Merge branch 'main' into als

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,12 +1,18 @@
 **What type of PR is this?**
 <!--
 Your PR title should be descriptive, and generally start with type that contains a subsystem name with `()` if necessary 
-and summary followed by a colon. format `chore/docs/feat/fix/refactor/style/test: summary`.
+and summary followed by a colon. format `chore/docs/api/feat/fix/refactor/style/test: summary`.
 Examples:
 * "docs: fix grammar error"
 * "feat(translator): add new feature"
 * "fix: fix xx bug"
 * "chore: change ci & build tools etc"
+* "api: add xxx fields in ClientTrafficPolicy"
+-->
+
+<!--
+NOTE: If your PR contains any API changes (changes under `/api`), we recommend you to separate these API changes into
+a new PR, and we will review the API part first. It will save you lots of implementation time if the API get accepted.
 -->
 
 **What this PR does / why we need it**:

.github/workflows/benchmark.yaml

@@ -0,0 +1,56 @@
+name: Benchmarking Tests at Scale
+on:
+  pull_request:
+    branches:
+      - "main"
+      - "release/v*"
+  workflow_dispatch:
+    inputs:
+      rps:
+        description: "The target requests-per-second rate. Default: 10000"
+        default: '10000'
+        type: string
+        required: false
+      connections:
+        description: "The maximum allowed number of concurrent connections per event loop. HTTP/1 only. Default: 100."
+        default: '100'
+        type: string
+        required: false
+      duration:
+        description: "The number of seconds that the test should run. Default: 90."
+        default: '90'
+        type: string
+        required: false
+      cpu_limits:
+        description: "The CPU resource limits for the envoy gateway, in unit 'm'. Default: 1000."
+        default: '1000'
+        type: string
+        required: false
+      memory_limits:
+        description: "The memory resource limits for the envoy gateway, in unit 'Mi'. Default: 1024."
+        default: '1024'
+        type: string
+        required: false
+
+jobs:
+  benchmark-test:
+    name: Benchmark Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: ./tools/github-actions/setup-deps
+
+      - name: Run Benchmark tests
+        env:
+          KIND_NODE_TAG: v1.28.0
+          IMAGE_PULL_POLICY: IfNotPresent
+          BENCHMARK_RPS: ${{ github.event.inputs.rps || 10000 }}
+          BENCHMARK_CONNECTIONS: ${{ github.event.inputs.connections || 100 }}
+          BENCHMARK_DURATION: ${{ github.event.inputs.duration || 90 }}
+          BENCHMARK_CPU_LIMITS: ${{ github.event.inputs.cpu_limits || 1000 }}
+          BENCHMARK_MEMORY_LIMITS: ${{ github.event.inputs.memory_limits || 2048 }}
+        run: make benchmark
+
+      - name: Read Benchmark report
+        run: cat test/benchmark/benchmark_report.md

.github/workflows/latest_release.yaml

@@ -62,7 +62,7 @@ jobs:
         GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }}
 
     - name: Recreate the Latest Release and Tag
-      uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87  # v0.1.15
+      uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0  # v0.1.15
       with:
         draft: false
         prerelease: true

.github/workflows/release.yaml

@@ -40,7 +40,7 @@ jobs:
         run: IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push
 
       - name: Upload Release Manifests
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87  # v0.1.15
+        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0  # v0.1.15
         with:
           files: |
             release-artifacts/install.yaml

.github/workflows/trivy.yml

@@ -25,7 +25,7 @@ jobs:
         IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d  # v0.22.0
+      uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2  # v0.23.0
       with:
         image-ref: envoy-proxy/gateway-dev:${{ github.sha }}
         exit-code: '1'

api/v1alpha1/accesslogging_types.go

@@ -19,6 +19,11 @@ type ProxyAccessLog struct {
 type ProxyAccessLogSetting struct {
 	// Format defines the format of accesslog.
 	Format ProxyAccessLogFormat `json:"format"`
+	// Matches defines the match conditions for accesslog in CEL expression.
+	// An accesslog will be emitted only when one or more match conditions are evaluated to true.
+	// Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored.
+	// +notImplementedHide
+	Matches []string `json:"matches,omitempty"`
 	// Sinks defines the sinks of accesslog.
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=50

