Merge branch 'fix/ratelimit-deployment-labels' of github.com:oscarboh…

…er/gateway into fix/ratelimit-deployment-labels

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d  # v3.26.7
+      uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3  # v3.26.8
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@8214744c546c1e5c8f03dde8fab3a7353211988d  # v3.26.7
+      uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3  # v3.26.8
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d  # v3.26.7
+      uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3  # v3.26.8
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -62,7 +62,7 @@ jobs:
         extended: true
 
     - name: Setup Node
-      uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b  # v4.1.0
+      uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6  # v4.1.0
       with:
         node-version: '18'
 

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d  # v3.26.7
+      uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3  # v3.26.8
       with:
         sarif_file: results.sarif

VERSION

@@ -1 +1 @@
-v1.1.1
+v1.1.2

api/v1alpha1/accesslogging_types.go

@@ -30,8 +30,30 @@ type ProxyAccessLogSetting struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=50
 	Sinks []ProxyAccessLogSink `json:"sinks"`
+	// Type defines the component emitting the accesslog, such as Listener and Route.
+	// If type not defined, the setting would apply to:
+	// (1) All Routes.
+	// (2) Listeners if and only if Envoy does not find a matching route for a request.
+	// If type is defined, the accesslog settings would apply to the relevant component (as-is).
+	// +kubebuilder:validation:Enum=Listener;Route
+	// +optional
+	// +notImplementedHide
+	Type *ProxyAccessLogType `json:"type,omitempty"`
 }
 
+type ProxyAccessLogType string
+
+const (
+	// ProxyAccessLogTypeListener defines the accesslog for Listeners.
+	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
+	ProxyAccessLogTypeListener ProxyAccessLogType = "Listener"
+	// ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes.
+	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log
+	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log
+	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log
+	ProxyAccessLogTypeRoute ProxyAccessLogType = "Route"
+)
+
 type ProxyAccessLogFormatType string
 
 const (

api/v1alpha1/authorization_types.go

@@ -28,8 +28,11 @@ type Authorization struct {
 // AuthorizationRule defines a single authorization rule.
 type AuthorizationRule struct {
 	// Name is a user-friendly name for the rule.
-	// If not specified, Envoy Gateway will generate a unique name for the rule.n
+	// If not specified, Envoy Gateway will generate a unique name for the rule.
+	//
 	// +optional
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
 	Name *string `json:"name,omitempty"`
 
 	// Action defines the action to be taken if the rule matches.
@@ -45,7 +48,8 @@ type AuthorizationRule struct {
 // Principal specifies the client identity of a request.
 // A client identity can be a client IP, a JWT claim, username from the Authorization header,
 // or any other identity that can be extracted from a custom header.
-// Currently, only the client IP is supported.
+
+// If there are multiple principal types, all principals must match for the rule to match.
 //
 // +kubebuilder:validation:XValidation:rule="(has(self.clientCIDRs) || has(self.jwt))",message="at least one of clientCIDRs or jwt must be specified"
 type Principal struct {
@@ -60,7 +64,8 @@ type Principal struct {
 	// You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
 	// the `ClientTrafficPolicy` to configure how the client IP is detected.
 	// +optional
-	ClientCIDRs []CIDR `json:"clientCIDRs"`
+	// +kubebuilder:validation:MinItems=1
+	ClientCIDRs []CIDR `json:"clientCIDRs,omitempty"`
 
 	// JWT authorize the request based on the JWT claims and scopes.
 	// Note: in order to use JWT claims for authorization, you must configure the
@@ -76,12 +81,23 @@ type Principal struct {
 //
 // +kubebuilder:validation:XValidation:rule="(has(self.claims) || has(self.scopes))",message="at least one of claims or scopes must be specified"
 type JWTPrincipal struct {
+	// Provider is the name of the JWT provider that used to verify the JWT token.
+	// In order to use JWT claims for authorization, you must configure the JWT
+	// authentication with the same provider in the same `SecurityPolicy`.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	Provider string `json:"provider"`
+
 	// Claims are the claims in a JWT token.
 	//
 	// If multiple claims are specified, all claims must match for the rule to match.
 	// For example, if there are two claims: one for the audience and one for the issuer,
 	// the rule will match only if both the audience and the issuer match.
+	//
 	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
 	Claims []JWTClaim `json:"claims,omitempty"`
 
