merge

Signed-off-by: Guy Daich <guy.daich@sap.com>

.github/workflows/build_and_test.yaml

@@ -52,7 +52,7 @@ jobs:
     - name: Run Coverage Tests
       run: make go.test.coverage
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d  # v3.1.4
+      uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0  # v3.1.5
       with:
         fail_ci_if_error: true
         files: ./coverage.xml
@@ -70,7 +70,7 @@ jobs:
       run: make build-multiarch PLATFORMS="linux_amd64 linux_arm64"
 
     - name: Upload EG Binaries
-      uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595  # v4.1.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
       with:
         name: envoy-gateway
         path: bin/
@@ -86,7 +86,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
-      uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935  # v4.1.1
+      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe  # v4.1.2
       with:
         name: envoy-gateway
         path: bin/
@@ -114,7 +114,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
-      uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935  # v4.1.1
+      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe  # v4.1.2
       with:
         name: envoy-gateway
         path: bin/
@@ -139,7 +139,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
-      uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935  # v4.1.1
+      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe  # v4.1.2
       with:
         name: envoy-gateway
         path: bin/

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118  # v3.23.0
+      uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118  # v3.23.0
+      uses: github/codeql-action/autobuild@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118  # v3.23.0
+      uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -50,7 +50,7 @@ jobs:
         extended: true
 
     - name: Setup Node
-      uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8  # v4.1.0
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8  # v4.1.0
       with:
         node-version: '18'
 
@@ -59,7 +59,7 @@ jobs:
 
     # Upload docs for GitHub Pages
     - name: Upload GitHub Pages artifact
-      uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8  # v3.0.0
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa  # v3.0.1
       with:
         # Path of the directory containing the static assets.
         path: site/public
@@ -86,4 +86,4 @@ jobs:
     steps:
     - name: Deploy to GitHub Pages
       id: deployment
-      uses: actions/deploy-pages@87c3283f01cd6fe19a0ab93a23b2f6fcba5a8e42  # v4.0.3
+      uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4  # v4.0.4

.github/workflows/experimental_conformance.yaml

@@ -32,7 +32,7 @@ jobs:
       run: make experimental-conformance
 
     - name: Upload Conformance Report
-      uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595  # v4.1.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
       with:
         name: conformance-report-k8s-${{ matrix.version }}
         path: ./test/conformance/conformance-report-k8s-${{ matrix.version }}.yaml

.github/workflows/scorecard.yml

@@ -33,13 +33,13 @@ jobs:
         publish_results: true
 
     - name: "Upload artifact"
-      uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595  # v4.1.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118  # v3.23.0
+      uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
       with:
         sarif_file: results.sarif

OWNERS

@@ -25,3 +25,5 @@ reviewers:
 - tanujd11
 - cnvergence
 - shawnh2
+- guydc
+- liorokman

api/v1alpha1/backendtrafficpolicy_types.go

@@ -91,6 +91,11 @@ type BackendTrafficPolicySpec struct {
 	//
 	// +optional
 	Timeout *Timeout `json:"timeout,omitempty"`
+
+	// The compression config for the http streams.
+	//
+	// +optional
+	Compression []*Compression `json:"compression,omitempty"`
 }
 
 // BackendTrafficPolicyStatus defines the state of BackendTrafficPolicy

api/v1alpha1/circuitbreaker_types.go

@@ -30,4 +30,12 @@ type CircuitBreaker struct {
 	// +kubebuilder:default=1024
 	// +optional
 	MaxParallelRequests *int64 `json:"maxParallelRequests,omitempty"`
+
+	// The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+	// Default: unlimited.
+	//
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=4294967295
+	// +optional
+	MaxRequestsPerConnection *int64 `json:"maxRequestsPerConnection,omitempty"`
 }