api/v1alpha1/authorization_types.go

@@ -27,7 +27,8 @@ type Authorization struct {
 
 // AuthorizationRule defines a single authorization rule.
 type AuthorizationRule struct {
-	// Name is a user-friendly name for the rule. It's just for display purposes.
+	// Name is a user-friendly name for the rule.
+	// If not specified, Envoy Gateway will generate a unique name for the rule.n
 	// +optional
 	Name *string `json:"name,omitempty"`
 

api/v1alpha1/backendtrafficpolicy_types.go

@@ -109,7 +109,7 @@ type BackendTrafficPolicySpec struct {
 	// Connection includes backend connection settings.
 	//
 	// +optional
-	Connection *BackendTrafficPolicyConnection `json:"connection,omitempty"`
+	Connection *BackendConnection `json:"connection,omitempty"`
 }
 
 // +kubebuilder:object:root=true

api/v1alpha1/clienttrafficpolicy_types.go

@@ -81,7 +81,7 @@ type ClientTrafficPolicySpec struct {
 	// Connection includes client connection settings.
 	//
 	// +optional
-	Connection *Connection `json:"connection,omitempty"`
+	Connection *ClientConnection `json:"connection,omitempty"`
 	// HTTP1 provides HTTP/1 configuration on the listener.
 	//
 	// +optional

api/v1alpha1/connection_types.go

@@ -10,8 +10,8 @@ import (
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
-// Connection allows users to configure connection-level settings
-type Connection struct {
+// ClientConnection allows users to configure connection-level settings of client
+type ClientConnection struct {
 	// ConnectionLimit defines limits related to connections
 	//
 	// +optional
@@ -26,6 +26,18 @@ type Connection struct {
 	BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"`
 }
 
+// BackendConnection allows users to configure connection-level settings of backend
+type BackendConnection struct {
+	// BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+	// If unspecified, an implementation defined default is applied (32768 bytes).
+	// For example, 20Mi, 1Gi, 256Ki etc.
+	// Note: that when the suffix is not provided, the value is interpreted as bytes.
+	//
+	// +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="BufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\""
+	// +optional
+	BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"`
+}
+
 type ConnectionLimit struct {
 	// Value of the maximum concurrent connections limit.
 	// When the limit is reached, incoming connections will be closed after the CloseDelay duration.

api/v1alpha1/tracing_types.go

@@ -18,23 +18,22 @@ type ProxyTracing struct {
 	// If provider is kubernetes, pod name and namespace are added by default.
 	CustomTags map[string]CustomTag `json:"customTags,omitempty"`
 	// Provider defines the tracing provider.
-	// Only OpenTelemetry is supported currently.
 	Provider TracingProvider `json:"provider"`
 }
 
 type TracingProviderType string
 
 const (
 	TracingProviderTypeOpenTelemetry TracingProviderType = "OpenTelemetry"
+	TracingProviderTypeZipkin        TracingProviderType = "Zipkin"
 )
 
 // TracingProvider defines the tracing provider configuration.
 //
 // +kubebuilder:validation:XValidation:message="host or backendRefs needs to be set",rule="has(self.host) || self.backendRefs.size() > 0"
 type TracingProvider struct {
 	// Type defines the tracing provider type.
-	// EG currently only supports OpenTelemetry.
-	// +kubebuilder:validation:Enum=OpenTelemetry
+	// +kubebuilder:validation:Enum=OpenTelemetry;Zipkin
 	// +kubebuilder:default=OpenTelemetry
 	Type TracingProviderType `json:"type"`
 	// Host define the provider service hostname.
@@ -58,6 +57,9 @@ type TracingProvider struct {
 	// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')"
 	// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')"
 	BackendRefs []BackendRef `json:"backendRefs,omitempty"`
+	// Zipkin defines the Zipkin tracing provider configuration
+	// +optional
+	Zipkin *ZipkinTracingProvider `json:"zipkin,omitempty"`
 }
 
