Merge branch 'main' into btp-http2

envoyproxy · Jul 1, 2024 · dcde7e7 · dcde7e7
2 parents a81e434 + 828edfb
commit dcde7e7
Show file tree

Hide file tree

Showing 153 changed files with 9,590 additions and 617 deletions.
diff --git a/.github/workflows/benchmark.yaml b/.github/workflows/benchmark.yaml
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -135,6 +135,29 @@ jobs:
         IMAGE_PULL_POLICY: IfNotPresent
       run: make e2e
 
+  benchmark-test:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+    - uses: ./tools/github-actions/setup-deps
+
+    # Benchmark
+    - name: Run Benchmark tests
+      env:
+        KIND_NODE_TAG: v1.28.9
+        IMAGE_PULL_POLICY: IfNotPresent
+        # Args for benchmark test
+        BENCHMARK_RPS: 10000
+        BENCHMARK_CONNECTIONS: 100
+        BENCHMARK_DURATION: 30
+        BENCHMARK_CPU_LIMITS: 1000
+        BENCHMARK_MEMORY_LIMITS: 2000
+      run: make benchmark
+
+    - name: Read Benchmark report
+      run: cat test/benchmark/benchmark_report.md
+
   publish:
     runs-on: ubuntu-latest
     needs: [conformance-test, e2e-test]

diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
@@ -27,7 +27,8 @@ type Authorization struct {
 
 // AuthorizationRule defines a single authorization rule.
 type AuthorizationRule struct {
-	// Name is a user-friendly name for the rule. It's just for display purposes.
+	// Name is a user-friendly name for the rule.
+	// If not specified, Envoy Gateway will generate a unique name for the rule.n
 	// +optional
 	Name *string `json:"name,omitempty"`
 

diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go
@@ -10,31 +10,27 @@ import (
 	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 )
 
-// Wasm defines a wasm extension.
+// Wasm defines a Wasm extension.
 //
 // Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
 // v8 is used as the VM runtime for the Wasm extensions.
 type Wasm struct {
 	// Name is a unique name for this Wasm extension. It is used to identify the
 	// Wasm extension if multiple extensions are handled by the same vm_id and root_id.
 	// It's also used for logging/debugging.
-	Name string `json:"name"`
-
-	// VMID is an ID that will be used along with a hash of the wasm code to
-	// determine which VM will be used to load the Wasm extension. All extensions
-	// that have the same vm_id and code will use the same VM.
+	// If not specified, EG will generate a unique name for the Wasm extension.
 	//
-	// Note that sharing a VM between plugins can reduce memory utilization and
-	// make sharing of data easier, but it may have security implications.
-	// VMID *string `json:"vmID,omitempty"`
+	// +optional
+	Name *string `json:"name,omitempty"`
 
 	// RootID is a unique ID for a set of extensions in a VM which will share a
 	// RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
 	// If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).
-	// RootID must match the root_id parameter used to register the Context in the Wasm code.
+	//
+	// Note: RootID must match the root_id parameter used to register the Context in the Wasm code.
 	RootID *string `json:"rootID,omitempty"`
 
-	// Code is the wasm code for the extension.
+	// Code is the Wasm code for the extension.
 	Code WasmCodeSource `json:"code"`
 
 	// Config is the configuration for the Wasm extension.
@@ -58,73 +54,100 @@ type Wasm struct {
 	// Priority *uint32 `json:"priority,omitempty"`
 }
 
-// WasmCodeSource defines the source of the wasm code.
+// WasmCodeSource defines the source of the Wasm code.
+// +union
+//
+// +kubebuilder:validation:XValidation:rule="self.type == 'HTTP' ? has(self.http) : !has(self.http)",message="If type is HTTP, http field needs to be set."
+// +kubebuilder:validation:XValidation:rule="self.type == 'Image' ? has(self.image) : !has(self.image)",message="If type is Image, image field needs to be set."
 type WasmCodeSource struct {
-	// Type is the type of the source of the wasm code.
+	// Type is the type of the source of the Wasm code.
 	// Valid WasmCodeSourceType values are "HTTP" or "Image".
 	//
 	// +kubebuilder:validation:Enum=HTTP;Image;ConfigMap
 	// +unionDiscriminator
 	Type WasmCodeSourceType `json:"type"`
 
-	// HTTP is the HTTP URL containing the wasm code.
+	// HTTP is the HTTP URL containing the Wasm code.
 	//
 	// Note that the HTTP server must be accessible from the Envoy proxy.
 	// +optional
 	HTTP *HTTPWasmCodeSource `json:"http,omitempty"`
 
