Merge branch 'main' into wasm-http
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
zhaohuabing authored Apr 19, 2024
2 parents 8d536ba + a428eb7 commit a13e258
Showing 61 changed files with 2,403 additions and 635 deletions.
6 changes: 4 additions & 2 deletions .github/workflows/cherrypick.yaml
Expand Up @@ -6,11 +6,13 @@ on:
types: ["closed"]

permissions:
pull-requests: write
contents: write
contents: read

jobs:
cherry_pick_release_v1_0:
permissions:
pull-requests: write
contents: write
runs-on: ubuntu-22.04
name: Cherry pick into release-v1.0
if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v1.0') && github.event.pull_request.merged == true }}
4 changes: 4 additions & 0 deletions api/v1alpha1/jwt_types.go
Expand Up @@ -8,6 +8,10 @@ package v1alpha1
// JWT defines the configuration for JSON Web Token (JWT) authentication.
type JWT struct {

// Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
// Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented.
Optional *bool `json:"optional,omitempty"`

// Providers defines the JSON Web Token (JWT) authentication provider type.
// When multiple JWT providers are specified, the JWT is considered valid if
// any of the providers successfully validate the JWT. For additional details,
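Review bot: The new `Optional` field carries `omitempty` in its json tag but no `// +optional` kubebuilder marker, unlike the other optional pointer fields in this API package (compare `AllocateLoadBalancerNodePorts` and `LoadBalancerSourceRanges` in shared_types.go in the same commit); add `// +optional` directly above the field so the generated schema and reference docs treat it consistently. The doc comment already captures the important behavior (a missing token is accepted, an invalid one is still rejected); consider adding one more sentence, `// When true, anything downstream that relies on JWT claims must handle requests that carry no token.`, since that is the case operators most often get wrong. The JWT struct continues outside the hunk.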
9 changes: 9 additions & 0 deletions api/v1alpha1/shared_types.go
Expand Up @@ -220,6 +220,7 @@ const (

// KubernetesServiceSpec defines the desired state of the Kubernetes service resource.
// +kubebuilder:validation:XValidation:message="allocateLoadBalancerNodePorts can only be set for LoadBalancer type",rule="!has(self.allocateLoadBalancerNodePorts) || self.type == 'LoadBalancer'"
// +kubebuilder:validation:XValidation:message="loadBalancerSourceRanges can only be set for LoadBalancer type",rule="!has(self.loadBalancerSourceRanges) || self.type == 'LoadBalancer'"
// +kubebuilder:validation:XValidation:message="loadBalancerIP can only be set for LoadBalancer type",rule="!has(self.loadBalancerIP) || self.type == 'LoadBalancer'"
type KubernetesServiceSpec struct {
// Annotations that should be appended to the service.
Expand Down Expand Up @@ -250,6 +251,14 @@ type KubernetesServiceSpec struct {
// +optional
AllocateLoadBalancerNodePorts *bool `json:"allocateLoadBalancerNodePorts,omitempty"`

// LoadBalancerSourceRanges defines a list of allowed IP addresses which will be configured as
// firewall rules on the platform providers load balancer. This is not guaranteed to be working as
// it happens outside of kubernetes and has to be supported and handled by the platform provider.
// This field may only be set for services with type LoadBalancer and will be cleared if the type
// is changed to any other type.
// +optional
LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"`

// LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
// may be ignored if the load balancer provider does not support this feature.
// This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
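Review bot: The added XValidation only ties `loadBalancerSourceRanges` to the LoadBalancer type; nothing in the schema constrains the entries themselves, whereas `loadBalancerIP` is checked against an IPv4 pattern in the generated CRD. These strings become firewall rules on the provider load balancer, so a malformed or non-IPv4 entry is better rejected at admission than only by the in-process validator, which also runs later and only on the controller side. A per-item rule in the same style as the existing one, e.g. an XValidation on the field using `self.all(r, r.matches(<IPv4 CIDR pattern, constructed>))`, would close that gap; the field comment should then also say that only IPv4 CIDRs are accepted, which is what the Go validator in this commit enforces. The struct continues outside the hunk.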
13 changes: 13 additions & 0 deletions api/v1alpha1/validation/envoyproxy_validate.go
Expand Up @@ -8,6 +8,7 @@ package validation
import (
"errors"
"fmt"
"net"
"net/netip"

bootstrapv3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3"
Expand Down Expand Up @@ -115,6 +116,18 @@ func validateService(spec *egv1a1.EnvoyProxySpec) []error {
errs = append(errs, fmt.Errorf("allocateLoadBalancerNodePorts can only be set for %v type", egv1a1.ServiceTypeLoadBalancer))
}
}
if serviceType, serviceLoadBalancerSourceRanges :=
spec.Provider.Kubernetes.EnvoyService.Type, spec.Provider.Kubernetes.EnvoyService.LoadBalancerSourceRanges; serviceType != nil && serviceLoadBalancerSourceRanges != nil {
if *serviceType != egv1a1.ServiceTypeLoadBalancer {
errs = append(errs, fmt.Errorf("loadBalancerSourceRanges can only be set for %v type", egv1a1.ServiceTypeLoadBalancer))
}

for _, serviceLoadBalancerSourceRange := range serviceLoadBalancerSourceRanges {
if ip, _, err := net.ParseCIDR(serviceLoadBalancerSourceRange); err != nil || ip.To4() == nil {
errs = append(errs, fmt.Errorf("loadBalancerSourceRange:%s is an invalid IPv4 subnet", serviceLoadBalancerSourceRange))
}
}
}
if serviceType, serviceLoadBalancerIP := spec.Provider.Kubernetes.EnvoyService.Type, spec.Provider.Kubernetes.EnvoyService.LoadBalancerIP; serviceType != nil && serviceLoadBalancerIP != nil {
if *serviceType != egv1a1.ServiceTypeLoadBalancer {
errs = append(errs, fmt.Errorf("loadBalancerIP can only be set for %v type", egv1a1.ServiceTypeLoadBalancer))
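Review bot: The CIDR parsing loop is guarded by `serviceType != nil`, so an EnvoyService that omits `Type` but sets `LoadBalancerSourceRanges` passes this validator with the entries never parsed (this matters only if `Type` can actually be nil at this point; the pre-existing `loadBalancerIP` check below shares the pattern, so the assumption may be deliberate). Decouple the two checks: end the `if` header with `; serviceLoadBalancerSourceRanges != nil {` and make the inner test `if serviceType != nil && *serviceType != egv1a1.ServiceTypeLoadBalancer {`, leaving the loop unconditional. In the loop's error, prefer `%q` over `%s` for the offending entry so an empty or whitespace-only string is visible in the message, `fmt.Errorf("loadBalancerSourceRange:%q is an invalid IPv4 subnet", serviceLoadBalancerSourceRange)`. The enclosing validateService starts and ends outside the hunk.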
43 changes: 43 additions & 0 deletions api/v1alpha1/validation/envoyproxy_validate_test.go
Expand Up @@ -213,6 +213,49 @@ func TestValidateEnvoyProxy(t *testing.T) {
},
expected: false,
},

{
name: "envoy service type 'LoadBalancer' with loadBalancerSourceRanges",
proxy: &egv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Namespace: "test",
Name: "test",
},
Spec: egv1a1.EnvoyProxySpec{
Provider: &egv1a1.EnvoyProxyProvider{
Type: egv1a1.ProviderTypeKubernetes,
Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{
EnvoyService: &egv1a1.KubernetesServiceSpec{
Type: egv1a1.GetKubernetesServiceType(egv1a1.ServiceTypeLoadBalancer),
LoadBalancerSourceRanges: []string{"1.1.1.1/32"},
},
},
},
},
},
expected: true,
},
{
name: "non envoy service type 'LoadBalancer' with loadBalancerSourceRanges",
proxy: &egv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Namespace: "test",
Name: "test",
},
Spec: egv1a1.EnvoyProxySpec{
Provider: &egv1a1.EnvoyProxyProvider{
Type: egv1a1.ProviderTypeKubernetes,
Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{
EnvoyService: &egv1a1.KubernetesServiceSpec{
Type: egv1a1.GetKubernetesServiceType(egv1a1.ServiceTypeClusterIP),
LoadBalancerSourceRanges: []string{"1.1.1.1/32"},
},
},
},
},
},
expected: false,
},
{
name: "envoy service type 'LoadBalancer' with valid loadBalancerIP",
proxy: &egv1a1.EnvoyProxy{
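Review bot: Neither new case exercises the parse-failure path of the validator — a string that is not a CIDR, or an IPv6 range, which the validator rejects through `ip.To4() == nil` — so the `invalid IPv4 subnet` error added in the same commit has no test. Add two cases under the LoadBalancer type with `LoadBalancerSourceRanges: []string{"1.1.1.1"}` and `LoadBalancerSourceRanges: []string{"2001:db8::/32"}` (constructed values), both with `expected: false`. TestValidateEnvoyProxy starts and ends outside the hunk.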
10 changes: 10 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


Expand Up @@ -5859,6 +5859,16 @@ spec:
x-kubernetes-validations:
- message: loadBalancerIP must be a valid IPv4 address
rule: self.matches(r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
loadBalancerSourceRanges:
description: |-
LoadBalancerSourceRanges defines a list of allowed IP addresses which will be configured as
firewall rules on the platform providers load balancer. This is not guaranteed to be working as
it happens outside of kubernetes and has to be supported and handled by the platform provider.
This field may only be set for services with type LoadBalancer and will be cleared if the type
is changed to any other type.
items:
type: string
type: array
patch:
description: Patch defines how to perform the patch operation
to the service
Expand Down Expand Up @@ -5896,6 +5906,10 @@ spec:
LoadBalancer type
rule: '!has(self.allocateLoadBalancerNodePorts) || self.type
== ''LoadBalancer'''
- message: loadBalancerSourceRanges can only be set for LoadBalancer
type
rule: '!has(self.loadBalancerSourceRanges) || self.type
== ''LoadBalancer'''
- message: loadBalancerIP can only be set for LoadBalancer
type
rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
Expand Up @@ -422,6 +422,11 @@ spec:
description: JWT defines the configuration for JSON Web Token (JWT)
authentication.
properties:
optional:
description: |-
Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented.
type: boolean
providers:
description: |-
Providers defines the JSON Web Token (JWT) authentication provider type.
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -8,7 +8,7 @@ require (
github.com/Masterminds/semver/v3 v3.2.1
github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa
github.com/davecgh/go-spew v1.1.1
github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8
github.com/envoyproxy/go-control-plane v0.12.1-0.20240410145647-bdba4bba15fc
github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7
github.com/evanphx/json-patch/v5 v5.9.0
github.com/fatih/color v1.16.0
Expand Down Expand Up @@ -99,7 +99,7 @@ require (
github.com/morikuni/aec v1.0.0 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/rubenv/sql-migrate v1.5.2 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
8 changes: 4 additions & 4 deletions go.sum
Expand Up @@ -167,8 +167,8 @@ github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT
github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8 h1:Zghtu+wdlGvrmutCyhU9Ew5ozU18PVpxP+zGSgyUpFs=
github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8/go.mod h1:YtsM9q/kVkKyvmemY+BF/ZK7I93OWsx4uk4Do2Mr/OA=
github.com/envoyproxy/go-control-plane v0.12.1-0.20240410145647-bdba4bba15fc h1:FJoupBhZkbUXmzGxgAic3rEHeZf8jgvREB7uMfBI23w=
github.com/envoyproxy/go-control-plane v0.12.1-0.20240410145647-bdba4bba15fc/go.mod h1:Dj0RQ153G7gNYzcQCihXUreYTQbuJNuL7IT7v9+jTr4=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A=
github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
Expand Down Expand Up @@ -546,8 +546,8 @@ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 h1:pH+U6pJP0BhxqQ4njBUjOg0++WMMvv3eByWzB+oATBY=
github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
20 changes: 14 additions & 6 deletions internal/gatewayapi/listener.go
Expand Up @@ -43,10 +43,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
if resources.EnvoyProxy != nil {
infraIR[irKey].Proxy.Config = resources.EnvoyProxy
}

xdsIR[irKey].AccessLog = processAccessLog(infraIR[irKey].Proxy.Config)
xdsIR[irKey].Tracing = processTracing(gateway.Gateway, infraIR[irKey].Proxy.Config)
xdsIR[irKey].Metrics = processMetrics(infraIR[irKey].Proxy.Config)
t.processProxyObservability(gateway.Gateway, xdsIR[irKey], infraIR[irKey].Proxy.Config)

for _, listener := range gateway.listeners {
// Process protocol & supported kinds
Expand Down Expand Up @@ -130,6 +127,12 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
}
}

func (t *Translator) processProxyObservability(gw *gwapiv1.Gateway, xdsIR *ir.Xds, envoyProxy *egv1a1.EnvoyProxy) {
xdsIR.AccessLog = processAccessLog(envoyProxy)
xdsIR.Tracing = processTracing(gw, envoyProxy, t.MergeGateways)
xdsIR.Metrics = processMetrics(envoyProxy)
}

func (t *Translator) processInfraIRListener(listener *ListenerContext, infraIR InfraIRMap, irKey string, servicePort *protocolPort) {
var proto ir.ProtocolType
switch listener.Protocol {
Expand Down Expand Up @@ -242,7 +245,7 @@ func processAccessLog(envoyproxy *egv1a1.EnvoyProxy) *ir.AccessLog {
return irAccessLog
}

func processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.EnvoyProxy) *ir.Tracing {
func processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.EnvoyProxy, mergeGateways bool) *ir.Tracing {
if envoyproxy == nil ||
envoyproxy.Spec.Telemetry == nil ||
envoyproxy.Spec.Telemetry.Tracing == nil {
Expand All @@ -265,8 +268,13 @@ func processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.EnvoyProxy) *ir.Trac
samplingRate = float64(*tracing.SamplingRate)
}

serviceName := naming.ServiceName(utils.NamespacedName(gw))
if mergeGateways {
serviceName = string(gw.Spec.GatewayClassName)
}

return &ir.Tracing{
ServiceName: naming.ServiceName(utils.NamespacedName(gw)),
ServiceName: serviceName,
Host: host,
Port: port,
SamplingRate: samplingRate,
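Review bot: The new `processProxyObservability` has no comment, and the `mergeGateways` branch in `processTracing` changes the tracing service name from the namespaced Gateway to the GatewayClass name without saying why, which affects how spans are attributed when several Gateways share one proxy. Add `// processProxyObservability fills the access-log, tracing and metrics sections of xdsIR from the EnvoyProxy config.` above the new function, and `// With merged gateways one proxy serves every Gateway of the class, so the class name identifies the service.` above the `if mergeGateways` block. The EnvoyProxy parameter is spelled `envoyProxy` in the new function but `envoyproxy` in `processTracing`; pick one spelling. `processTracing` continues outside the hunk.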
30 changes: 27 additions & 3 deletions internal/gatewayapi/listener_test.go
Expand Up @@ -19,8 +19,9 @@ import (

func TestProcessTracing(t *testing.T) {
cases := []struct {
gw gwapiv1.Gateway
proxy *egcfgv1a1.EnvoyProxy
gw gwapiv1.Gateway
proxy *egcfgv1a1.EnvoyProxy
mergedgw bool

expected *ir.Tracing
}{
Expand All @@ -44,6 +45,29 @@ func TestProcessTracing(t *testing.T) {
SamplingRate: 100.0,
},
},
{
gw: gwapiv1.Gateway{
ObjectMeta: metav1.ObjectMeta{
Name: "fake-gw",
Namespace: "fake-ns",
},
Spec: gwapiv1.GatewaySpec{
GatewayClassName: "fake-gateway-class",
},
},
proxy: &egcfgv1a1.EnvoyProxy{
Spec: egcfgv1a1.EnvoyProxySpec{
Telemetry: &egcfgv1a1.ProxyTelemetry{
Tracing: &egcfgv1a1.ProxyTracing{},
},
},
},
mergedgw: true,
expected: &ir.Tracing{
ServiceName: "fake-gateway-class",
SamplingRate: 100.0,
},
},
{
gw: gwapiv1.Gateway{
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -149,7 +173,7 @@ func TestProcessTracing(t *testing.T) {
for _, c := range cases {
c := c
t.Run("", func(t *testing.T) {
got := processTracing(&c.gw, c.proxy)
got := processTracing(&c.gw, c.proxy, c.mergedgw)
assert.Equal(t, c.expected, got)
})
}
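Review bot: The new case field is named `mergedgw`, which neither follows Go's initialism casing nor matches the `mergeGateways` parameter it feeds; rename it `mergeGateways` in the struct, the new case, and the call, `got := processTracing(&c.gw, c.proxy, c.mergeGateways)`, so the table reads like the function signature. Style only; the added case itself pins the GatewayClass-derived service name correctly. TestProcessTracing starts outside the hunk.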
3 changes: 2 additions & 1 deletion internal/gatewayapi/securitypolicy.go
Expand Up @@ -527,7 +527,8 @@ func wildcard2regex(wildcard string) string {

func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT {
return &ir.JWT{
Providers: jwt.Providers,
AllowMissing: ptr.Deref(jwt.Optional, false),
Providers: jwt.Providers,
}
}

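Review bot: `buildJWT` now maps `jwt.Optional` to `AllowMissing` with no comment on what that flag means for the security of the route, and the function has no doc comment at all. Add above it `// buildJWT converts a policy's JWT settings to IR. AllowMissing mirrors JWT.Optional: a request without a token is let through the filter, while a present but invalid token is still rejected, so later authorization must not assume validated claims exist.` The mapping itself looks right: `ptr.Deref(jwt.Optional, false)` preserves the documented default of false when the field is unset.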