 type CustomTagType string
@@ -114,3 +116,16 @@ type RequestHeaderCustomTag struct {
 	// +optional
 	DefaultValue *string `json:"defaultValue,omitempty"`
 }
+
+// ZipkinTracingProvider defines the Zipkin tracing provider configuration.
+type ZipkinTracingProvider struct {
+	// Enable128BitTraceID determines whether a 128bit trace id will be used
+	// when creating a new trace instance. If set to false, a 64bit trace
+	// id will be used.
+	// +optional
+	Enable128BitTraceID *bool `json:"enable128BitTraceId,omitempty"`
+	// DisableSharedSpanContext determines whether the default Envoy behaviour of
+	// client and server spans sharing the same span context should be disabled.
+	// +optional
+	DisableSharedSpanContext *bool `json:"disableSharedSpanContext,omitempty"`
+}

api/v1alpha1/wasm_types.go

@@ -10,31 +10,27 @@ import (
 	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 )
 
-// Wasm defines a wasm extension.
+// Wasm defines a Wasm extension.
 //
 // Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
 // v8 is used as the VM runtime for the Wasm extensions.
 type Wasm struct {
 	// Name is a unique name for this Wasm extension. It is used to identify the
 	// Wasm extension if multiple extensions are handled by the same vm_id and root_id.
 	// It's also used for logging/debugging.
-	Name string `json:"name"`
-
-	// VMID is an ID that will be used along with a hash of the wasm code to
-	// determine which VM will be used to load the Wasm extension. All extensions
-	// that have the same vm_id and code will use the same VM.
+	// If not specified, EG will generate a unique name for the Wasm extension.
 	//
-	// Note that sharing a VM between plugins can reduce memory utilization and
-	// make sharing of data easier, but it may have security implications.
-	// VMID *string `json:"vmID,omitempty"`
+	// +optional
+	Name *string `json:"name,omitempty"`
 
 	// RootID is a unique ID for a set of extensions in a VM which will share a
 	// RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
 	// If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).
-	// RootID must match the root_id parameter used to register the Context in the Wasm code.
+	//
+	// Note: RootID must match the root_id parameter used to register the Context in the Wasm code.
 	RootID *string `json:"rootID,omitempty"`
 
-	// Code is the wasm code for the extension.
+	// Code is the Wasm code for the extension.
 	Code WasmCodeSource `json:"code"`
 
 	// Config is the configuration for the Wasm extension.
@@ -58,73 +54,100 @@ type Wasm struct {
 	// Priority *uint32 `json:"priority,omitempty"`
 }
 
-// WasmCodeSource defines the source of the wasm code.
+// WasmCodeSource defines the source of the Wasm code.
+// +union
+//
+// +kubebuilder:validation:XValidation:rule="self.type == 'HTTP' ? has(self.http) : !has(self.http)",message="If type is HTTP, http field needs to be set."
+// +kubebuilder:validation:XValidation:rule="self.type == 'Image' ? has(self.image) : !has(self.image)",message="If type is Image, image field needs to be set."
 type WasmCodeSource struct {
-	// Type is the type of the source of the wasm code.
+	// Type is the type of the source of the Wasm code.
 	// Valid WasmCodeSourceType values are "HTTP" or "Image".
 	//
 	// +kubebuilder:validation:Enum=HTTP;Image;ConfigMap
 	// +unionDiscriminator
 	Type WasmCodeSourceType `json:"type"`
 
-	// HTTP is the HTTP URL containing the wasm code.
+	// HTTP is the HTTP URL containing the Wasm code.
 	//
 	// Note that the HTTP server must be accessible from the Envoy proxy.
 	// +optional
 	HTTP *HTTPWasmCodeSource `json:"http,omitempty"`
 
-	// Image is the OCI image containing the wasm code.
+	// Image is the OCI image containing the Wasm code.
 	//
 	// Note that the image must be accessible from the Envoy Gateway.
 	// +optional
 	Image *ImageWasmCodeSource `json:"image,omitempty"`
 
