Merge branch 'main' into chore-eep-docs

api/v1alpha1/backendtrafficpolicy_types.go

@@ -86,6 +86,13 @@ type BackendTrafficPolicySpec struct {
 	// +optional
 	Retry *Retry `json:"retry,omitempty"`
 
+	// UseClientProtocol configures Envoy to prefer sending requests to backends using
+	// the same HTTP protocol that the incoming request used. Defaults to false, which means
+	// that Envoy will use the protocol indicated by the attached BackendRef.
+	//
+	// +optional
+	UseClientProtocol *bool `json:"useClientProtocol,omitempty"`
+
 	// Timeout settings for the backend connections.
 	//
 	// +optional

api/v1alpha1/clienttrafficpolicy_types.go

@@ -222,6 +222,9 @@ type HTTP2Settings struct {
 
 	// MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
 	// If not set, the default value is 100.
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=2147483647
+	// +optional
 	MaxConcurrentStreams *uint32 `json:"maxConcurrentStreams,omitempty"`
 }
 

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -958,6 +958,12 @@ spec:
                         type: string
                     type: object
                 type: object
+              useClientProtocol:
+                description: |-
+                  UseClientProtocol configures Envoy to prefer sending requests to backends using
+                  the same HTTP protocol that the incoming request used. Defaults to false, which means
+                  that Envoy will use the protocol indicated by the attached BackendRef.
+                type: boolean
             required:
             - targetRef
             type: object

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -217,6 +217,8 @@ spec:
                       MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
                       If not set, the default value is 100.
                     format: int32
+                    maximum: 2147483647
+                    minimum: 1
                     type: integer
                 type: object
               http3:

internal/gatewayapi/clienttrafficpolicy.go

@@ -28,7 +28,11 @@ import (
 
 const (
 	// Use an invalid string to represent all sections (listeners) within a Gateway
-	AllSections = "/"
+	AllSections                         = "/"
+	MinHTTP2InitialStreamWindowSize     = 65535      // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size
+	MaxHTTP2InitialStreamWindowSize     = 2147483647 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size
+	MinHTTP2InitialConnectionWindowSize = MinHTTP2InitialStreamWindowSize
+	MaxHTTP2InitialConnectionWindowSize = MaxHTTP2InitialStreamWindowSize
 )
 
 func hasSectionName(policy *egv1a1.ClientTrafficPolicy) bool {
@@ -409,6 +413,11 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie
 			return err
 		}
 
+		// Translate HTTP2 Settings
+		if err := translateHTTP2Settings(policy.Spec.HTTP2, httpIR); err != nil {
+			return err
+		}
+
 		// enable http3 if set and TLS is enabled
 		if httpIR.TLS != nil && policy.Spec.HTTP3 != nil {
 			http3 := &ir.HTTP3Settings{
@@ -576,6 +585,52 @@ func translateHTTP1Settings(http1Settings *egv1a1.HTTP1Settings, httpIR *ir.HTTP
 	return nil
 }
 
+func translateHTTP2Settings(http2Settings *egv1a1.HTTP2Settings, httpIR *ir.HTTPListener) error {
+	if http2Settings == nil {
+		return nil
+	}
+
+	var (
+		http2 = &ir.HTTP2Settings{}
+		errs  error
+	)
+
+	if http2Settings.InitialStreamWindowSize != nil {
+		initialStreamWindowSize, ok := http2Settings.InitialStreamWindowSize.AsInt64()
+		switch {
+		case !ok:
+			errs = errors.Join(errs, fmt.Errorf("invalid InitialStreamWindowSize value %s", http2Settings.InitialStreamWindowSize.String()))
+		case initialStreamWindowSize < MinHTTP2InitialStreamWindowSize || initialStreamWindowSize > MaxHTTP2InitialStreamWindowSize:
+			errs = errors.Join(errs, fmt.Errorf("InitialStreamWindowSize value %s is out of range, must be between %d and %d",
+				http2Settings.InitialStreamWindowSize.String(),
+				MinHTTP2InitialStreamWindowSize,
+				MaxHTTP2InitialStreamWindowSize))
+		default:
+			http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize))
+		}
+	}
+
+	if http2Settings.InitialConnectionWindowSize != nil {
+		initialConnectionWindowSize, ok := http2Settings.InitialConnectionWindowSize.AsInt64()
+		switch {
+		case !ok:
+			errs = errors.Join(errs, fmt.Errorf("invalid InitialConnectionWindowSize value %s", http2Settings.InitialConnectionWindowSize.String()))
+		case initialConnectionWindowSize < MinHTTP2InitialConnectionWindowSize || initialConnectionWindowSize > MaxHTTP2InitialConnectionWindowSize:
+			errs = errors.Join(errs, fmt.Errorf("InitialConnectionWindowSize value %s is out of range, must be between %d and %d",
+				http2Settings.InitialConnectionWindowSize.String(),
+				MinHTTP2InitialConnectionWindowSize,
+				MaxHTTP2InitialConnectionWindowSize))
+		default:
+			http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize))
+		}
+	}
+
+	http2.MaxConcurrentStreams = http2Settings.MaxConcurrentStreams
+
+	httpIR.HTTP2 = http2
+	return errs
+}
+
 func (t *Translator) translateListenerTLSParameters(policy *egv1a1.ClientTrafficPolicy,
 	httpIR *ir.HTTPListener, resources *Resources) error {
 	// Return if this listener isn't a TLS listener. There has to be
@@ -711,7 +766,8 @@ func translateListenerConnection(connection *egv1a1.Connection, httpIR *ir.HTTPL
 			return fmt.Errorf("invalid BufferLimit value %s", connection.BufferLimit.String())
 		}
 		if bufferLimit < 0 || bufferLimit > math.MaxUint32 {
-			return fmt.Errorf("BufferLimit value %s is out of range", connection.BufferLimit.String())
+			return fmt.Errorf("BufferLimit value %s is out of range, must be between 0 and %d",
+				connection.BufferLimit.String(), math.MaxUint32)
 		}
 		irConnection.BufferLimitBytes = ptr.To(uint32(bufferLimit))
 	}

internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml

@@ -24,7 +24,7 @@ clientTrafficPolicies:
         sectionName: http-1
       conditions:
       - lastTransitionTime: null
-        message: BufferLimit value 100G is out of range
+        message: BufferLimit value 100G is out of range, must be between 0 and 4294967295
         reason: Invalid
         status: "False"
         type: Accepted

internal/gatewayapi/testdata/clienttrafficpolicy-http2.in.yaml

@@ -0,0 +1,55 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: ClientTrafficPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: target-gateway-1-section-http-1
+  spec:
+    http2:
+      initialStreamWindowSize: 64Ki
+      initialConnectionWindowSize: 32Mi
+      maxConcurrentStreams: 200
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+      sectionName: http-1
+      namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: ClientTrafficPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: target-gateway-1-section-http-2
+  spec:
+    http2:
+      initialStreamWindowSize: 1Ki
+      initialConnectionWindowSize: 1Ti
+      maxConcurrentStreams: 200
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+      sectionName: http-2
+      namespace: envoy-gateway
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http-1
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: http-2
+      protocol: HTTP
+      hostname: www.example.com
+      port: 8080
+      allowedRoutes:
+        namespaces:
+          from: Same