api/v1alpha1/clienttrafficpolicy_types.go

@@ -53,19 +53,17 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty"`
-	// SuppressEnvoyHeaders configures the Envoy Router filter to suppress the "x-envoy-'
-	// headers from both requests and responses.
-	// By default these headers are added to both requests and responses.
-	//
-	// +optional
-	SuppressEnvoyHeaders *bool `json:"suppressEnvoyHeaders,omitempty"`
 	// EnableProxyProtocol interprets the ProxyProtocol header and adds the
 	// Client Address into the X-Forwarded-For header.
 	// Note Proxy Protocol must be present when this field is set, else the connection
 	// is closed.
 	//
 	// +optional
 	EnableProxyProtocol *bool `json:"enableProxyProtocol,omitempty"`
+	// ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
+	//
+	// +optional
+	ClientIPDetection *ClientIPDetectionSettings `json:"clientIPDetection,omitempty"`
 	// HTTP3 provides HTTP/3 configuration on the listener.
 	//
 	// +optional
@@ -78,12 +76,105 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	Path *PathSettings `json:"path,omitempty"`
+	// HTTP1 provides HTTP/1 configuration on the listener.
+	//
+	// +optional
+	HTTP1 *HTTP1Settings `json:"http1,omitempty"`
+	// HeaderSettings provides configuration for header management.
+	//
+	// +optional
+	Headers *HeaderSettings `json:"headers,omitempty"`
+	// Timeout settings for the client connections.
+	//
+	// +optional
+	Timeout *ClientTimeout `json:"timeout,omitempty"`
+}
+
+// HeaderSettings providess configuration options for headers on the listener.
+type HeaderSettings struct {
+	// EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
+	// and responses.
+	// +optional
+	EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`
+}
+
+// ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
+//
+// +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"
+type ClientIPDetectionSettings struct {
+	// XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+	//
+	// +optional
+	XForwardedFor *XForwardedForSettings `json:"xForwardedFor,omitempty"`
+	// CustomHeader provides configuration for determining the client IP address for a request based on
+	// a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+	// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+	// for more details.
+	//
+	// +optional
+	CustomHeader *CustomHeaderExtensionSettings `json:"customHeader,omitempty"`
+}
+
+// XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+type XForwardedForSettings struct {
+	// NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
+	// headers to trust when determining the origin client's IP address.
+	// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
+	// for more details.
+	//
+	// +optional
+	NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"`
+}
+
+// CustomHeader provides configuration for determining the client IP address for a request based on
+// a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+// for more details.
+type CustomHeaderExtensionSettings struct {
+	// Name of the header containing the original downstream remote address, if present.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +kubebuilder:validation:Pattern="^[A-Za-z0-9-]+$"
+	//
+	Name string `json:"name"`
+	// FailClosed is a switch used to control the flow of traffic when client IP detection
+	// fails. If set to true, the listener will respond with 403 Forbidden when the client
+	// IP address cannot be determined.
+	//
+	// +optional
+	FailClosed *bool `json:"failClosed,omitempty"`
 }
 
 // HTTP3Settings provides HTTP/3 configuration on the listener.
 type HTTP3Settings struct {
 }
 
+// HTTP1Settings provides HTTP/1 configuration on the listener.
+type HTTP1Settings struct {
+	// EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy.
+	// +optional
+	EnableTrailers *bool `json:"enableTrailers,omitempty"`
+	// PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
+	// By default, Envoy will lowercase all the headers.
+	// +optional
+	PreserveHeaderCase *bool `json:"preserveHeaderCase,omitempty"`
+	// HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests.
+	// +optional
+	HTTP10 *HTTP10Settings `json:"http10,omitempty"`
+}
+
+// HTTP10Settings provides HTTP/1.0 configuration on the listener.
+type HTTP10Settings struct {
+	// UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
+	// then the hostname associated with the listener should be injected into the
+	// request.
+	// If this is not set and an HTTP/1.0 request arrives without a host, then
+	// it will be rejected.
+	// +optional
+	UseDefaultHost *bool `json:"useDefaultHost,omitempty"`
+}
+
 // ClientTrafficPolicyStatus defines the state of ClientTrafficPolicy
 type ClientTrafficPolicyStatus struct {
 	// Conditions describe the current conditions of the ClientTrafficPolicy.