-	// SHA256 checksum that will be used to verify the wasm code.
+	// PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
+	// This field is only applicable when the SHA256 field is not set.
 	//
-	// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
-	SHA256 string `json:"sha256"`
+	// If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.
+	//
+	// Note: EG does not update the Wasm module every time an Envoy proxy requests
+	// the Wasm module even if the pull policy is set to Always.
+	// It only updates the Wasm module when the EnvoyExtension resource version changes.
+	// +optional
+	PullPolicy *ImagePullPolicy `json:"pullPolicy,omitempty"`
 }
 
-// WasmCodeSourceType specifies the types of sources for the wasm code.
+// WasmCodeSourceType specifies the types of sources for the Wasm code.
 // +kubebuilder:validation:Enum=HTTP;Image
 type WasmCodeSourceType string
 
 const (
-	// HTTPWasmCodeSourceType allows the user to specify the wasm code in an HTTP URL.
+	// HTTPWasmCodeSourceType allows the user to specify the Wasm code in an HTTP URL.
 	HTTPWasmCodeSourceType WasmCodeSourceType = "HTTP"
 
-	// ImageWasmCodeSourceType allows the user to specify the wasm code in an OCI image.
+	// ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
 	ImageWasmCodeSourceType WasmCodeSourceType = "Image"
 )
 
-// HTTPWasmCodeSource defines the HTTP URL containing the wasm code.
+// HTTPWasmCodeSource defines the HTTP URL containing the Wasm code.
 type HTTPWasmCodeSource struct {
-	// URL is the URL containing the wasm code.
+	// URL is the URL containing the Wasm code.
+	// +kubebuilder:validation:Pattern=`^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)*`
 	URL string `json:"url"`
+
+	// SHA256 checksum that will be used to verify the Wasm code.
+	//
+	// If not specified, Envoy Gateway will not verify the downloaded Wasm code.
+	// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
+	// +optional
+	SHA256 *string `json:"sha256"`
 }
 
-// ImageWasmCodeSource defines the OCI image containing the wasm code.
+// ImageWasmCodeSource defines the OCI image containing the Wasm code.
 type ImageWasmCodeSource struct {
 	// URL is the URL of the OCI image.
+	// URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`.
 	URL string `json:"url"`
 
-	// PullSecretRef is a reference to the secret containing the credentials to pull the image.
-	PullSecretRef gwapiv1b1.SecretObjectReference `json:"pullSecret"`
+	// SHA256 checksum that will be used to verify the OCI image.
+	//
+	// It must match the digest of the OCI image.
+	//
+	// If not specified, Envoy Gateway will not verify the downloaded OCI image.
+	// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
+	// +optional
+	SHA256 *string `json:"sha256"`
 
-	// PullPolicy is the policy to use when pulling the image.
-	// If not specified, the default policy is IfNotPresent for images whose tag is not latest,
-	// and Always for images whose tag is latest.
+	// PullSecretRef is a reference to the secret containing the credentials to pull the image.
+	// Only support Kubernetes Secret resource from the same namespace.
+	// +kubebuilder:validation:XValidation:message="only support Secret kind.",rule="self.kind == 'Secret'"
 	// +optional
-	// PullPolicy *PullPolicy `json:"pullPolicy,omitempty"`
+	PullSecretRef *gwapiv1b1.SecretObjectReference `json:"pullSecretRef,omitempty"`
 }
 
-// PullPolicy defines the policy to use when pulling an OIC image.
-/* type PullPolicy string
+// ImagePullPolicy defines the policy to use when pulling an OIC image.
+// +kubebuilder:validation:Enum=IfNotPresent;Always
+type ImagePullPolicy string
 
 const (
-	// PullPolicyIfNotPresent will only pull the image if it does not already exist.
-	PullPolicyIfNotPresent PullPolicy = "IfNotPresent"
+	// ImagePullPolicyIfNotPresent will only pull the image if it does not already exist in the EG cache.
+	ImagePullPolicyIfNotPresent ImagePullPolicy = "IfNotPresent"
 
-	// PullPolicyAlways will always pull the image.
-	PullPolicyAlways PullPolicy = "Always"
-)*/
+	// ImagePullPolicyAlways will pull the image when the EnvoyExtension resource version changes.
+	// Note: EG does not update the Wasm module every time an Envoy proxy requests the Wasm module.
+	ImagePullPolicyAlways ImagePullPolicy = "Always"
+)