Merge branch 'main' into als

.github/workflows/build_and_test.yaml

@@ -135,6 +135,29 @@ jobs:
         IMAGE_PULL_POLICY: IfNotPresent
       run: make e2e
 
+  benchmark-test:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+    - uses: ./tools/github-actions/setup-deps
+
+    # Benchmark
+    - name: Run Benchmark tests
+      env:
+        KIND_NODE_TAG: v1.28.9
+        IMAGE_PULL_POLICY: IfNotPresent
+        # Args for benchmark test
+        BENCHMARK_RPS: 10000
+        BENCHMARK_CONNECTIONS: 100
+        BENCHMARK_DURATION: 30
+        BENCHMARK_CPU_LIMITS: 1000
+        BENCHMARK_MEMORY_LIMITS: 2000
+      run: make benchmark
+
+    - name: Read Benchmark report
+      run: cat test/benchmark/benchmark_report.md
+
   publish:
     runs-on: ubuntu-latest
     needs: [conformance-test, e2e-test]

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251  # v3.25.10
+      uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c  # v3.25.11
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251  # v3.25.10
+      uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c  # v3.25.11
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251  # v3.25.10
+      uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c  # v3.25.11
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/license-scan.yml

@@ -18,7 +18,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
     - name: Run scanner
-      uses: google/osv-scanner-action/osv-scanner-action@ba0b4d196d231340e0ae94ae00933c8be0984192  # v1.7.4
+      uses: google/osv-scanner-action/osv-scanner-action@3c399db9dd6dd8106a27d280d53c55077d3f7cea  # v1.8.1
       with:
         scan-args: |-
           --skip-git

.github/workflows/osv-scanner.yml

@@ -16,15 +16,15 @@ on:
 jobs:
   scan-scheduled:
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@ba0b4d196d231340e0ae94ae00933c8be0984192"  # v1.7.4
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@3c399db9dd6dd8106a27d280d53c55077d3f7cea"  # v1.8.1
     permissions:
       actions: read
       contents: read
       # Require writing security events to upload SARIF file to security tab
       security-events: write
   scan-pr:
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@ba0b4d196d231340e0ae94ae00933c8be0984192"  # v1.7.4
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@3c399db9dd6dd8106a27d280d53c55077d3f7cea"  # v1.8.1
     permissions:
       actions: read
       contents: read

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251  # v3.25.10
+      uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c  # v3.25.11
       with:
         sarif_file: results.sarif

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
-	github.com/docker/cli v26.1.3+incompatible
+	github.com/docker/cli v27.0.2+incompatible
 	github.com/dominikbraun/graph v0.23.0
 	github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d
 	github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7
@@ -23,12 +23,12 @@ require (
 	github.com/golang/protobuf v1.5.4
 	github.com/google/cel-go v0.20.1
 	github.com/google/go-cmp v0.6.0
-	github.com/google/go-containerregistry v0.19.1
+	github.com/google/go-containerregistry v0.19.2
 	github.com/grafana/tempo v1.5.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/miekg/dns v1.1.61
 	github.com/prometheus/client_golang v1.19.1
-	github.com/prometheus/common v0.54.0
+	github.com/prometheus/common v0.55.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
@@ -62,7 +62,7 @@ require (
 	sigs.k8s.io/yaml v1.4.0
 )
 
-require github.com/docker/docker v26.1.3+incompatible
+require github.com/docker/docker v27.0.3+incompatible
 
