Merge branch 'envoyproxy:main' into lb-source-ranges

api/v1alpha1/accesslogging_types.go

@@ -60,6 +60,10 @@ type ProxyAccessLogFormat struct {
 type ProxyAccessLogSinkType string
 
 const (
+	// ProxyAccessLogSinkTypeALS defines the gRPC Access Log Service (ALS) sink.
+	// The service must implement the Envoy gRPC Access Log Service streaming API:
+	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto
+	ProxyAccessLogSinkTypeALS ProxyAccessLogSinkType = "ALS"
 	// ProxyAccessLogSinkTypeFile defines the file accesslog sink.
 	ProxyAccessLogSinkTypeFile ProxyAccessLogSinkType = "File"
 	// ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
@@ -71,13 +75,17 @@ const (
 // ProxyAccessLogSink defines the sink of accesslog.
 // +union
 //
+// +kubebuilder:validation:XValidation:rule="self.type == 'ALS' ? has(self.als) : !has(self.als)",message="If AccessLogSink type is ALS, als field needs to be set."
 // +kubebuilder:validation:XValidation:rule="self.type == 'File' ? has(self.file) : !has(self.file)",message="If AccessLogSink type is File, file field needs to be set."
 // +kubebuilder:validation:XValidation:rule="self.type == 'OpenTelemetry' ? has(self.openTelemetry) : !has(self.openTelemetry)",message="If AccessLogSink type is OpenTelemetry, openTelemetry field needs to be set."
 type ProxyAccessLogSink struct {
 	// Type defines the type of accesslog sink.
-	// +kubebuilder:validation:Enum=File;OpenTelemetry
+	// +kubebuilder:validation:Enum=ALS;File;OpenTelemetry
 	// +unionDiscriminator
 	Type ProxyAccessLogSinkType `json:"type,omitempty"`
+	// ALS defines the gRPC Access Log Service (ALS) sink.
+	// +optional
+	ALS *ALSEnvoyProxyAccessLog `json:"als,omitempty"`
 	// File defines the file accesslog sink.
 	// +optional
 	File *FileEnvoyProxyAccessLog `json:"file,omitempty"`
@@ -86,6 +94,59 @@ type ProxyAccessLogSink struct {
 	OpenTelemetry *OpenTelemetryEnvoyProxyAccessLog `json:"openTelemetry,omitempty"`
 }
 
+type ALSEnvoyProxyAccessLogType string
+
+const (
+	// ALSEnvoyProxyAccessLogTypeHTTP defines the HTTP access log type and will populate StreamAccessLogsMessage.http_logs.
+	ALSEnvoyProxyAccessLogTypeHTTP ALSEnvoyProxyAccessLogType = "HTTP"
+	// ALSEnvoyProxyAccessLogTypeTCP defines the TCP access log type and will populate StreamAccessLogsMessage.tcp_logs.
+	ALSEnvoyProxyAccessLogTypeTCP ALSEnvoyProxyAccessLogType = "TCP"
+)
+
+// ALSEnvoyProxyAccessLog defines the gRPC Access Log Service (ALS) sink.
+// The service must implement the Envoy gRPC Access Log Service streaming API:
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto
+// Access log format information is passed in the form of gRPC metadata when the
+// stream is established. Specifically, the following metadata is passed:
+//
+// - `x-accesslog-text` - The access log format string when a Text format is used.
+// - `x-accesslog-attr` - JSON encoded key/value pairs when a JSON format is used.
+//
+// +kubebuilder:validation:XValidation:rule="self.type == 'HTTP' || !has(self.http)",message="The http field may only be set when type is HTTP."
+type ALSEnvoyProxyAccessLog struct {
+	// BackendRefs references a Kubernetes object that represents the gRPC service to which
+	// the access logs will be sent. Currently only Service is supported.
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=1
+	// +kubebuilder:validation:XValidation:message="BackendRefs only supports Service kind.",rule="self.all(f, f.kind == 'Service')"
+	BackendRefs []BackendRef `json:"backendRefs"`
+	// LogName defines the friendly name of the access log to be returned in
+	// StreamAccessLogsMessage.Identifier. This allows the access log server
+	// to differentiate between different access logs coming from the same Envoy.
+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	LogName *string `json:"logName,omitempty"`
+	// Type defines the type of accesslog. Supported types are "HTTP" and "TCP".
+	// +kubebuilder:validation:Enum=HTTP;TCP
+	Type ALSEnvoyProxyAccessLogType `json:"type"`
+	// HTTP defines additional configuration specific to HTTP access logs.
+	// +optional
+	HTTP *ALSEnvoyProxyHTTPAccessLogConfig `json:"http,omitempty"`
+}
+
+type ALSEnvoyProxyHTTPAccessLogConfig struct {
+	// RequestHeaders defines request headers to include in log entries sent to the access log service.
+	// +optional
+	RequestHeaders []string `json:"requestHeaders,omitempty"`
+	// ResponseHeaders defines response headers to include in log entries sent to the access log service.
+	// +optional
+	ResponseHeaders []string `json:"responseHeaders,omitempty"`
+	// ResponseTrailers defines response trailers to include in log entries sent to the access log service.
+	// +optional
+	ResponseTrailers []string `json:"responseTrailers,omitempty"`
+}
+
 type FileEnvoyProxyAccessLog struct {
 	// Path defines the file path used to expose envoy access log(e.g. /dev/stdout).
 	// +kubebuilder:validation:MinLength=1

