Merge branch 'main' into telemetry-backend
zirain committed May 21, 2024
2 parents 00ce4f5 + 926d572 commit aa582af
Showing 170 changed files with 10,048 additions and 443 deletions.
2 changes: 0 additions & 2 deletions .github/dependabot.yml
Expand Up @@ -20,8 +20,6 @@ updates:
ignore:
# skip to update retest, because it won't work with the latest version
- dependency-name: "envoyproxy/toolshed/gh-actions/retest"
# skip until https://github.com/codecov/feedback/issues/112 is resolved
- dependency-name: "codecov/codecov-action"
- package-ecosystem: github-actions
directory: /tools/github-actions/setup-deps
schedule:
9 changes: 7 additions & 2 deletions .github/workflows/build_and_test.yaml
Expand Up @@ -44,6 +44,9 @@ jobs:

coverage-test:
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout
id-token: write # for fetching OIDC token
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: ./tools/github-actions/setup-deps
Expand All @@ -52,12 +55,14 @@ jobs:
- name: Run Coverage Tests
run: make go.test.coverage
- name: Upload coverage to Codecov
uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0 # v3.1.5
uses: codecov/codecov-action@6d798873df2b1b8e5846dba6fb86631229fbcb17 # v4.4.0
with:
fail_ci_if_error: false
fail_ci_if_error: true
files: ./coverage.xml
name: codecov-envoy-gateway
verbose: true
# TODO change to `use_oidc: true` once https://github.com/codecov/codecov-action/issues/1435 is resolved.
use_oidc: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) }}

build:
runs-on: ubuntu-latest
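Review bot: `fail_ci_if_error: true` is now unconditional while the new `use_oidc` expression on the following line only enables OIDC for pushes and same-repository pull requests, so on a fork pull request the upload runs without the OIDC identity and, if Codecov rejects it, fails the coverage job for the external contributor; no token input is visible in this hunk. If that is the intended policy a short comment saying so would help, otherwise the flag could reuse the same condition: `fail_ci_if_error: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) }}`. The job-level `permissions` block with `id-token: write` is scoped to the coverage-test job rather than the whole workflow, which is the right granularity for that grant. The `build` job and the remainder of the workflow continue outside the hunk.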
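--- a/.github/workflows/license-scan.yml
+++ b/.github/workflows/license-scan.yml
@@ -0,0 +1,27 @@
+name: License Scan
+
+on:
+pull_request:
+branches:
+- "main"
+push:
+branches:
+- "main"
+
+permissions:
+contents: read
+
+jobs:
+scan:
+runs-on: ubuntu-22.04
+steps:
+- name: Checkout code
+uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+- name: Run scanner
+uses: google/osv-scanner-action/osv-scanner-action@75532bf0bf75464b047d80414dbce04449498365 # v1.7.3
+with:
+scan-args: |-
+--skip-git
+--experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib
+./
+continue-on-error: true # TODO remove once all issues are resolved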
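Review bot: `continue-on-error: true` on the scanner step means a failing scan never changes the check status of the pull request, so any finding is only visible to someone who opens the job log, and the TODO on that line does not say which issues block removal or where they are tracked. Consider naming the tracking issue in the comment, `# TODO(<issue-ref>): remove once the findings listed there are resolved`, and adding a `schedule:` trigger next to `pull_request`/`push` so that dependencies that change licence or gain an advisory between commits are still re-scanned. Both actions are pinned to full commit SHAs with version comments and `permissions` is limited to `contents: read`, which is the appropriate scope for a read-only scan.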
2 changes: 1 addition & 1 deletion .github/workflows/trivy.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # v0.20.0
with:
image-ref: envoy-proxy/gateway-dev:${{ github.sha }}
exit-code: '1'
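--- a/api/v1alpha1/backend_types.go
+++ b/api/v1alpha1/backend_types.go
@@ -0,0 +1,193 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+// KindBackend is the name of the Backend kind.
+KindBackend = "Backend"
+)
+
+// AppProtocolType defines various backend applications protocols supported by Envoy Gateway
+//
+// +kubebuilder:validation:Enum=gateway.envoyproxy.io/h2c;gateway.envoyproxy.io/ws;gateway.envoyproxy.io/wss
+// +notImplementedHide
+type AppProtocolType string
+
+const (
+// AppProtocolTypeH2C defines the HTTP/2 application protocol.
+AppProtocolTypeH2C AppProtocolType = "gateway.envoyproxy.io/h2c"
+// AppProtocolTypeWS defines the WebSocket over HTTP protocol.
+AppProtocolTypeWS AppProtocolType = "gateway.envoyproxy.io/ws"
+// AppProtocolTypeWSS defines the WebSocket over HTTPS protocol.
+AppProtocolTypeWSS AppProtocolType = "gateway.envoyproxy.io/wss"
+)
+
+// Backend allows the user to configure the endpoints of a backend and
+// the behavior of the connection from Envoy Proxy to the backend.
+//
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=envoy-gateway,shortName=be
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].reason`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +notImplementedHide
+type Backend struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ObjectMeta `json:"metadata,omitempty"`
+
+// Spec defines the desired state of Backend.
+Spec BackendSpec `json:"spec"`
+
+// Status defines the current status of Backend.
+Status BackendStatus `json:"status,omitempty"`
+}
+
+// BackendEndpoint describes a backend endpoint, which can be either a fully-qualified domain name, IPv4 address or unix domain socket
+// corresponding to Envoy's Address: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-address
+//
+// +kubebuilder:validation:XValidation:rule="(has(self.fqdn) || has(self.ipv4) || has(self.unix))",message="one of fqdn, ipv4 or unix must be specified"
+// +kubebuilder:validation:XValidation:rule="((has(self.fqdn) && !(has(self.ipv4) || has(self.unix))) || (has(self.ipv4) && !(has(self.fqdn) || has(self.unix))) || (has(self.unix) && !(has(self.ipv4) || has(self.fqdn))))",message="only one of fqdn, ipv4 or unix can be specified"
+// +notImplementedHide
+type BackendEndpoint struct {
+// FQDN defines a FQDN endpoint
+//
+// +optional
+FQDN *FQDNEndpoint `json:"fqdn,omitempty"`
+
+// IPv4 defines an IPv4 endpoint
+//
+// +optional
+IPv4 *IPv4Endpoint `json:"ipv4,omitempty"`
+
+// Unix defines the unix domain socket endpoint
+//
+// +optional
+Unix *UnixSocket `json:"unix,omitempty"`
+}
+
+// IPv4Endpoint describes TCP/UDP socket address, corresponding to Envoy's Socket Address
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-socketaddress
+//
+// +notImplementedHide
+type IPv4Endpoint struct {
+// Address defines the IPv4 address of the backend endpoint.
+//
+// +kubebuilder:validation:MinLength=7
+// +kubebuilder:validation:MaxLength=15
+// +kubebuilder:validation:Pattern=`^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$`
+Address string `json:"address"`
+
+// Port defines the port of the backend endpoint.
+//
+// +kubebuilder:validation:Minimum=0
+// +kubebuilder:validation:Maximum=65535
+Port int32 `json:"port"`
+}
+
+// FQDNEndpoint describes TCP/UDP socket address, corresponding to Envoy's Socket Address
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-socketaddress
+//
+// +notImplementedHide
+type FQDNEndpoint struct {
+// Hostname defines the FQDN hostname of the backend endpoint.
+//
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=253
+// +kubebuilder:validation:Pattern=`^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
+Hostname string `json:"hostname"`
+
+// Port defines the port of the backend endpoint.
+//
+// +kubebuilder:validation:Minimum=0
+// +kubebuilder:validation:Maximum=65535
+Port int32 `json:"port"`
+}
+
+// UnixSocket describes TCP/UDP unix domain socket address, corresponding to Envoy's Pipe
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-pipe
+//
+// +notImplementedHide
+type UnixSocket struct {
+// Path defines the unix domain socket path of the backend endpoint.
+Path string `json:"path"`
+}
+
+// BackendSpec describes the desired state of BackendSpec.
+//
+// +notImplementedHide
+type BackendSpec struct {
+// Endpoints defines the endpoints to be used when connecting to the backend.
+//
+// +kubebuilder:validation:MinItems=1
+// +kubebuilder:validation:MaxItems=4
+// +kubebuilder:validation:XValidation:rule="self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn))",message="fqdn addresses cannot be mixed with other address types"
+Endpoints []BackendEndpoint `json:"endpoints,omitempty"`
+
+// AppProtocols defines the application protocols to be supported when connecting to the backend.
+//
+// +optional
+AppProtocols []AppProtocolType `json:"appProtocols,omitempty"`
+}
+
+// BackendConditionType is a type of condition for a backend. This type should be
+// used with a Backend resource Status.Conditions field.
+type BackendConditionType string
+
+// BackendConditionReason is a reason for a backend condition.
+type BackendConditionReason string
+
+const (
+// BackendConditionAccepted indicates whether the backend has been accepted or
+// rejected by a targeted resource, and why.
+//
+// Possible reasons for this condition to be True are:
+//
+// * "Accepted"
+//
+// Possible reasons for this condition to be False are:
+//
+// * "Invalid"
+//
+BackendConditionAccepted BackendConditionType = "Accepted"
+
+// BackendReasonAccepted is used with the "Accepted" condition when the backend
+// has been accepted by the targeted resource.
+BackendReasonAccepted BackendConditionReason = "Accepted"
+
+// BackendReasonInvalid is used with the "Accepted" condition when the backend
+// is syntactically or semantically invalid.
+BackendReasonInvalid BackendConditionReason = "Invalid"
+)
+
+// BackendStatus defines the state of Backend
+// +notImplementedHide
+type BackendStatus struct {
+// Conditions describe the current conditions of the Backend.
+//
+// +optional
+// +listType=map
+// +listMapKey=type
+// +kubebuilder:validation:MaxItems=8
+Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// BackendList contains a list of Backend resources.
+//
+// +kubebuilder:object:root=true
+// +notImplementedHide
+type BackendList struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ListMeta `json:"metadata,omitempty"`
+Items []Backend `json:"items"`
+}
+
+func init() {
+SchemeBuilder.Register(&Backend{}, &BackendList{})
+}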
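Review bot: the `Hostname` pattern on FQDNEndpoint accepts a leading `*.` wildcard, but a backend endpoint is an address Envoy resolves and connects to, so a wildcard can never be a valid destination and should be rejected at admission rather than later in translation; dropping the optional group gives the marker `+kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$` (with the marker's own backtick quoting kept). Likewise both `Port` fields use `Minimum=0`, which admits port 0 as a connect target, and `UnixSocket.Path` carries no validation at all, so an empty path passes the CRD schema; `// +kubebuilder:validation:Minimum=1` on the ports and `// +kubebuilder:validation:MinLength=1` on the path would close those gaps at the API boundary. The doc comment on BackendSpec reads "desired state of BackendSpec" where "Backend" is meant, and UnixSocket is described as a "TCP/UDP unix domain socket address", which is contradictory for a pipe.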
65 changes: 65 additions & 0 deletions api/v1alpha1/clienttrafficpolicy_types.go
Expand Up @@ -104,10 +104,22 @@ type HeaderSettings struct {
// +optional
EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`

// Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
// When enabled, Hash and By is always set
// +optional
XForwardedClientCert *XForwardedClientCert `json:"xForwardedClientCert,omitempty"`

// WithUnderscoresAction configures the action to take when an HTTP header with underscores
// is encountered. The default action is to reject the request.
// +optional
WithUnderscoresAction *WithUnderscoresAction `json:"withUnderscoresAction,omitempty"`

// PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
// (Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
// It defaults to false.
//
// +optional
PreserveXRequestID *bool `json:"preserveXRequestID,omitempty"`
}

// WithUnderscoresAction configures the action to take when an HTTP header with underscores
Expand All @@ -127,6 +139,59 @@ const (
WithUnderscoresActionDropHeader WithUnderscoresAction = "DropHeader"
)

// Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
type XForwardedClientCert struct {
// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
// +optional
Mode *ForwardMode `json:"mode,omitempty"`

// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// +kubebuilder:validation:MaxItems=5
// +optional
CertDetailsToAdd []ClientCertData `json:"certDetailsToAdd,omitempty"`
}

// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
// +kubebuilder:validation:Enum=Sanitize;ForwardOnly;AppendForward;SanitizeSet;AlwaysForwardOnly
type ForwardMode string

const (
// Do not send the XFCC header to the next hop. This is the default value.
ForwardModeSanitize ForwardMode = "Sanitize"
// When the client connection is mTLS (Mutual TLS), forward the XFCC header
// in the request.
ForwardModeForwardOnly ForwardMode = "ForwardOnly"
// When the client connection is mTLS, append the client certificate
// information to the request’s XFCC header and forward it.
ForwardModeAppendForward ForwardMode = "AppendForward"
// When the client connection is mTLS, reset the XFCC header with the client
// certificate information and send it to the next hop.
ForwardModeSanitizeSet ForwardMode = "SanitizeSet"
// Always forward the XFCC header in the request, regardless of whether the
// client connection is mTLS.
ForwardModeAlwaysForwardOnly ForwardMode = "AlwaysForwardOnly"
)

// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// By default, x-forwarded-client-cert (XFCC) will always include By and Hash data
// +kubebuilder:validation:Enum=Subject;Cert;Chain;Dns;Uri
type ClientCertData string

const (
// Whether to forward the subject of the client cert.
ClientCertDataSubject ClientCertData = "Subject"
// Whether to forward the entire client cert in URL encoded PEM format.
// This will appear in the XFCC header comma separated from other values with the value Cert=”PEM”.
ClientCertDataCert ClientCertData = "Cert"
// Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format.
// This will appear in the XFCC header comma separated from other values with the value Chain=”PEM”.
ClientCertDataChain ClientCertData = "Chain"
// Whether to forward the DNS type Subject Alternative Names of the client cert.
ClientCertDataDNS ClientCertData = "Dns"
// Whether to forward the URI type Subject Alternative Name of the client cert.
ClientCertDataURI ClientCertData = "Uri"
)

// ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
//
// +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"
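Review bot: the comments on the ForwardMode constants never say what happens to an XFCC header that arrives from the downstream client, yet that is the property an upstream operator needs to know: by the constants' own descriptions only `Sanitize` and `SanitizeSet` discard the inbound value, `ForwardOnly` and `AppendForward` pass it on (the latter after appending) when the connection is mTLS, and `AlwaysForwardOnly` passes it on even without mTLS. A line on the ForwardMode type such as `// Modes other than Sanitize and SanitizeSet pass the client-supplied XFCC value through, so upstreams should only rely on its contents when the downstream client is trusted.` would make that explicit at the point where users choose a mode. As a point of style, the doc comments on `XForwardedClientCert`, `ForwardMode` and `ClientCertData` do not begin with the type name as Go doc convention expects, e.g. `// XForwardedClientCert configures how Envoy Proxy handles the x-forwarded-client-cert (XFCC) HTTP header.`, and the `ClientCertData` constants are described as questions ("Whether to forward ...") rather than as values. The HeaderSettings struct in the first hunk begins before the hunk.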
3 changes: 3 additions & 0 deletions api/v1alpha1/envoygateway_types.go
Expand Up @@ -166,6 +166,9 @@ type ExtensionAPISettings struct {
// EnableEnvoyPatchPolicy enables Envoy Gateway to
// reconcile and implement the EnvoyPatchPolicy resources.
EnableEnvoyPatchPolicy bool `json:"enableEnvoyPatchPolicy"`
// EnableBackend enables Envoy Gateway to
// reconcile and implement the Backend resources.
EnableBackend bool `json:"enableBackend"`
}

// EnvoyGatewayProvider defines the desired configuration of a provider.
17 changes: 17 additions & 0 deletions api/v1alpha1/envoyproxy_helpers.go
Expand Up @@ -57,6 +57,23 @@ func DefaultEnvoyProxyHpaMetrics() []autoscalingv2.MetricSpec {
}
}

// NeedToSwitchPorts returns true if the EnvoyProxy needs to switch ports.
func (e *EnvoyProxy) NeedToSwitchPorts() bool {
if e.Spec.Provider == nil {
return true
}

if e.Spec.Provider.Kubernetes == nil {
return true
}

if e.Spec.Provider.Kubernetes.UseListenerPortAsContainerPort == nil {
return true
}

return !*e.Spec.Provider.Kubernetes.UseListenerPortAsContainerPort
}

// GetEnvoyProxyKubeProvider returns the EnvoyProxyKubernetesProvider of EnvoyProxyProvider or
// a default EnvoyProxyKubernetesProvider if unspecified. If EnvoyProxyProvider is not of
// type "Kubernetes", a nil EnvoyProxyKubernetesProvider is returned.
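Review bot: the doc comment on `NeedToSwitchPorts` says only that it returns true when ports need switching, leaving the reader to work out from the three nil checks that switching is the default whenever the provider, its Kubernetes section or `UseListenerPortAsContainerPort` is unset; `// NeedToSwitchPorts reports whether privileged listener ports are remapped to unprivileged container ports; this is the default unless UseListenerPortAsContainerPort is explicitly true.` states the contract. A nil `*EnvoyProxy` receiver would panic on the first dereference; whether callers can pass one is not visible here. As a matter of style the three guards collapse to one: `if e.Spec.Provider == nil || e.Spec.Provider.Kubernetes == nil || e.Spec.Provider.Kubernetes.UseListenerPortAsContainerPort == nil { return true }`.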
7 changes: 7 additions & 0 deletions api/v1alpha1/envoyproxy_types.go
Expand Up @@ -264,6 +264,13 @@ type EnvoyProxyKubernetesProvider struct {
//
// +optional
EnvoyHpa *KubernetesHorizontalPodAutoscalerSpec `json:"envoyHpa,omitempty"`

// UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
// When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
// This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability.
//
// +optional
UseListenerPortAsContainerPort *bool `json:"useListenerPortAsContainerPort,omitempty"`
}

// ProxyLogging defines logging parameters for managed proxies.
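Review bot: the doc comment on `UseListenerPortAsContainerPort` explains the false/default behaviour (privileged service ports are shifted so the container needs no CAP_NET_BIND_SERVICE) but not the consequence of true: the container then binds the privileged port directly, so something else has to grant that ability, and nothing in this hunk does so. Add a line such as `// When set to true, the container binds the listener port as-is; binding a port below 1024 then requires the proxy container to be granted CAP_NET_BIND_SERVICE (or an equivalent host-level setting) outside this field.` so users do not enable it expecting it to work unprivileged. The EnvoyProxyKubernetesProvider struct begins before this hunk.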