 require (
 	cel.dev/expr v0.15.0 // indirect

go.sum

@@ -150,13 +150,13 @@ github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aB
 github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v26.1.3+incompatible h1:bUpXT/N0kDE3VUHI2r5VMsYQgi38kYuoC0oL9yt3lqc=
-github.com/docker/cli v26.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.0.2+incompatible h1:IgWU3lWqAYNibtcxgl/PY4TB0eCmK1ZpNUZVJfenDQs=
+github.com/docker/cli v27.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v26.1.3+incompatible h1:lLCzRbrVZrljpVNobJu1J2FHk8V0s4BawoZippkc+xo=
-github.com/docker/docker v26.1.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE=
+github.com/docker/docker v27.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
 github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -335,8 +335,8 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.19.1 h1:yMQ62Al6/V0Z7CqIrrS1iYoA5/oQCm88DeNujc7C1KY=
-github.com/google/go-containerregistry v0.19.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKjHukIKDUmvsV6w=
+github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
@@ -574,8 +574,8 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.54.0 h1:ZlZy0BgJhTwVZUn7dLOkwCZHUkrAqd3WYtcFCWnM1D8=
-github.com/prometheus/common v0.54.0/go.mod h1:/TQgMJP5CuVYveyT7n/0Ix8yLNNXy9yRSkhnLTHPDIQ=
+github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
+github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=

internal/gatewayapi/envoyextensionpolicy.go

@@ -430,7 +430,7 @@ func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resource
 	}
 
 	for idx, ep := range policy.Spec.ExtProc {
-		name := irConfigNameForEEP(policy, idx)
+		name := irConfigNameForExtProc(policy, idx)
 		extProcIR, err := t.buildExtProc(name, utils.NamespacedName(policy), ep, idx, resources, envoyProxy)
 		if err != nil {
 			return nil, err
@@ -534,12 +534,11 @@ func (t *Translator) buildExtProc(
 	return extProcIR, err
 }
 
-func irConfigNameForEEP(policy *egv1a1.EnvoyExtensionPolicy, idx int) string {
+func irConfigNameForExtProc(policy *egv1a1.EnvoyExtensionPolicy, index int) string {
 	return fmt.Sprintf(
-		"%s/%s/%d",
-		strings.ToLower(egv1a1.KindEnvoyExtensionPolicy),
-		utils.NamespacedName(policy).String(),
-		idx)
+		"%s/extproc/%s",
+		irConfigName(policy),
+		strconv.Itoa(index))
 }
 
 func (t *Translator) buildWasms(

internal/gatewayapi/status/gateway.go

@@ -75,7 +75,7 @@ func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Ser
 			}
 		}
 
-		var gwAddresses []gwapiv1.GatewayStatusAddress
+		gwAddresses := make([]gwapiv1.GatewayStatusAddress, 0, len(addresses)+len(hostnames))
 		for i := range addresses {
 			addr := gwapiv1.GatewayStatusAddress{
 				Type:  ptr.To(gwapiv1.IPAddressType),

internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml

@@ -230,7 +230,7 @@ xdsIR:
             settings:
             - protocol: GRPC
               weight: 1
-          name: envoyextensionpolicy/default/policy-for-route-1/0
+          name: envoyextensionpolicy/default/policy-for-route-1/extproc/0
         hostname: gateway.envoyproxy.io
         isHTTP2: false
         name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
@@ -254,7 +254,7 @@ xdsIR:
             settings:
             - protocol: GRPC
               weight: 1
-          name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0
+          name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/extproc/0
         hostname: gateway.envoyproxy.io
         isHTTP2: false
         name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml

@@ -315,7 +315,7 @@ xdsIR:
                   name: policy-btls-grpc-2/default-ca
                 sni: grpc-backend-2
               weight: 1
-          name: envoyextensionpolicy/default/policy-for-http-route/0
+          name: envoyextensionpolicy/default/policy-for-http-route/extproc/0
           requestHeaderProcessing: true
           responseHeaderProcessing: true
         hostname: www.foo.com
@@ -349,7 +349,7 @@ xdsIR:
               weight: 1
           failOpen: true
           messageTimeout: 5s
-          name: envoyextensionpolicy/default/policy-for-gateway/0
+          name: envoyextensionpolicy/default/policy-for-gateway/extproc/0
           requestBodyProcessingMode: Buffered
           requestHeaderProcessing: true
           responseBodyProcessingMode: Streamed

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml

@@ -335,7 +335,7 @@ xdsIR:
                   name: policy-btls-backend-ip/envoy-gateway-ca
                 sni: ip-backend
               weight: 1
-          name: envoyextensionpolicy/default/policy-for-http-route/0
+          name: envoyextensionpolicy/default/policy-for-http-route/extproc/0
         hostname: www.foo.com
         isHTTP2: false
         name: httproute/default/httproute-1/rule/0/match/0/www_foo_com

internal/gatewayapi/testdata/envoyproxy-accesslog-cel-with-invalid.in.yaml

@@ -10,7 +10,7 @@ envoyProxyForGatewayClass:
         settings:
         - matches:
           - "response.code >= 400"
-          - ")++++" # invalid CEL expression will be ignored
+          - ")++++"
           format:
             type: Text
             text: |

internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml

@@ -19,7 +19,7 @@ http:
               protocol: HTTP
               weight: 1
         extProc:
-          - name: envoyextensionpolicy/default/policy-for-route-2/0
+          - name: envoyextensionpolicy/default/policy-for-route-2/extproc/0
             failOpen: true
             messageTimeout: 5s
             requestHeaderProcessing: true
@@ -31,7 +31,7 @@ http:
               settings:
                 - protocol: GRPC
                   weight: 1
-          - name: envoyextensionpolicy/default/policy-for-route-1/0
+          - name: envoyextensionpolicy/default/policy-for-route-1/extproc/0
             failOpen: true
             messageTimeout: 5s
             responseHeaderProcessing: true
@@ -59,14 +59,14 @@ http:
               protocol: HTTP
               weight: 1
         extProc:
-          - name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0
+          - name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/extproc/0
             authority: grpc-backend-3.envoy-gateway:3000
             destination:
               name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0/grpc-backend-3
               settings:
                 - protocol: GRPC
                   weight: 1
-          - name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0
+          - name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/extproc/0
             failOpen: false
             messageTimeout: 15s
             authority: grpc-backend.envoy-gateway:9000

internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml

@@ -15,7 +15,7 @@
           maxConcurrentStreams: 100
         httpFilters:
         - disabled: true
-          name: envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-route-2/0
+          name: envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-route-2/extproc/0
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
             failureModeAllow: true
@@ -33,7 +33,7 @@
               responseHeaderMode: SKIP
               responseTrailerMode: SKIP
         - disabled: true
-          name: envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-route-1/0
+          name: envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-route-1/extproc/0
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
             failureModeAllow: true
@@ -50,7 +50,7 @@
               responseHeaderMode: SEND
               responseTrailerMode: SKIP
         - disabled: true
-          name: envoy.filters.http.ext_proc/envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0
+          name: envoy.filters.http.ext_proc/envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/extproc/0
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
             grpcService:
@@ -64,7 +64,7 @@
               responseHeaderMode: SKIP
               responseTrailerMode: SKIP
         - disabled: true
-          name: envoy.filters.http.ext_proc/envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0
+          name: envoy.filters.http.ext_proc/envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/extproc/0
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
             grpcService:

internal/xds/translator/testdata/out/xds-ir/ext-proc.routes.yaml

@@ -13,10 +13,10 @@
         upgradeConfigs:
         - upgradeType: websocket
       typedPerFilterConfig:
-        envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-route-1/0:
+        envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-route-1/extproc/0:
           '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
           config: {}
-        envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-route-2/0:
+        envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-route-2/extproc/0:
           '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
           config: {}
     - match:
@@ -27,9 +27,9 @@
         upgradeConfigs:
         - upgradeType: websocket
       typedPerFilterConfig:
-        envoy.filters.http.ext_proc/envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0:
+        envoy.filters.http.ext_proc/envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/extproc/0:
           '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
           config: {}
-        envoy.filters.http.ext_proc/envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0:
+        envoy.filters.http.ext_proc/envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/extproc/0:
           '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
           config: {}