api/v1alpha1/ext_proc_types.go

@@ -14,8 +14,26 @@ import (
 //
 // ExtProc defines the configuration for External Processing filter.
 type ExtProc struct {
-	// Service defines the configuration of the external processing service
+	// BackendRef defines the configuration of the external processing service
 	BackendRef ExtProcBackendRef `json:"backendRef"`
+
+	// BackendRefs defines the configuration of the external processing service
+	//
+	// +optional
+	BackendRefs []BackendRef `json:"backendRefs,omitempty"`
+
+	// MessageTimeout is the timeout for a response to be returned from the external processor
+	// Default: 200ms
+	//
+	// +optional
+	MessageTimeout *gwapiv1.Duration `json:"messageTimeout,omitempty"`
+
+	// FailOpen defines if requests or responses that cannot be processed due to connectivity to the
+	// external processor are terminated or passed-through.
+	// Default: false
+	//
+	// +optional
+	FailOpen *bool `json:"failOpen,omitempty"`
 }
 
 // ExtProcService defines the gRPC External Processing service using the envoy grpc client

api/v1alpha1/wasm_types.go

@@ -83,7 +83,7 @@ type WasmCodeSource struct {
 }
 
 // WasmCodeSourceType specifies the types of sources for the wasm code.
-// +kubebuilder:validation:Enum=Global;Local
+// +kubebuilder:validation:Enum=HTTP;Image
 type WasmCodeSourceType string
 
 const (

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml

@@ -58,7 +58,7 @@ spec:
                     filter.
                   properties:
                     backendRef:
-                      description: Service defines the configuration of the external
+                      description: BackendRef defines the configuration of the external
                         processing service
                       properties:
                         group:
@@ -134,6 +134,99 @@ spec:
                       - message: Must have port for Service reference
                         rule: '(size(self.group) == 0 && self.kind == ''Service'')
                           ? has(self.port) : true'
+                    backendRefs:
+                      description: BackendRefs defines the configuration of the external
+                        processing service
+                      items:
+                        description: BackendRef defines how an ObjectReference that
+                          is specific to BackendRef.
+                        properties:
+                          group:
+                            default: ""
+                            description: |-
+                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                              When unspecified or empty string, core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Service
+                            description: |-
+                              Kind is the Kubernetes resource kind of the referent. For example
+                              "Service".
+
+
+                              Defaults to "Service" when not specified.
+
+
+                              ExternalName services can refer to CNAME DNS records that may live
+                              outside of the cluster and as such are difficult to reason about in
+                              terms of conformance. They also may not be safe to forward to (see
+                              CVE-2021-25740 for more information). Implementations SHOULD NOT
+                              support ExternalName Services.
+
+
+                              Support: Core (Services with a type other than ExternalName)
+
+
+                              Support: Implementation-specific (Services with type ExternalName)
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace is the namespace of the backend. When unspecified, the local
+                              namespace is inferred.
+
+
+                              Note that when a namespace different than the local namespace is specified,
+                              a ReferenceGrant object is required in the referent namespace to allow that
+                              namespace's owner to accept the reference. See the ReferenceGrant
+                              documentation for details.
+
+
+                              Support: Core
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                          port:
+                            description: |-
+                              Port specifies the destination port number to use for this resource.
+                              Port is required when the referent is a Kubernetes Service. In this
+                              case, the port number is the service port number, not the target port.
+                              For other resources, destination port might be derived from the referent
+                              resource or this field.
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                        x-kubernetes-validations:
+                        - message: Must have port for Service reference
+                          rule: '(size(self.group) == 0 && self.kind == ''Service'')
+                            ? has(self.port) : true'
+                      type: array
+                    failOpen:
+                      description: |-
+                        FailOpen defines if requests or responses that cannot be processed due to connectivity to the
+                        external processor are terminated or passed-through.
+                        Default: false
+                      type: boolean
+                    messageTimeout:
+                      description: |-
+                        MessageTimeout is the timeout for a response to be returned from the external processor
+                        Default: 200ms
+                      pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+                      type: string
                   required:
                   - backendRef
                   type: object
@@ -304,8 +397,8 @@ spec:
                         type:
                           allOf:
                           - enum:
-                            - Global
-                            - Local
+                            - HTTP
+                            - Image
                           - enum:
                             - HTTP
                             - Image