-	// Image is the OCI image containing the wasm code.
+	// Image is the OCI image containing the Wasm code.
 	//
 	// Note that the image must be accessible from the Envoy Gateway.
 	// +optional
 	Image *ImageWasmCodeSource `json:"image,omitempty"`
 
-	// SHA256 checksum that will be used to verify the wasm code.
+	// PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
+	// This field is only applicable when the SHA256 field is not set.
 	//
-	// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
-	SHA256 string `json:"sha256"`
+	// If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.
+	//
+	// Note: EG does not update the Wasm module every time an Envoy proxy requests
+	// the Wasm module even if the pull policy is set to Always.
+	// It only updates the Wasm module when the EnvoyExtension resource version changes.
+	// +optional
+	PullPolicy *ImagePullPolicy `json:"pullPolicy,omitempty"`
 }
 
-// WasmCodeSourceType specifies the types of sources for the wasm code.
+// WasmCodeSourceType specifies the types of sources for the Wasm code.
 // +kubebuilder:validation:Enum=HTTP;Image
 type WasmCodeSourceType string
 
 const (
-	// HTTPWasmCodeSourceType allows the user to specify the wasm code in an HTTP URL.
+	// HTTPWasmCodeSourceType allows the user to specify the Wasm code in an HTTP URL.
 	HTTPWasmCodeSourceType WasmCodeSourceType = "HTTP"
 
-	// ImageWasmCodeSourceType allows the user to specify the wasm code in an OCI image.
+	// ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
 	ImageWasmCodeSourceType WasmCodeSourceType = "Image"
 )
 
-// HTTPWasmCodeSource defines the HTTP URL containing the wasm code.
+// HTTPWasmCodeSource defines the HTTP URL containing the Wasm code.
 type HTTPWasmCodeSource struct {
-	// URL is the URL containing the wasm code.
+	// URL is the URL containing the Wasm code.
+	// +kubebuilder:validation:Pattern=`^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)*`
 	URL string `json:"url"`
+
+	// SHA256 checksum that will be used to verify the Wasm code.
+	//
+	// If not specified, Envoy Gateway will not verify the downloaded Wasm code.
+	// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
+	// +optional
+	SHA256 *string `json:"sha256"`
 }
 
-// ImageWasmCodeSource defines the OCI image containing the wasm code.
+// ImageWasmCodeSource defines the OCI image containing the Wasm code.
 type ImageWasmCodeSource struct {
 	// URL is the URL of the OCI image.
+	// URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`.
 	URL string `json:"url"`
 
-	// PullSecretRef is a reference to the secret containing the credentials to pull the image.
-	PullSecretRef gwapiv1b1.SecretObjectReference `json:"pullSecret"`
+	// SHA256 checksum that will be used to verify the OCI image.
+	//
+	// It must match the digest of the OCI image.
+	//
+	// If not specified, Envoy Gateway will not verify the downloaded OCI image.
+	// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
+	// +optional
+	SHA256 *string `json:"sha256"`
 
-	// PullPolicy is the policy to use when pulling the image.
-	// If not specified, the default policy is IfNotPresent for images whose tag is not latest,
-	// and Always for images whose tag is latest.
+	// PullSecretRef is a reference to the secret containing the credentials to pull the image.
+	// Only support Kubernetes Secret resource from the same namespace.
+	// +kubebuilder:validation:XValidation:message="only support Secret kind.",rule="self.kind == 'Secret'"
 	// +optional
-	// PullPolicy *PullPolicy `json:"pullPolicy,omitempty"`
+	PullSecretRef *gwapiv1b1.SecretObjectReference `json:"pullSecretRef,omitempty"`
 }
 
-// PullPolicy defines the policy to use when pulling an OIC image.
-/* type PullPolicy string
+// ImagePullPolicy defines the policy to use when pulling an OIC image.
+// +kubebuilder:validation:Enum=IfNotPresent;Always
+type ImagePullPolicy string
 
 const (
-	// PullPolicyIfNotPresent will only pull the image if it does not already exist.
-	PullPolicyIfNotPresent PullPolicy = "IfNotPresent"
+	// ImagePullPolicyIfNotPresent will only pull the image if it does not already exist in the EG cache.
+	ImagePullPolicyIfNotPresent ImagePullPolicy = "IfNotPresent"
 
-	// PullPolicyAlways will always pull the image.
-	PullPolicyAlways PullPolicy = "Always"
-)*/
+	// ImagePullPolicyAlways will pull the image when the EnvoyExtension resource version changes.
+	// Note: EG does not update the Wasm module every time an Envoy proxy requests the Wasm module.
+	ImagePullPolicyAlways ImagePullPolicy = "Always"
+)
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go