api/v1alpha1/compression_types.go

@@ -0,0 +1,31 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+// CompressorType defines the types of compressor library supported by Envoy Gateway.
+//
+// +kubebuilder:validation:Enum=Gzip
+type CompressorType string
+
+// GzipCompressor defines the config for the Gzip compressor.
+// The default values can be found here:
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/compression/gzip/compressor/v3/gzip.proto#extension-envoy-compression-gzip-compressor
+type GzipCompressor struct {
+}
+
+// Compression defines the config of enabling compression.
+// This can help reduce the bandwidth at the expense of higher CPU.
+type Compression struct {
+	// CompressorType defines the compressor type to use for compression.
+	//
+	// +required
+	Type CompressorType `json:"type"`
+
+	// The configuration for GZIP compressor.
+	//
+	// +optional
+	Gzip *GzipCompressor `json:"gzip,omitempty"`
+}

api/v1alpha1/cors_types.go

@@ -8,19 +8,22 @@ package v1alpha1
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 // Origin is defined by the scheme (protocol), hostname (domain), and port of
-// the URL used to access it. The hostname can be “precise” which is just the
-// domain name or “wildcard” which is a domain name prefixed with a single
-// wildcard label such as “*.example.com”.
+// the URL used to access it. The hostname can be "precise" which is just the
+// domain name or "wildcard" which is a domain name prefixed with a single
+// wildcard label such as "*.example.com".
+// In addition to that a single wildcard (with or without scheme) can be
+// configured to match any origin.
 //
 // For example, the following are valid origins:
 // - https://foo.example.com
 // - https://*.example.com
 // - http://foo.example.com:8080
 // - http://*.example.com:8080
+// - https://*
 //
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=253
-// +kubebuilder:validation:Pattern=`^https?:\/\/(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(:[0-9]+)?$`
+// +kubebuilder:validation:Pattern=`^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$`
 type Origin string
 
 // CORS defines the configuration for Cross-Origin Resource Sharing (CORS).

api/v1alpha1/envoygateway_types.go

@@ -200,9 +200,9 @@ const (
 	// KubernetesWatchModeTypeNamespaces indicates that the namespace watch mode is used.
 	KubernetesWatchModeTypeNamespaces = "Namespaces"
 
-	// KubernetesWatchModeTypeNamespaceSelectors indicates that namespaceSelectors watch
+	// KubernetesWatchModeTypeNamespaceSelector indicates that namespaceSelector watch
 	// mode is used.
-	KubernetesWatchModeTypeNamespaceSelectors = "NamespaceSelectors"
+	KubernetesWatchModeTypeNamespaceSelector = "NamespaceSelector"
 )
 
 // KubernetesWatchModeType defines the type of KubernetesWatchMode
@@ -211,22 +211,21 @@ type KubernetesWatchModeType string
 // KubernetesWatchMode holds the configuration for which input resources to watch and reconcile.
 type KubernetesWatchMode struct {
 	// Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and
-	// KubernetesWatchModeTypeNamespaceSelectors are currently supported
+	// KubernetesWatchModeTypeNamespaceSelector are currently supported
 	// By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
 	// from all namespaces.
 	Type KubernetesWatchModeType `json:"type,omitempty"`
 
 	// Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
 	// resources such as Gateway, HTTPRoute and Service.
 	// Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
-	// GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelectors must be set.
+	// GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelector must be set.
 	Namespaces []string `json:"namespaces,omitempty"`
 
-	// NamespaceSelectors holds a list of labels that namespaces have to have in order to be watched.
-	// Note this doesn't set the informer to watch the namespaces with the given labels. Informer still
-	// watches all namespaces. But the events for objects whose namespace do not match given labels
-	// will be filtered out. Precisely one of Namespaces and NamespaceSelectors must be set.
-	NamespaceSelectors []string `json:"namespaceSelectors,omitempty"`
+	// NamespaceSelector holds the label selector used to dynamically select namespaces.
+	// Envoy Gateway will watch for namespaces matching the specified label selector.
+	// Precisely one of Namespaces and NamespaceSelector must be set.
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
 }
 
 // KubernetesDeployMode holds configuration for how to deploy managed resources such as the Envoy Proxy