Merge branch 'main' into docs-update

api/v1alpha1/envoyproxy_types.go

@@ -112,6 +112,8 @@ type EnvoyProxySpec struct {
 	//
 	// - envoy.filters.http.jwt_authn
 	//
+	// - envoy.filters.http.stateful_session
+	//
 	// - envoy.filters.http.ext_proc
 	//
 	// - envoy.filters.http.wasm
@@ -172,7 +174,7 @@ type FilterPosition struct {
 }
 
 // EnvoyFilter defines the type of Envoy HTTP filter.
-// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit
+// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit
 type EnvoyFilter string
 
 const (
@@ -197,6 +199,9 @@ const (
 	// EnvoyFilterJWTAuthn defines the Envoy HTTP JWT authentication filter.
 	EnvoyFilterJWTAuthn EnvoyFilter = "envoy.filters.http.jwt_authn"
 
+	// EnvoyFilterSessionPersistence defines the Envoy HTTP session persistence filter.
+	EnvoyFilterSessionPersistence EnvoyFilter = "envoy.filters.http.stateful_session"
+
 	// EnvoyFilterExtProc defines the Envoy HTTP external process filter.
 	EnvoyFilterExtProc EnvoyFilter = "envoy.filters.http.ext_proc"
 

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -251,6 +251,9 @@ spec:
                   - envoy.filters.http.jwt_authn
 
 
+                  - envoy.filters.http.stateful_session
+
+
                   - envoy.filters.http.ext_proc
 
 
@@ -286,6 +289,7 @@ spec:
                       - envoy.filters.http.basic_auth
                       - envoy.filters.http.oauth2
                       - envoy.filters.http.jwt_authn
+                      - envoy.filters.http.stateful_session
                       - envoy.filters.http.ext_proc
                       - envoy.filters.http.wasm
                       - envoy.filters.http.rbac
@@ -304,6 +308,7 @@ spec:
                       - envoy.filters.http.basic_auth
                       - envoy.filters.http.oauth2
                       - envoy.filters.http.jwt_authn
+                      - envoy.filters.http.stateful_session
                       - envoy.filters.http.ext_proc
                       - envoy.filters.http.wasm
                       - envoy.filters.http.rbac
@@ -320,6 +325,7 @@ spec:
                       - envoy.filters.http.basic_auth
                       - envoy.filters.http.oauth2
                       - envoy.filters.http.jwt_authn
+                      - envoy.filters.http.stateful_session
                       - envoy.filters.http.ext_proc
                       - envoy.filters.http.wasm
                       - envoy.filters.http.rbac

examples/extension-server/cmd/extension-server/main.go

@@ -13,11 +13,11 @@ import (
 	"os/signal"
 	"syscall"
 
-	pb "github.com/envoyproxy/gateway/proto/extension"
+	"github.com/exampleorg/envoygateway-extension/internal/extensionserver"
 	"github.com/urfave/cli/v2"
 	"google.golang.org/grpc"
 
-	"github.com/exampleorg/envoygateway-extension/internal/extensionserver"
+	pb "github.com/envoyproxy/gateway/proto/extension"
 )
 
 func main() {

examples/extension-server/internal/extensionserver/server.go

@@ -11,15 +11,15 @@ import (
 	"fmt"
 	"log/slog"
 
-	pb "github.com/envoyproxy/gateway/proto/extension"
 	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	bav3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/basic_auth/v3"
 	hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
+	"github.com/exampleorg/envoygateway-extension/api/v1alpha1"
 	"google.golang.org/protobuf/types/known/anypb"
 
-	"github.com/exampleorg/envoygateway-extension/api/v1alpha1"
+	pb "github.com/envoyproxy/gateway/proto/extension"
 )
 
 type Server struct {

internal/gatewayapi/route.go

@@ -314,12 +314,60 @@ func (t *Translator) processHTTPRouteRule(httpRoute *HTTPRouteContext, ruleIdx i
 		ruleRoutes = append(ruleRoutes, irRoute)
 	}
 
+	var sessionPersistence *ir.SessionPersistence
+	if rule.SessionPersistence != nil {
+		if rule.SessionPersistence.IdleTimeout != nil {
+			return nil, fmt.Errorf("idle timeout is not supported in envoy gateway")
+		}
+
+		var sessionName string
+		if rule.SessionPersistence.SessionName == nil {
+			// SessionName is optional on the gateway-api, but envoy requires it
+			// so we generate the one here.
+
+			// We generate a unique session name per route.
+			// `/` isn't allowed in the header key, so we just replace it with `-`.
+			sessionName = strings.ReplaceAll(irRouteDestinationName(httpRoute, ruleIdx), "/", "-")
+		} else {
+			sessionName = *rule.SessionPersistence.SessionName
+		}
+
+		switch {
+		case rule.SessionPersistence.Type == nil || // Cookie-based session persistence is default.
+			*rule.SessionPersistence.Type == gwapiv1.CookieBasedSessionPersistence:
+			sessionPersistence = &ir.SessionPersistence{
+				Cookie: &ir.CookieBasedSessionPersistence{
+					Name: sessionName,
+				},
+			}
+			if rule.SessionPersistence.AbsoluteTimeout != nil &&
+				rule.SessionPersistence.CookieConfig != nil && rule.SessionPersistence.CookieConfig.LifetimeType != nil &&
+				*rule.SessionPersistence.CookieConfig.LifetimeType == gwapiv1.PermanentCookieLifetimeType {
+				ttl, err := time.ParseDuration(string(*rule.SessionPersistence.AbsoluteTimeout))
+				if err != nil {
+					return nil, err
+				}
+				sessionPersistence.Cookie.TTL = &metav1.Duration{Duration: ttl}
+			}
+		case *rule.SessionPersistence.Type == gwapiv1.HeaderBasedSessionPersistence:
+			sessionPersistence = &ir.SessionPersistence{
+				Header: &ir.HeaderBasedSessionPersistence{
+					Name: sessionName,
+				},
+			}
+		default:
+			// Unknown session persistence type is specified.
+			return nil, fmt.Errorf("unknown session persistence type %s", *rule.SessionPersistence.Type)
+		}
+	}
+
 	// A rule is matched if any one of its matches
 	// is satisfied (i.e. a logical "OR"), so generate
 	// a unique Xds IR HTTPRoute per match.
 	for matchIdx, match := range rule.Matches {
 		irRoute := &ir.HTTPRoute{
-			Name: irRouteName(httpRoute, ruleIdx, matchIdx),
+			Name:               irRouteName(httpRoute, ruleIdx, matchIdx),
+			SessionPersistence: sessionPersistence,
 		}
 		processTimeout(irRoute, rule)
 
@@ -699,6 +747,7 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route
 					Mirrors:               routeRoute.Mirrors,
 					ExtensionRefs:         routeRoute.ExtensionRefs,
 					IsHTTP2:               routeRoute.IsHTTP2,
+					SessionPersistence:    routeRoute.SessionPersistence,
 				}
 				if routeRoute.Traffic != nil {
 					hostRoute.Traffic = &ir.TrafficFeatures{

internal/ir/xds.go

@@ -565,6 +565,8 @@ type HTTPRoute struct {
 	UseClientProtocol *bool `json:"useClientProtocol,omitempty" yaml:"useClientProtocol,omitempty"`
 	// Metadata is used to enrich envoy route metadata with user and provider-specific information
 	Metadata *ResourceMetadata `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	// SessionPersistence holds the configuration for session persistence.
+	SessionPersistence *SessionPersistence `json:"sessionPersistence,omitempty" yaml:"sessionPersistence,omitempty"`
 }
 
 // DNS contains configuration options for DNS resolution.
@@ -576,6 +578,33 @@ type DNS struct {
 	RespectDNSTTL *bool `json:"respectDnsTtl,omitempty"`
 }
 
+// SessionPersistence defines the desired state of SessionPersistence.
+// +k8s:deepcopy-gen=true
+type SessionPersistence struct {
+	// Cookie defines the configuration for cookie-based session persistence.
+	// Either Cookie or Header must be non-empty.
+	Cookie *CookieBasedSessionPersistence `json:"cookie,omitempty" yaml:"cookie,omitempty"`
+	// Header defines the configuration for header-based session persistence.
+	// Either Cookie or Header must be non-empty.
+	Header *HeaderBasedSessionPersistence `json:"header,omitempty" yaml:"header,omitempty"`
+}
+
+// CookieBasedSessionPersistence defines the configuration for cookie-based session persistence.
+// +k8s:deepcopy-gen=true
+type CookieBasedSessionPersistence struct {
+	// Name defines the name of the persistent session token.
+	Name string `json:"name"`
+
+	TTL *metav1.Duration `json:"ttl,omitempty" yaml:"ttl,omitempty"`
+}
+
+// HeaderBasedSessionPersistence defines the configuration for header-based session persistence.
+// +k8s:deepcopy-gen=true
+type HeaderBasedSessionPersistence struct {
+	// Name defines the name of the persistent session token.
+	Name string `json:"name"`
+}
+
 // TrafficFeatures holds the information associated with the Backend Traffic Policy.
 // +k8s:deepcopy-gen=true
 type TrafficFeatures struct {

internal/xds/translator/httpfilters.go

@@ -114,8 +114,10 @@ func newOrderedHTTPFilter(filter *hcmv3.HttpFilter) *OrderedHTTPFilter {
 		order = 5
 	case isFilterType(filter, egv1a1.EnvoyFilterJWTAuthn):
 		order = 6
+	case isFilterType(filter, egv1a1.EnvoyFilterSessionPersistence):
+		order = 7
 	case isFilterType(filter, egv1a1.EnvoyFilterExtProc):
-		order = 7 + mustGetFilterIndex(filter.Name)
+		order = 8 + mustGetFilterIndex(filter.Name)
 	case isFilterType(filter, egv1a1.EnvoyFilterWasm):
 		order = 100 + mustGetFilterIndex(filter.Name)
 	case isFilterType(filter, egv1a1.EnvoyFilterRBAC):