 	// Scopes are a special type of claim in a JWT token that represents the permissions of the client.
@@ -90,8 +106,11 @@ type JWTPrincipal struct {
 	// as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.
 	//
 	// If multiple scopes are specified, all scopes must match for the rule to match.
+	//
 	// +optional
-	Scopes []string `json:"scopes,omitempty"`
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
+	Scopes []JWTScope `json:"scopes,omitempty"`
 }
 
 // JWTClaim specifies a claim in a JWT token.
@@ -101,10 +120,14 @@ type JWTClaim struct {
 	// represent the full path to the claim.
 	// For example, if the claim is in the "department" field in the "organization" field,
 	// the name should be "organization.department".
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
 	Name string `json:"name"`
 
 	// ValueType is the type of the claim value.
 	// Only String and StringArray types are supported for now.
+	//
 	// +kubebuilder:validation:Enum=String;StringArray
 	// +kubebuilder:default=String
 	// +unionDiscriminator
@@ -115,9 +138,16 @@ type JWTClaim struct {
 	// If the claim is a string type, the specified value must match exactly.
 	// If the claim is a string array type, the specified value must match one of the values in the array.
 	// If multiple values are specified, one of the values must match for the rule to match.
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
 	Values []string `json:"values"`
 }
 
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=253
+type JWTScope string
+
 type JWTClaimValueType string
 
 const (

api/v1alpha1/envoypatchpolicy_types.go

@@ -109,12 +109,16 @@ type JSONPatchOperationType string
 type JSONPatchOperation struct {
 	// Op is the type of operation to perform
 	Op JSONPatchOperationType `json:"op"`
-	// Path is the location of the target document/field where the operation will be performed
-	// Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+	// Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+	// It specifies the location of the target document/field where the operation will be performed
 	// +optional
 	Path *string `json:"path,omitempty"`
-	// JSONPath specifies the locations of the target document/field where the operation will be performed
-	// Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+	// JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+	// It produces one or more JSONPointer expressions based on the given JSON document.
+	// If no JSONPointer is found, it will result in an error.
+	// If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
+	// This is useful when creating a property that does not yet exist in the JSON document.
+	// The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied.
 	// +optional
 	JSONPath *string `json:"jsonPath,omitempty"`
 	// From is the source location of the value to be copied or moved. Only valid

api/v1alpha1/envoyproxy_types.go

@@ -256,12 +256,12 @@ type EnvoyProxyProvider struct {
 // ShutdownConfig defines configuration for graceful envoy shutdown process.
 type ShutdownConfig struct {
 	// DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
-	// If unspecified, defaults to 600 seconds.
+	// If unspecified, defaults to 60 seconds.
 	//
 	// +optional
 	DrainTimeout *metav1.Duration `json:"drainTimeout,omitempty"`
 	// MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
-	// If unspecified, defaults to 5 seconds.
+	// If unspecified, defaults to 10 seconds.
 	//
 	// +optional
 	MinDrainDuration *metav1.Duration `json:"minDrainDuration,omitempty"`

api/v1alpha1/httproutefilter_types.go

@@ -56,14 +56,17 @@ const (
 type ReplaceRegexMatch struct {
 	// Pattern matches a regular expression against the value of the HTTP Path.The regex string must
 	// adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax.
+	// +kubebuilder:validation:MinLength=1
 	Pattern string `json:"pattern"`
 	// Substitution is an expression that replaces the matched portion.The expression may include numbered
 	// capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax.
 	Substitution string `json:"substitution"`
 }
 
