Merge branch 'trace-rl-new' into trace-rl

envoyproxy · Apr 1, 2024 · ed53e58 · ed53e58
2 parents 61e5039 + 7bed6fa
commit ed53e58
Show file tree

Hide file tree

Showing 231 changed files with 12,356 additions and 7,498 deletions.
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -20,7 +20,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
     # Generate the install manifests first so it can checked
     # for errors while running `make -k lint`
@@ -31,21 +31,21 @@ jobs:
   gen-check:
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
     - run: make -k gen-check
 
   license-check:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
     - run: make -k licensecheck
 
   coverage-test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
 
     # test
@@ -63,7 +63,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [lint, gen-check, license-check, coverage-test]
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
 
     - name: Build EG Multiarch Binaries
@@ -82,7 +82,7 @@ jobs:
       matrix:
         version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
@@ -110,7 +110,7 @@ jobs:
       matrix:
         version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
@@ -135,7 +135,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [conformance-test, e2e-test]
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
@@ -152,7 +152,7 @@ jobs:
     # build and push image
     - name: Login to DockerHub
       if: github.event_name == 'push'
-      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
+      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20  # v3.1.0
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PASSWORD }}

diff --git a/.github/workflows/cherrypick.yaml b/.github/workflows/cherrypick.yaml
@@ -6,7 +6,8 @@ on:
     types: ["closed"]
 
 permissions:
-  contents: read
+  pull-requests: write
+  contents: write
 
 jobs:
   cherry_pick_release_v1_0:
@@ -15,7 +16,7 @@ jobs:
     if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v1.0') && github.event.pull_request.merged == true }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
         with:
           fetch-depth: 0
       - name: Cherry pick into release/v1.0

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -32,18 +32,18 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571  # v3.24.6
+      uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2  # v3.24.9
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571  # v3.24.6
+      uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2  # v3.24.9
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571  # v3.24.6
+      uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2  # v3.24.9
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -6,12 +6,14 @@ on:
     - "release/v*"
     paths:
     - 'site/**'
+    - 'tools/make/docs.mk'
   pull_request:
     branches:
     - "main"
     - "release/v*"
     paths:
     - 'site/**'
+    - 'tools/make/docs.mk'
 
 permissions:
   contents: read
@@ -21,28 +23,38 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Check out code
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
       with:
         ref: ${{ github.event.pull_request.head.sha }}
 
+    - uses: ./tools/github-actions/setup-deps
+
     - name: Run markdown linter
       uses: nosborn/github-action-markdown-cli@9b5e871c11cc0649c5ac2526af22e23525fa344d  # v3.3.0
       with:
         files: site/content/*
         config_file: ".github/markdown_lint_config.json"
 
+    - name: Install linkinator
+      run: npm install -g linkinator
+
+    - name: Check links
+      run: make docs docs-check-links
+
   docs-build:
     runs-on: ubuntu-latest
     needs: docs-lint
     permissions:
       contents: write
     steps:
     - name: Git checkout
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
       with:
         submodules: true
         ref: ${{ github.event.pull_request.head.sha }}
 
+    - uses: ./tools/github-actions/setup-deps
+
     - name: Setup Hugo
       uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d  # v2.6.0
       with:
@@ -86,4 +98,4 @@ jobs:
     steps:
     - name: Deploy to GitHub Pages
       id: deployment
-      uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4  # v4.0.4
+      uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e  # v4.0.5
diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml
@@ -20,7 +20,7 @@ jobs:
       matrix:
         version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
 
     # gateway api experimental conformance

diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml
@@ -22,7 +22,7 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - uses: ./tools/github-actions/setup-deps
 
     - name: Generate Release Manifests

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,7 +15,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
 
       - name: Extract Release Tag and Commit SHA
         id: vars
@@ -25,7 +25,7 @@ jobs:
           echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
 
       - name: Login to DockerHub
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20  # v3.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -21,7 +21,7 @@ jobs:
 
     steps:
     - name: "Checkout code"
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
       with:
         persist-credentials: false
 
@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571  # v3.24.6
+      uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2  # v3.24.9
       with:
         sarif_file: results.sarif
diff --git a/ADOPTERS.md b/ADOPTERS.md
@@ -41,3 +41,13 @@ If you would like to be included in this table, please submit a PR to this file
 * Status: production
 * (Option) https://tetrate.io/wp-content/uploads/2023/03/tetrate-logo-dark.svg
 * (Option) Description:
+
+## Airspace Link
+* Organizatioin: Airspace Link
+* Website: https://airspacelink.com/
+* Category: End User
+* Environments: Azure
+* Use Cases:
+    - Airspace Link is using Envoy Gateway to route all public APIs to Kubernetes clusters, developers are manipulating routes descriptions using agnostic manifest files, which are then automatically provisioned using Envoy Gateway.
+* Status: production
+* Logo: https://airhub.airspacelink.com/images/asl-flat-logo.png
diff --git a/README.md b/README.md
@@ -6,6 +6,7 @@
 
 Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or
 Kubernetes-based application gateway.
+[Gateway API](https://gateway-api.sigs.k8s.io) resources are used to dynamically provision and configure the managed Envoy Proxies.
 
