diff --git a/OWNERS b/OWNERS index ee82b470344a..c079d03b8824 100644 --- a/OWNERS +++ b/OWNERS @@ -11,9 +11,9 @@ maintainers: - AliceProxy - arkodg -- skriss - Xunzhuo - zirain +- qicz reviewers: diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 430cca41f06a..bf4de7a3873f 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -14,7 +14,7 @@ deployment: kubeRbacProxy: image: repository: gcr.io/kubebuilder/kube-rbac-proxy - tag: v0.11.0 + tag: v0.14.1 resources: limits: cpu: 500m diff --git a/docs/latest/design/roadmap.md b/docs/latest/design/roadmap.md index 65f88de12149..7304335d9aa5 100644 --- a/docs/latest/design/roadmap.md +++ b/docs/latest/design/roadmap.md @@ -49,12 +49,14 @@ contributing to the project. ### [v0.5.0][v0.5.0]: Observability and Scale -- Observability for control plane and data plane [Issue #701][701]. -- Compute and document Envoy Gateway performance [Issue #1365][1365]. +- Observability for data plane [Issue #699][699]. - Allow users to configure xDS Resources [Issue #24][24]. ### [v0.6.0][v0.6.0]: Preparation for GA +- Observability for control plane [Issue #700][700]. +- Compute and document Envoy Gateway performance [Issue #1365][1365]. +- Add TrafficPolicy APIs for advanced features [Issue #1492][1492]. - Envoy Gateway meets readiness criteria [Issue #1160][1160]. [issue]: https://github.com/envoyproxy/gateway/issues 
@@ -82,7 +84,9 @@ contributing to the project. [643]: https://github.com/envoyproxy/gateway/issues/643 [670]: https://github.com/envoyproxy/gateway/issues/670 [675]: https://github.com/envoyproxy/gateway/issues/675 -[701]: https://github.com/envoyproxy/gateway/issues/701 +[699]: https://github.com/envoyproxy/gateway/issues/699 +[700]: https://github.com/envoyproxy/gateway/issues/700 [707]: https://github.com/envoyproxy/gateway/issues/707 [1160]: https://github.com/envoyproxy/gateway/issues/1160 [1365]: https://github.com/envoyproxy/gateway/issues/1365 +[1492]: https://github.com/envoyproxy/gateway/issues/1492 diff --git a/docs/latest/dev/CODEOWNERS.md b/docs/latest/dev/CODEOWNERS.md index d4229b6b23f2..7168ff935d2b 100644 --- a/docs/latest/dev/CODEOWNERS.md +++ b/docs/latest/dev/CODEOWNERS.md @@ -4,12 +4,13 @@ - @AliceProxy - @arkodg -- @skriss - @Xunzhuo -- @youngnick - @zirain +- @qicz ## Emeritus Maintainers - @danehans - @alexgervais +- @skriss +- @youngnick diff --git a/docs/v0.5.0/design/roadmap.md b/docs/v0.5.0/design/roadmap.md index 65f88de12149..7304335d9aa5 100644 --- a/docs/v0.5.0/design/roadmap.md +++ b/docs/v0.5.0/design/roadmap.md @@ -49,12 +49,14 @@ contributing to the project. ### [v0.5.0][v0.5.0]: Observability and Scale -- Observability for control plane and data plane [Issue #701][701]. -- Compute and document Envoy Gateway performance [Issue #1365][1365]. +- Observability for data plane [Issue #699][699]. - Allow users to configure xDS Resources [Issue #24][24]. ### [v0.6.0][v0.6.0]: Preparation for GA +- Observability for control plane [Issue #700][700]. +- Compute and document Envoy Gateway performance [Issue #1365][1365]. +- Add TrafficPolicy APIs for advanced features [Issue #1492][1492]. - Envoy Gateway meets readiness criteria [Issue #1160][1160]. [issue]: https://github.com/envoyproxy/gateway/issues 
@@ -82,7 +84,9 @@ contributing to the project. [643]: https://github.com/envoyproxy/gateway/issues/643 [670]: https://github.com/envoyproxy/gateway/issues/670 [675]: https://github.com/envoyproxy/gateway/issues/675 -[701]: https://github.com/envoyproxy/gateway/issues/701 +[699]: https://github.com/envoyproxy/gateway/issues/699 +[700]: https://github.com/envoyproxy/gateway/issues/700 [707]: https://github.com/envoyproxy/gateway/issues/707 [1160]: https://github.com/envoyproxy/gateway/issues/1160 [1365]: https://github.com/envoyproxy/gateway/issues/1365 +[1492]: https://github.com/envoyproxy/gateway/issues/1492 diff --git a/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.json index 013d4316996d..8c7aca80df8c 100644 --- a/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.json @@ -62,6 +62,12 @@ "clusters": [ { "connectTimeout": "10s", + "http2ProtocolOptions": { + "connectionKeepalive": { + "interval": "30s", + "timeout": "5s" + } + }, "loadAssignment": { "clusterName": "xds_cluster", "endpoints": [ diff --git a/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.yaml index 80d5cd100121..87128e8e1438 100644 --- a/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.yaml @@ -38,6 +38,10 @@ xds: staticResources: clusters: - connectTimeout: 10s + http2ProtocolOptions: + connectionKeepalive: + interval: 30s + timeout: 5s loadAssignment: clusterName: xds_cluster endpoints: 
diff --git a/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.bootstrap.yaml index fb207fdf33c2..f2ec77fd62db 100644 --- a/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.bootstrap.yaml +++ b/internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.bootstrap.yaml @@ -37,6 +37,10 @@ xds: staticResources: clusters: - connectTimeout: 10s + http2ProtocolOptions: + connectionKeepalive: + interval: 30s + timeout: 5s loadAssignment: clusterName: xds_cluster endpoints: diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index d9ca7953e489..f0b891b84f16 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -75,6 +75,10 @@ envoyProxy: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: @@ -460,6 +464,10 @@ xds: staticResources: clusters: - connectTimeout: 10s + http2ProtocolOptions: + connectionKeepalive: + interval: 30s + timeout: 5s loadAssignment: clusterName: xds_cluster endpoints: diff --git a/internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml b/internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml index 3c4158540e48..b4300bb7870d 100644 --- a/internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml @@ -38,6 +38,10 @@ xds: staticResources: clusters: - connectTimeout: 10s + http2ProtocolOptions: + connectionKeepalive: + interval: 30s + timeout: 5s loadAssignment: clusterName: xds_cluster endpoints: 
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 7cb80a5ab9cf..8584f869f2ff 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -62,6 +62,12 @@ "clusters": [ { "connectTimeout": "10s", + "http2ProtocolOptions": { + "connectionKeepalive": { + "interval": "30s", + "timeout": "5s" + } + }, "loadAssignment": { "clusterName": "xds_cluster", "endpoints": [ diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index d4d4ed9031cb..e135c2f665b5 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -38,6 +38,10 @@ xds: staticResources: clusters: - connectTimeout: 10s + http2ProtocolOptions: + connectionKeepalive: + interval: 30s + timeout: 5s loadAssignment: clusterName: xds_cluster endpoints: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml index 57e60fca3d66..40057eb38833 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml @@ -37,6 +37,10 @@ xds: staticResources: clusters: - connectTimeout: 10s + http2ProtocolOptions: + connectionKeepalive: + interval: 30s + timeout: 5s loadAssignment: clusterName: xds_cluster endpoints: 
diff --git a/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.json index 109313bcd8b9..1df596bad5d4 100644 --- a/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.json @@ -62,6 +62,12 @@ "clusters": [ { "connectTimeout": "10s", + "http2ProtocolOptions": { + "connectionKeepalive": { + "interval": "30s", + "timeout": "5s" + } + }, "loadAssignment": { "clusterName": "xds_cluster", "endpoints": [ diff --git a/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.yaml index e2b2e5a2a4af..0adc77802193 100644 --- a/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.yaml @@ -38,6 +38,10 @@ xds: staticResources: clusters: - connectTimeout: 10s + http2ProtocolOptions: + connectionKeepalive: + interval: 30s + timeout: 5s loadAssignment: clusterName: xds_cluster endpoints: diff --git a/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.bootstrap.yaml index fb207fdf33c2..f2ec77fd62db 100644 --- a/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.bootstrap.yaml +++ b/internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.bootstrap.yaml 
@@ -37,6 +37,10 @@ xds: staticResources: clusters: - connectTimeout: 10s + http2ProtocolOptions: + connectionKeepalive: + interval: 30s + timeout: 5s loadAssignment: clusterName: xds_cluster endpoints: diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 8fc96264b953..ee2e9dd3c47a 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -509,6 +509,24 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route } for _, routeRoute := range routeRoutes { + // If the redirect port is not set, the final redirect port must be derived. + if routeRoute.Redirect != nil && routeRoute.Redirect.Port == nil { + redirectPort := uint32(listener.Port) + // If redirect scheme is not-empty, the redirect post must be the + // well-known port associated with the redirect scheme. + if scheme := routeRoute.Redirect.Scheme; scheme != nil { + switch strings.ToLower(*scheme) { + case "http": + redirectPort = 80 + case "https": + redirectPort = 443 + } + } + // If the redirect scheme does not have a well-known port, or + // if the redirect scheme is empty, the redirect port must be the Gateway Listener port. + routeRoute.Redirect.Port = &redirectPort + } + hostRoute := &ir.HTTPRoute{ Name: fmt.Sprintf("%s-%s", routeRoute.Name, host), PathMatch: routeRoute.PathMatch, diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml index 182c75a83070..72134353a50b 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml @@ -127,6 +127,6 @@ xdsIR: path: fullReplace: /redirected prefixMatchReplace: null - port: null + port: 443 scheme: https statusCode: 301 
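Review bot: The derived port is written back through `routeRoute.Redirect`, a pointer the loop does not own; if the same `routeRoutes` slice is handed to this function once per Listener of the Gateway (it arrives as a parameter, so that looks likely), the `Port == nil` guard is skipped on every pass after the first and all Listeners inherit the first Listener's port in the scheme-less case. Deriving into a copy avoids the stickiness: `rd := *routeRoute.Redirect; rd.Port = &redirectPort` and pass `&rd` to the `ir.HTTPRoute` built just below, rather than mutating the shared filter. The new comment also says `the redirect post must be` where `port` is meant. The enclosing function and the `hostRoute` construction continue outside the hunk.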
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml index be344d64268c..87d35c67f43f 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml @@ -123,6 +123,6 @@ xdsIR: redirect: hostname: redirected.com path: null - port: null + port: 443 scheme: https statusCode: 301 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/configmap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/configmap.yaml index bd3d48db8fec..536dec8b77c9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/configmap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/configmap.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system data: xds-certificate.json: '{"resources":[{"@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret","name":"xds_certificate","tls_certificate":{"certificate_chain":{"filename":"/certs/tls.crt"},"private_key":{"filename":"/certs/tls.key"}}}]}' diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index cc54211cc28f..daf13fca4974 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml 
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: replicas: 1 @@ -84,7 +84,7 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-default-64656661 + serviceAccountName: envoy-default-37a8eec1 terminationGracePeriodSeconds: 300 volumes: - name: certs @@ -98,7 +98,7 @@ spec: path: xds-trusted-ca.json - key: xds-certificate.json path: xds-certificate.json - name: envoy-default-64656661 + name: envoy-default-37a8eec1 optional: false name: sds revisionHistoryLimit: 10 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index 4837cd083715..1ab7054d173d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: replicas: 1 @@ -85,7 +85,7 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-default-64656661 + serviceAccountName: envoy-default-37a8eec1 terminationGracePeriodSeconds: 300 volumes: - name: certs @@ -99,7 +99,7 @@ spec: path: xds-trusted-ca.json - key: xds-certificate.json path: xds-certificate.json - name: envoy-default-64656661 + name: envoy-default-37a8eec1 optional: false name: sds revisionHistoryLimit: 10 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 66fbefdd763c..2cc872d01edc 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: replicas: 2 @@ -109,6 +109,10 @@ spec: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: @@ -190,7 +194,7 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-default-64656661 + serviceAccountName: envoy-default-37a8eec1 terminationGracePeriodSeconds: 300 securityContext: runAsUser: 1000 @@ -206,7 +210,7 @@ spec: path: xds-trusted-ca.json - key: xds-certificate.json path: xds-certificate.json - name: envoy-default-64656661 + name: envoy-default-37a8eec1 optional: false name: sds revisionHistoryLimit: 10 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index 2fa18c4b54ba..5ac058983adf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml 
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: replicas: 2 @@ -107,6 +107,10 @@ spec: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: @@ -188,7 +192,7 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-default-64656661 + serviceAccountName: envoy-default-37a8eec1 terminationGracePeriodSeconds: 300 securityContext: runAsUser: 1000 @@ -204,7 +208,7 @@ spec: path: xds-trusted-ca.json - key: xds-certificate.json path: xds-certificate.json - name: envoy-default-64656661 + name: envoy-default-37a8eec1 optional: false name: sds revisionHistoryLimit: 10 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 791bb3653792..8eecfc61decf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: replicas: 1 @@ -105,6 +105,10 @@ spec: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: 
@@ -181,7 +185,7 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-default-64656661 + serviceAccountName: envoy-default-37a8eec1 terminationGracePeriodSeconds: 300 volumes: - name: certs @@ -195,7 +199,7 @@ spec: path: xds-trusted-ca.json - key: xds-certificate.json path: xds-certificate.json - name: envoy-default-64656661 + name: envoy-default-37a8eec1 optional: false name: sds revisionHistoryLimit: 10 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/enable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/enable-prometheus.yaml index 8100d6f3dbe1..5537ca78f9cf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/enable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/enable-prometheus.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: replicas: 1 @@ -131,6 +131,10 @@ spec: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: @@ -210,7 +214,7 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-default-64656661 + serviceAccountName: envoy-default-37a8eec1 terminationGracePeriodSeconds: 300 volumes: - name: certs @@ -224,7 +228,7 @@ spec: path: xds-trusted-ca.json - key: xds-certificate.json path: xds-certificate.json - name: envoy-default-64656661 + name: envoy-default-37a8eec1 optional: false name: sds revisionHistoryLimit: 10 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 9ea8502fc4fd..4f21a3587e62 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: replicas: 2 @@ -107,6 +107,10 @@ spec: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: @@ -192,7 +196,7 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-default-64656661 + serviceAccountName: envoy-default-37a8eec1 terminationGracePeriodSeconds: 300 securityContext: runAsUser: 1000 @@ -208,7 +212,7 @@ spec: path: xds-trusted-ca.json - key: xds-certificate.json path: xds-certificate.json - name: envoy-default-64656661 + name: envoy-default-37a8eec1 optional: false name: sds revisionHistoryLimit: 10 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 56fdae986842..6035f63a71ac 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml 
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: replicas: 2 @@ -107,6 +107,10 @@ spec: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: @@ -192,7 +196,7 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-default-64656661 + serviceAccountName: envoy-default-37a8eec1 terminationGracePeriodSeconds: 300 securityContext: runAsUser: 1000 @@ -208,7 +212,7 @@ spec: path: xds-trusted-ca.json - key: xds-certificate.json path: xds-certificate.json - name: envoy-default-64656661 + name: envoy-default-37a8eec1 optional: false name: sds revisionHistoryLimit: 10 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index bcac83735aef..d644e17ca024 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: replicas: 1 @@ -85,7 +85,7 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-default-64656661 + serviceAccountName: envoy-default-37a8eec1 terminationGracePeriodSeconds: 300 volumes: - name: certs 
@@ -99,7 +99,7 @@ spec: path: xds-trusted-ca.json - key: xds-certificate.json path: xds-certificate.json - name: envoy-default-64656661 + name: envoy-default-37a8eec1 optional: false name: sds revisionHistoryLimit: 10 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount.yaml b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount.yaml index 617dc090f7f6..4e2731766af4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount.yaml @@ -7,5 +7,5 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system diff --git a/internal/infrastructure/kubernetes/proxy/testdata/services/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/services/custom.yaml index 334b6a0e46da..e898ccb1affa 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/services/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/services/custom.yaml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: ports: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/services/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/services/default.yaml index f780f0198e22..8b4bd40b87f4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/services/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/services/default.yaml 
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/managed-by: envoy-gateway gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - name: envoy-default-64656661 + name: envoy-default-37a8eec1 namespace: envoy-gateway-system spec: externalTrafficPolicy: Local diff --git a/internal/infrastructure/kubernetes/proxy_configmap_test.go b/internal/infrastructure/kubernetes/proxy_configmap_test.go index b1c4de739196..2d99048a6d58 100644 --- a/internal/infrastructure/kubernetes/proxy_configmap_test.go +++ b/internal/infrastructure/kubernetes/proxy_configmap_test.go @@ -43,7 +43,7 @@ func TestCreateOrUpdateProxyConfigMap(t *testing.T) { expect: &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Namespace: cfg.Namespace, - Name: "envoy-test-74657374", + Name: "envoy-test-9f86d081", Labels: map[string]string{ "app.kubernetes.io/name": "envoy", "app.kubernetes.io/component": "proxy", @@ -77,7 +77,7 @@ func TestCreateOrUpdateProxyConfigMap(t *testing.T) { expect: &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Namespace: cfg.Namespace, - Name: "envoy-test-74657374", + Name: "envoy-test-9f86d081", Labels: map[string]string{ "app.kubernetes.io/name": "envoy", "app.kubernetes.io/component": "proxy", diff --git a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go index 2b13e36276aa..dbba0492d43d 100644 --- a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go +++ b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go @@ -54,7 +54,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) { }, ObjectMeta: metav1.ObjectMeta{ Namespace: "test", - Name: "envoy-test-74657374", + Name: "envoy-test-9f86d081", Labels: map[string]string{ "app.kubernetes.io/name": "envoy", "app.kubernetes.io/component": "proxy", 
@@ -103,7 +103,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) { }, ObjectMeta: metav1.ObjectMeta{ Namespace: "test", - Name: "envoy-test-74657374", + Name: "envoy-test-9f86d081", Labels: map[string]string{ "app.kubernetes.io/name": "envoy", "app.kubernetes.io/component": "proxy", @@ -152,7 +152,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) { }, ObjectMeta: metav1.ObjectMeta{ Namespace: "test", - Name: "envoy-very-long-name-that-will-be-hashed-and-cut-off-b-76657279", + Name: "envoy-very-long-name-that-will-be-hashed-and-cut-off-b-5bacc75e", Labels: map[string]string{ "app.kubernetes.io/name": "envoy", "app.kubernetes.io/component": "proxy", diff --git a/internal/provider/kubernetes/helpers.go b/internal/provider/kubernetes/helpers.go index d96f17170c31..8912ccf637e5 100644 --- a/internal/provider/kubernetes/helpers.go +++ b/internal/provider/kubernetes/helpers.go @@ -197,12 +197,12 @@ func refsSecret(ref *gwapiv1b1.SecretObjectReference) bool { } func infraServiceName(gateway *gwapiv1b1.Gateway) string { - infraName := utils.GetHashedName(fmt.Sprintf("%s-%s", gateway.Namespace, gateway.Name)) + infraName := utils.GetHashedName(fmt.Sprintf("%s/%s", gateway.Namespace, gateway.Name)) return fmt.Sprintf("%s-%s", config.EnvoyPrefix, infraName) } func infraDeploymentName(gateway *gwapiv1b1.Gateway) string { - infraName := utils.GetHashedName(fmt.Sprintf("%s-%s", gateway.Namespace, gateway.Name)) + infraName := utils.GetHashedName(fmt.Sprintf("%s/%s", gateway.Namespace, gateway.Name)) return fmt.Sprintf("%s-%s", config.EnvoyPrefix, infraName) } diff --git a/internal/provider/utils/utils.go b/internal/provider/utils/utils.go index 2796434cfbba..984a4e90d01c 100644 --- a/internal/provider/utils/utils.go +++ b/internal/provider/utils/utils.go 
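Review bot: `infraServiceName` and `infraDeploymentName` now have byte-identical bodies, and the very fact that this commit had to flip the separator in two places (plus the proxy test fixtures elsewhere in the diff) shows the naming scheme is reproduced independently where the infra resources are created. A single `infraName(gateway *gwapiv1b1.Gateway) string` that both wrap, ideally exported from the package that creates the Deployment/Service so the provider cannot drift from it, would make the separator a single source of truth. If the two sides ever disagree, the provider silently looks up a Service that does not exist and the Gateway never gets an address, so a short comment stating that the `{ns}/{name}` input must match the infrastructure package's hashing input is worth adding here. Whether the infra side shares this helper today is not visible in the hunk.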
@@ -22,12 +22,13 @@ func NamespacedName(obj client.Object) types.NamespacedName { } } -// GetHashedName returns a partially hashed name for the string including up to 48 characters of the original name before the hash +// GetHashedName returns a partially hashed name for the string including up to 48 characters of the original name before the hash. +// Input `nsName` should be formatted as `{Namespace}/{ResourceName}`. func GetHashedName(nsName string) string { h := sha256.New() // Using sha256 instead of sha1 due to Blocklisted import crypto/sha1: weak cryptographic primitive (gosec) - hSum := h.Sum([]byte(nsName)) - hashedName := strings.ToLower(fmt.Sprintf("%x", hSum)) + h.Write([]byte(nsName)) + hashedName := strings.ToLower(fmt.Sprintf("%x", h.Sum(nil))) // replace `/` with `-` to create a valid K8s resource name resourceName := strings.ReplaceAll(nsName, "/", "-") diff --git a/internal/xds/bootstrap/bootstrap.yaml.tpl b/internal/xds/bootstrap/bootstrap.yaml.tpl index d29f939dc42f..b94a69cfac36 100644 --- a/internal/xds/bootstrap/bootstrap.yaml.tpl +++ b/internal/xds/bootstrap/bootstrap.yaml.tpl @@ -125,6 +125,10 @@ static_resources: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: diff --git a/internal/xds/bootstrap/testdata/default.yaml b/internal/xds/bootstrap/testdata/default.yaml index 48c5b1cbdde8..9f78d3881f96 100644 --- a/internal/xds/bootstrap/testdata/default.yaml +++ b/internal/xds/bootstrap/testdata/default.yaml @@ -68,6 +68,10 @@ static_resources: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: 
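Review bot: `%x` on a `[]byte` already produces lowercase hex, so the `strings.ToLower` wrapper on the new `hashedName` line is a no-op; `hashedName := hex.EncodeToString(h.Sum(nil))`, or `fmt.Sprintf("%x", sha256.Sum256([]byte(nsName)))` with `h` dropped entirely, says the same thing directly. The fixture names elsewhere in this diff (`envoy-default-37a8eec1`) indicate the digest is truncated to 8 hex characters below the hunk, i.e. 32 bits, so a doc sentence such as `The 8-character suffix only disambiguates names that share the same 48-character prefix; it is not a collision-resistant identifier.` would stop a reader from treating the suffix as an isolation boundary between Gateways. The function body continues past the hunk.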
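Review bot: The new `connection_keepalive` block on `xds_cluster` gives no reason for `interval: 30s`, yet that value is bounded from below by the control plane's gRPC `keepalive.EnforcementPolicy.MinTime` (15s in this same change): an Envoy pinging faster than that is answered with GOAWAY ENHANCE_YOUR_CALM and loses its xDS stream. A template comment next to the block, `# interval must stay >= the xDS server's keepalive MinTime (15s); faster pings are rejected with GOAWAY`, would keep the two settings from drifting apart, which matters if this template is also the base users start from when customizing the bootstrap.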
diff --git a/internal/xds/bootstrap/testdata/enable-prometheus.yaml b/internal/xds/bootstrap/testdata/enable-prometheus.yaml index 457f116c715b..260bf9107d86 100644 --- a/internal/xds/bootstrap/testdata/enable-prometheus.yaml +++ b/internal/xds/bootstrap/testdata/enable-prometheus.yaml @@ -90,6 +90,10 @@ static_resources: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: diff --git a/internal/xds/bootstrap/testdata/otel-metrics.yaml b/internal/xds/bootstrap/testdata/otel-metrics.yaml index 5a07f9030ea8..e99a7e3ca285 100644 --- a/internal/xds/bootstrap/testdata/otel-metrics.yaml +++ b/internal/xds/bootstrap/testdata/otel-metrics.yaml @@ -93,6 +93,10 @@ static_resources: http2_protocol_options: {} name: xds_cluster type: STRICT_DNS + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s transport_socket: name: envoy.transport_sockets.tls typed_config: diff --git a/internal/xds/server/runner/runner.go b/internal/xds/server/runner/runner.go index e76224a739c9..ee285c133f22 100644 --- a/internal/xds/server/runner/runner.go +++ b/internal/xds/server/runner/runner.go @@ -14,6 +14,9 @@ import ( "net" "os" "strconv" + "time" + + "google.golang.org/grpc/keepalive" clusterv3 "github.com/envoyproxy/go-control-plane/envoy/service/cluster/v3" discoveryv3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" 
@@ -75,7 +78,10 @@ func (r *Runner) Start(ctx context.Context) error { // Create SnapshotCache before start subscribeAndTranslate, // prevent panics in case cache is nil. cfg := r.tlsConfig(xdsTLSCertFilename, xdsTLSKeyFilename, xdsTLSCaFilename) - r.grpc = grpc.NewServer(grpc.Creds(credentials.NewTLS(cfg))) + r.grpc = grpc.NewServer(grpc.Creds(credentials.NewTLS(cfg)), grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{ + MinTime: 15 * time.Second, + PermitWithoutStream: true, + })) r.cache = cache.NewSnapshotCache(false, r.Logger) registerServer(serverv3.NewServer(ctx, r.cache, r.cache), r.grpc) diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go index 806a74be70a1..4e3b424f10d8 100644 --- a/test/conformance/conformance_test.go +++ b/test/conformance/conformance_test.go @@ -46,9 +46,6 @@ func TestGatewayAPIConformance(t *testing.T) { CleanupBaseResources: *flags.CleanupBaseResources, SupportedFeatures: suite.AllFeatures, ExemptFeatures: suite.MeshCoreFeatures, - SkipTests: []string{ - tests.HTTPRouteRedirectPortAndScheme.ShortName, - }, }) cSuite.Setup(t) cSuite.Run(t, tests.ConformanceTests)
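Review bot: The 15s `MinTime` in the new `KeepaliveEnforcementPolicy` is implicitly coupled to the 30s `connection_keepalive.interval` added to the Envoy bootstrap in this same commit, and nothing in the code records that: a client pinging faster than `MinTime` is sent GOAWAY with ENHANCE_YOUR_CALM, so a user-customized bootstrap with a shorter interval would be disconnected by the control plane. A comment on the `MinTime` line, `// Must stay below xds_cluster's connection_keepalive.interval in bootstrap.yaml.tpl (30s); faster pings get GOAWAY ENHANCE_YOUR_CALM.`, or a shared constant consumed by both the template and this policy, would make the constraint visible. Note also that an enforcement policy only constrains what the Envoy side may send; if the intent is for the server to detect dead Envoy connections and reclaim their streams, `grpc.KeepaliveParams(keepalive.ServerParameters{Time: ..., Timeout: ...})` is the server-side counterpart. `Start` continues outside the hunk.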