+// +kubebuilder:validation:XValidation:rule="self.type == 'ReplaceRegexMatch' ? has(self.replaceRegexMatch) : !has(self.replaceRegexMatch)",message="If HTTPPathModifier type is ReplaceRegexMatch, replaceRegexMatch field needs to be set."
 type HTTPPathModifier struct {
-	// +kubebuilder:validation:Enum=RegexHTTPPathModifier
+	// +kubebuilder:validation:Enum=ReplaceRegexMatch
+	// +kubebuilder:validation:Required
 	Type HTTPPathModifierType `json:"type"`
 	// ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
 	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
@@ -84,6 +87,7 @@ type HTTPPathModifier struct {
 	//       pattern: (?i)/xxx/
 	//       substitution: /yyy/
 	//     Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive).
+	// +optional
 	ReplaceRegexMatch *ReplaceRegexMatch `json:"replaceRegexMatch,omitempty"`
 }
 

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml

@@ -73,8 +73,12 @@ spec:
                           type: string
                         jsonPath:
                           description: |-
-                            JSONPath specifies the locations of the target document/field where the operation will be performed
-                            Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+                            JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+                            It produces one or more JSONPointer expressions based on the given JSON document.
+                            If no JSONPointer is found, it will result in an error.
+                            If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
+                            This is useful when creating a property that does not yet exist in the JSON document.
+                            The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied.
                           type: string
                         op:
                           description: Op is the type of operation to perform
@@ -88,8 +92,8 @@ spec:
                           type: string
                         path:
                           description: |-
-                            Path is the location of the target document/field where the operation will be performed
-                            Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+                            Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+                            It specifies the location of the target document/field where the operation will be performed
                           type: string
                         value:
                           description: |-

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -208,8 +208,12 @@ spec:
                           type: string
                         jsonPath:
                           description: |-
-                            JSONPath specifies the locations of the target document/field where the operation will be performed
-                            Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+                            JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+                            It produces one or more JSONPointer expressions based on the given JSON document.
+                            If no JSONPointer is found, it will result in an error.
+                            If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
+                            This is useful when creating a property that does not yet exist in the JSON document.
+                            The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied.
                           type: string
                         op:
                           description: Op is the type of operation to perform
@@ -223,8 +227,8 @@ spec:
                           type: string
                         path:
                           description: |-
-                            Path is the location of the target document/field where the operation will be performed
-                            Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+                            Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+                            It specifies the location of the target document/field where the operation will be performed
                           type: string
                         value:
                           description: |-
@@ -10244,12 +10248,12 @@ spec:
                   drainTimeout:
                     description: |-
                       DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
-                      If unspecified, defaults to 600 seconds.
+                      If unspecified, defaults to 60 seconds.
                     type: string
                   minDrainDuration:
                     description: |-
                       MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
-                      If unspecified, defaults to 5 seconds.
+                      If unspecified, defaults to 10 seconds.
                     type: string
                 type: object
               telemetry:
@@ -12251,6 +12255,17 @@ spec:
                               maxItems: 50
                               minItems: 1
                               type: array
+                            type:
+                              description: |-
+                                Type defines the component emitting the accesslog, such as Listener and Route.
+                                If type not defined, the setting would apply to:
+                                (1) All Routes.
+                                (2) Listeners if and only if Envoy does not find a matching route for a request.
+                                If type is defined, the accesslog settings would apply to the relevant component (as-is).
+                              enum:
+                              - Listener
+                              - Route
+                              type: string
                           required:
                           - sinks
                           type: object

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml

@@ -82,6 +82,7 @@ spec:
                             description: |-
                               Pattern matches a regular expression against the value of the HTTP Path.The regex string must
                               adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax.
+                            minLength: 1
                             type: string
                           substitution:
                             description: |-
@@ -96,11 +97,16 @@ spec:
                         description: HTTPPathModifierType defines the type of path
                           redirect or rewrite.
                         enum:
-                        - RegexHTTPPathModifier
+                        - ReplaceRegexMatch
                         type: string
                     required:
                     - type
                     type: object
+                    x-kubernetes-validations:
+                    - message: If HTTPPathModifier type is ReplaceRegexMatch, replaceRegexMatch
+                        field needs to be set.
+                      rule: 'self.type == ''ReplaceRegexMatch'' ? has(self.replaceRegexMatch)
+                        : !has(self.replaceRegexMatch)'
                 type: object
             type: object
         required: