Merge branch 'main' into string-match

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
envoyproxy · Oct 29, 2023 · c63789e · c63789e
2 parents 2729c6f + d65ab59
commit c63789e
Show file tree

Hide file tree

Showing 18 changed files with 21 additions and 27 deletions.
diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go
@@ -37,7 +37,7 @@ type SecurityPolicy struct {
 // SecurityPolicySpec defines the desired state of SecurityPolicy.
 type SecurityPolicySpec struct {
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
-	// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'", message="this policy can only have a targetRef.kind of Gateway"
+	// +kubebuilder:validation:XValidation:rule="self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute']", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute"
 	// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
 	//
 	// TargetRef is the name of the Gateway resource this policy

diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -238,8 +238,8 @@ spec:
                 x-kubernetes-validations:
                 - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
                   rule: self.group == 'gateway.networking.k8s.io'
-                - message: this policy can only have a targetRef.kind of Gateway
-                  rule: self.kind == 'Gateway'
+                - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute
+                  rule: self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute']
                 - message: this policy does not yet support the sectionName field
                   rule: '!has(self.sectionName)'
             required:

diff --git a/examples/kubernetes/jwt/grpc-jwt.yaml b/examples/kubernetes/jwt/grpc-jwt.yaml
@@ -11,7 +11,7 @@ spec:
     providers:
     - name: example
       remoteJWKS:
-        uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+        uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: GRPCRoute

diff --git a/examples/kubernetes/jwt/jwt.yaml b/examples/kubernetes/jwt/jwt.yaml
@@ -11,7 +11,7 @@ spec:
     providers:
     - name: example
       remoteJWKS:
-        uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+        uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute

diff --git a/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml b/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml
@@ -83,7 +83,7 @@ spec:
     providers:
       - name: example
         remoteJWKS:
-          uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+          uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
@@ -397,7 +397,7 @@
                                       "httpUri": {
                                         "cluster": "raw_githubusercontent_com_443",
                                         "timeout": "5s",
-                                        "uri": "https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json"
+                                        "uri": "https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json"
                                       },
                                       "retryPolicy": {}
                                     }

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
@@ -238,7 +238,7 @@ xds:
                             httpUri:
                               cluster: raw_githubusercontent_com_443
                               timeout: 5s
-                              uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+                              uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
                             retryPolicy: {}
                       requirementMap:
                         httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com:

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml
@@ -54,7 +54,7 @@ xds:
                           httpUri:
                             cluster: raw_githubusercontent_com_443
                             timeout: 5s
-                            uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+                            uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
                           retryPolicy: {}
                     requirementMap:
                       httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com:

diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go
@@ -554,9 +554,6 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route
 					DirectResponse:        routeRoute.DirectResponse,
 					URLRewrite:            routeRoute.URLRewrite,
 					Mirrors:               routeRoute.Mirrors,
-					RateLimit:             routeRoute.RateLimit,
-					CORS:                  routeRoute.CORS,
-					JWT:                   routeRoute.JWT,
 					Timeout:               routeRoute.Timeout,
 					ExtensionRefs:         routeRoute.ExtensionRefs,
 				}

diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go
@@ -128,7 +128,7 @@ func (t *Translator) buildRateLimitFilter(irListener *ir.HTTPListener) *hcmv3.Ht
 // patchRouteWithRateLimit builds rate limit actions and appends to the route.
 func patchRouteWithRateLimit(xdsRouteAction *routev3.RouteAction, irRoute *ir.HTTPRoute) error { //nolint:unparam
 	// Return early if no rate limit config exists.
-	if irRoute.RateLimit == nil || irRoute.RateLimit.Global == nil {
+	if irRoute.RateLimit == nil || irRoute.RateLimit.Global == nil || xdsRouteAction == nil {
 		return nil
 	}
 

diff --git a/site/content/en/latest/contributions/RELEASING.md b/site/content/en/latest/contributions/RELEASING.md
@@ -44,7 +44,7 @@ export GITHUB_REMOTE=origin
     git push ${GITHUB_REMOTE} release/v${MAJOR_VERSION}.${MINOR_VERSION}
     ```
 
-7. Create a topic branch for updating the Envoy proxy image to the tag supported by the release. Reference [PR #958][]
+7. Create a topic branch for updating the Envoy proxy image and Envoy Ratelimit image to the tag supported by the release. Reference [PR #2098][]
    for additional details on updating the image tag.
 8. Sign, commit, and push your changes to your fork.
 9. Submit a [Pull Request][] to merge the changes into the `release/v${MAJOR_VERSION}.${MINOR_VERSION}` branch. Do not
@@ -247,6 +247,6 @@ It's important that the world knows about the release. Use the following steps t
 [release]: https://github.com/envoyproxy/gateway/releases
 [Generate]: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
 [PR #635]: https://github.com/envoyproxy/gateway/pull/635
-[PR #958]: https://github.com/envoyproxy/gateway/pull/958
+[PR #2098]: https://github.com/envoyproxy/gateway/pull/2098
 [PR #1002]: https://github.com/envoyproxy/gateway/pull/1002
 [VERSION]: https://github.com/envoyproxy/gateway/blob/main/VERSION
diff --git a/site/content/en/latest/design/rate-limit.md b/site/content/en/latest/design/rate-limit.md
@@ -232,7 +232,7 @@ spec:
     providers:
       - name: example
         remoteJWKS:
-          uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+          uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
         claimToHeaders:
       - claim: name
         header: custom-request-header

diff --git a/site/content/en/latest/design/security-policy.md b/site/content/en/latest/design/security-policy.md
@@ -73,7 +73,7 @@ spec:
     providers:
     - name: example
       remoteJWKS:
-        uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+        uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
   targetRef:
     group: gateway.networking.k8s.io
     kind: Gateway

diff --git a/site/content/en/latest/user/rate-limit.md b/site/content/en/latest/user/rate-limit.md
@@ -607,7 +607,7 @@ spec:
   jwtProviders:
   - name: example
     remoteJWKS:
-      uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+      uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
     claimToHeaders:
     - claim: name
       header: x-claim-name

diff --git a/site/content/en/v0.5.0/design/rate-limit.md b/site/content/en/v0.5.0/design/rate-limit.md
@@ -228,7 +228,7 @@ spec:
   jwtProviders:
   - name: example
     remoteJWKS:
-      uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+      uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
     claimToHeaders:
     - claim: name
       header: custom-request-header

diff --git a/site/content/en/v0.5.0/user/rate-limit.md b/site/content/en/v0.5.0/user/rate-limit.md
@@ -590,7 +590,7 @@ spec:
   jwtProviders:
   - name: example
     remoteJWKS:
-      uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+      uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
     claimToHeaders:
     - claim: name
       header: x-claim-name

diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
@@ -41,12 +41,9 @@ func TestE2E(t *testing.T) {
 		*flags.GatewayClassName, *flags.CleanupBaseResources, *flags.ShowDebug, *flags.SupportedFeatures, *flags.ExemptFeatures)
 
 	cSuite := suite.New(suite.Options{
-		Client:           client,
-		GatewayClassName: *flags.GatewayClassName,
-		Debug:            *flags.ShowDebug,
-		SkipTests: []string{
-			tests.RateLimitBasedJwtClaimsTest.ShortName,
-		},
+		Client:               client,
+		GatewayClassName:     *flags.GatewayClassName,
+		Debug:                *flags.ShowDebug,
 		CleanupBaseResources: *flags.CleanupBaseResources,
 		FS:                   &Manifests,
 	})

diff --git a/test/e2e/testdata/ratelimit-based-jwt-claims.yaml b/test/e2e/testdata/ratelimit-based-jwt-claims.yaml
@@ -13,7 +13,7 @@ spec:
     providers:
     - name: example
       remoteJWKS:
-        uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+        uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
       claimToHeaders:
       - claim: name
         header: x-claim-name