTTP/2 requests end with the stream reset.
+	WithUnderscoresActionRejectRequest WithUnderscoresAction = "RejectRequest"
+	// WithUnderscoresActionDropHeader drops the client header with name containing underscores. The header
+	// is dropped before the filter chain is invoked and as such filters will not see
+	// dropped headers.
+	WithUnderscoresActionDropHeader WithUnderscoresAction = "DropHeader"
+)
+
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
 //
 // +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"

api/v1alpha1/connection_types.go

@@ -5,24 +5,34 @@
 
 package v1alpha1
 
-import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
 
 // Connection allows users to configure connection-level settings
 type Connection struct {
-	// Limit defines limits related to connections
+	// ConnectionLimit defines limits related to connections
 	//
 	// +optional
-	Limit *ConnectionLimit `json:"limit,omitempty"`
+	ConnectionLimit *ConnectionLimit `json:"connectionLimit,omitempty"`
+	// BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
+	// For example, 20Mi, 1Gi, 256Ki etc.
+	// Note that when the suffix is not provided, the value is interpreted as bytes.
+	// Default: 32768 bytes.
+	//
+	// +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="bufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\""
+	// +optional
+	BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"`
 }
 
 type ConnectionLimit struct {
 	// Value of the maximum concurrent connections limit.
 	// When the limit is reached, incoming connections will be closed after the CloseDelay duration.
 	// Default: unlimited.
 	//
-	// +optional
 	// +kubebuilder:validation:Minimum=0
-	Value *int64 `json:"value,omitempty"`
+	Value int64 `json:"value,omitempty"`
 
 	// CloseDelay defines the delay to use before closing connections that are rejected
 	// once the limit value is reached.

api/v1alpha1/envoyextensionypolicy_types.go

@@ -46,15 +46,16 @@ type EnvoyExtensionPolicySpec struct {
 	// TargetRef
 	TargetRef gwapiv1a2.PolicyTargetReferenceWithSectionName `json:"targetRef"`
 
-	// Priority of the EnvoyExtensionPolicy.
-	// If multiple EnvoyExtensionPolices are applied to the same
-	// TargetRef, extensions will execute in the ascending order of
-	// the priority i.e. int32.min has the highest priority and
-	// int32.max has the lowest priority.
-	// Defaults to 0.
+	// WASM is a list of Wasm extensions to be loaded by the Gateway.
+	// Order matters, as the extensions will be loaded in the order they are
+	// defined in this list.
 	//
 	// +optional
-	Priority int32 `json:"priority,omitempty"`
+	WASM []Wasm `json:"wasm,omitempty"`
+
+	// ExtProc is an ordered list of external processing filters
+	// that should added to the envoy filter chain
+	ExtProc []ExtProc `json:"extProc,omitempty"`
 }
 
 //+kubebuilder:object:root=true

api/v1alpha1/envoygateway_helpers.go

@@ -9,6 +9,8 @@ import (
 	"fmt"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
 // DefaultEnvoyGateway returns a new EnvoyGateway with default configuration parameters.
@@ -39,6 +41,14 @@ func (e *EnvoyGateway) SetEnvoyGatewayDefaults() {
 	if e.Provider == nil {
 		e.Provider = DefaultEnvoyGatewayProvider()
 	}
+	if e.Provider.Kubernetes == nil {
+		e.Provider.Kubernetes = &EnvoyGatewayKubernetesProvider{
+			LeaderElection: DefaultLeaderElection(),
+		}
+	}
+	if e.Provider.Kubernetes.LeaderElection == nil {
+		e.Provider.Kubernetes.LeaderElection = DefaultLeaderElection()
+	}
 	if e.Gateway == nil {
 		e.Gateway = DefaultGateway()
 	}
@@ -85,6 +95,16 @@ func (e *EnvoyGateway) NamespaceMode() bool {
 		len(e.Provider.Kubernetes.Watch.Namespaces) > 0
 }
 
+// DefaultLeaderElection returns a new LeaderElection with default configuration parameters.
+func DefaultLeaderElection() *LeaderElection {
+	return &LeaderElection{
+		RenewDeadline: ptr.To(gwapiv1.Duration("10s")),
+		RetryPeriod:   ptr.To(gwapiv1.Duration("2s")),
+		LeaseDuration: ptr.To(gwapiv1.Duration("15s")),
+		Disable:       ptr.To(false),
+	}
+}
+
 // DefaultGateway returns a new Gateway with default configuration parameters.
 func DefaultGateway() *Gateway {
 	return &Gateway{
@@ -148,6 +168,9 @@ func DefaultEnvoyGatewayPrometheus() *EnvoyGatewayPrometheusProvider {
 func DefaultEnvoyGatewayProvider() *EnvoyGatewayProvider {
 	return &EnvoyGatewayProvider{
 		Type: ProviderTypeKubernetes,
+		Kubernetes: &EnvoyGatewayKubernetesProvider{
+			LeaderElection: DefaultLeaderElection(),
+		},
 	}
 }
 
@@ -195,9 +218,16 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern
 
 	if r.Kubernetes == nil {
 		r.Kubernetes = DefaultEnvoyGatewayKubeProvider()
+		if r.Kubernetes.LeaderElection == nil {
+			r.Kubernetes.LeaderElection = DefaultLeaderElection()
+		}
 		return r.Kubernetes
 	}
 
+	if r.Kubernetes.LeaderElection == nil {
+		r.Kubernetes.LeaderElection = DefaultLeaderElection()
+	}
+
 	if r.Kubernetes.RateLimitDeployment == nil {
 		r.Kubernetes.RateLimitDeployment = DefaultKubernetesDeployment(DefaultRateLimitImage)
 	}