 ## Documentation
 

diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -99,8 +99,30 @@ type HeaderSettings struct {
 	// and responses.
 	// +optional
 	EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`
+
+	// WithUnderscoresAction configures the action to take when an HTTP header with underscores
+	// is encountered. The default action is to reject the request.
+	// +optional
+	WithUnderscoresAction *WithUnderscoresAction `json:"withUnderscoresAction,omitempty"`
 }
 
+// WithUnderscoresAction configures the action to take when an HTTP header with underscores
+// is encountered.
+// +kubebuilder:validation:Enum=Allow;RejectRequest;DropHeader
+type WithUnderscoresAction string
+
+const (
+	// WithUnderscoresActionAllow allows headers with underscores to be passed through.
+	WithUnderscoresActionAllow WithUnderscoresAction = "Allow"
+	// WithUnderscoresActionRejectRequest rejects the client request. HTTP/1 requests are rejected with
+	// the 400 status. HTTP/2 requests end with the stream reset.
+	WithUnderscoresActionRejectRequest WithUnderscoresAction = "RejectRequest"
+	// WithUnderscoresActionDropHeader drops the client header with name containing underscores. The header
+	// is dropped before the filter chain is invoked and as such filters will not see
+	// dropped headers.
+	WithUnderscoresActionDropHeader WithUnderscoresAction = "DropHeader"
+)
+
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
 //
 // +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"

diff --git a/api/v1alpha1/connection_types.go b/api/v1alpha1/connection_types.go
@@ -5,24 +5,34 @@
 
 package v1alpha1
 
-import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
 
 // Connection allows users to configure connection-level settings
 type Connection struct {
-	// Limit defines limits related to connections
+	// ConnectionLimit defines limits related to connections
 	//
 	// +optional
-	Limit *ConnectionLimit `json:"limit,omitempty"`
+	ConnectionLimit *ConnectionLimit `json:"connectionLimit,omitempty"`
+	// BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
+	// For example, 20Mi, 1Gi, 256Ki etc.
+	// Note that when the suffix is not provided, the value is interpreted as bytes.
+	// Default: 32768 bytes.
+	//
+	// +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="bufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\""
+	// +optional
+	BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"`
 }
 
 type ConnectionLimit struct {
 	// Value of the maximum concurrent connections limit.
 	// When the limit is reached, incoming connections will be closed after the CloseDelay duration.
 	// Default: unlimited.
 	//
-	// +optional
 	// +kubebuilder:validation:Minimum=0
-	Value *int64 `json:"value,omitempty"`
+	Value int64 `json:"value,omitempty"`
 
 	// CloseDelay defines the delay to use before closing connections that are rejected
 	// once the limit value is reached.

diff --git a/api/v1alpha1/envoyextensionypolicy_types.go b/api/v1alpha1/envoyextensionypolicy_types.go
@@ -55,6 +55,13 @@ type EnvoyExtensionPolicySpec struct {
 	//
 	// +optional
 	Priority int32 `json:"priority,omitempty"`
+
+	// WASM is a list of Wasm extensions to be loaded by the Gateway.
+	// Order matters, as the extensions will be loaded in the order they are
+	// defined in this list.
+	//
+	// +optional
+	WASM []Wasm `json:"wasm,omitempty"`
 }
 
 //+kubebuilder:object:root=true

diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go
@@ -140,7 +140,7 @@ type Gateway struct {
 	// ControllerName defines the name of the Gateway API controller. If unspecified,
 	// defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
 	// for additional details:
-	//   https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1.GatewayClass
+	//   https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass
 	//
 	// +optional
 	ControllerName string `json:"controllerName,omitempty"`

diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
@@ -37,6 +37,11 @@ type OIDC struct {
 	// +optional
 	Scopes []string `json:"scopes,omitempty"`
 
+	// The OIDC resources to be used in the
+	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+	// +optional
+	Resources []string `json:"resources,omitempty"`
+
 	// The redirect URL to be used in the OIDC
 	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 	// If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"

diff --git a/api/v1alpha1/timeout_types.go b/api/v1alpha1/timeout_types.go
@@ -50,9 +50,15 @@ type ClientTimeout struct {
 }
 
 type HTTPClientTimeout struct {
-	// The duration envoy waits for the complete request reception. This timer starts upon request
+	// RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
 	// initiation and stops when either the last byte of the request is sent upstream or when the response begins.
 	//
 	// +optional
 	RequestReceivedTimeout *gwapiv1.Duration `json:"requestReceivedTimeout,omitempty"`
+
+	// IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+	// Default: 1 hour.
+	//
+	// +optional
+	IdleTimeout *gwapiv1.Duration `json:"idleTimeout,omitempty"`
 }