Merge branch 'main' of github.com:envoyproxy/gateway into test-envoyp…

…roxy-validate

.github/workflows/docs.yaml

@@ -44,7 +44,7 @@ jobs:
         extended: true
 
     - name: Setup Node
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: '18'
 

.github/workflows/latest_release.yaml

@@ -12,6 +12,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
+    - uses: ./tools/github-actions/setup-deps
 
     - name: Generate Release Manifests
       run: make generate-manifests IMAGE=envoyproxy/gateway-dev TAG=latest OUTPUT_DIR=release-artifacts

.github/workflows/retest.yaml

@@ -22,6 +22,6 @@ jobs:
       pull-requests: write
       actions: write
     steps:
-    - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.0.25
+    - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.1.15
       with:
         token: ${{ secrets.GITHUB_TOKEN }}

OWNERS

@@ -20,5 +20,8 @@ reviewers:
 - chauhanshubham
 - kflynn
 - LanceEa
-- qicz
 - zhaohuabing
+- tmsnan
+- tanujd11
+- cnvergence
+- shawnh2

VERSION

@@ -1 +1 @@
-v0.5.0
+v0.6.0

api/v1alpha1/backendtrafficpolicy_types.go

@@ -16,9 +16,8 @@ const (
 )
 
 // +kubebuilder:object:root=true
-// +kubebuilder:resource:shortName=btpolicy
+// +kubebuilder:resource:shortName=btp
 // +kubebuilder:subresource:status
-// +kubebuilder:subresource:overrideStrategy
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].reason`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 //
@@ -37,8 +36,9 @@ type BackendTrafficPolicy struct {
 
 // spec defines the desired state of BackendTrafficPolicy.
 type BackendTrafficPolicySpec struct {
-
-	// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway' || self.kind == 'HTTPRoute' || self.kind == 'GRPCRoute' || self.kind == 'UDPRoute' || self.kind == 'TCPRoute' || self.kind == 'TLSRoute'", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute"
+	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
+	// +kubebuilder:validation:XValidation:rule="self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', 'TLSRoute']", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute"
+	// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
 	//
 	// targetRef is the name of the resource this policy
 	// is being attached to.
@@ -49,7 +49,7 @@ type BackendTrafficPolicySpec struct {
 	// RateLimit allows the user to limit the number of incoming requests
 	// to a predefined value based on attributes within the traffic flow.
 	// +optional
-	RateLimit *RateLimitFilterSpec `json:"rateLimit,omitempty"`
+	RateLimit *RateLimitSpec `json:"rateLimit,omitempty"`
 
 	// LoadBalancer policy to apply when routing traffic from the gateway to
 	// the backend endpoints

api/v1alpha1/clienttrafficpolicy_types.go

@@ -17,6 +17,7 @@ const (
 )
 
 // +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=ctp
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].reason`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
@@ -36,6 +37,10 @@ type ClientTrafficPolicy struct {
 
 // ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy.
 type ClientTrafficPolicySpec struct {
+	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
+	// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'", message="this policy can only have a targetRef.kind of Gateway"
+	// +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
+	//
 	// TargetRef is the name of the Gateway resource this policy
 	// is being attached to.
 	// This Policy and the TargetRef MUST be in the same namespace

api/v1alpha1/cors_types.go

@@ -0,0 +1,24 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// CORS defines the configuration for Cross-Origin Resource Sharing (CORS).
+type CORS struct {
+	// AllowOrigins defines the origins that are allowed to make requests.
+	// +kubebuilder:validation:MinItems=1
+	AllowOrigins []StringMatch `json:"allowOrigins,omitempty" yaml:"allowOrigins"`
+	// AllowMethods defines the methods that are allowed to make requests.
+	// +kubebuilder:validation:MinItems=1
+	AllowMethods []string `json:"allowMethods,omitempty" yaml:"allowMethods"`
+	// AllowHeaders defines the headers that are allowed to be sent with requests.
+	AllowHeaders []string `json:"allowHeaders,omitempty" yaml:"allowHeaders,omitempty"`
+	// ExposeHeaders defines the headers that can be exposed in the responses.
+	ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"`
+	// MaxAge defines how long the results of a preflight request can be cached.
+	MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"`
+}

api/v1alpha1/envoygateway_helpers.go

@@ -76,6 +76,15 @@ func (e *EnvoyGateway) GetEnvoyGatewayAdminAddress() string {
 	return ""
 }
 
+// NamespaceMode returns if uses namespace mode.
+func (e *EnvoyGateway) NamespaceMode() bool {
+	return e.Provider != nil &&
+		e.Provider.Kubernetes != nil &&
+		e.Provider.Kubernetes.Watch != nil &&
+		e.Provider.Kubernetes.Watch.Type == KubernetesWatchModeTypeNamespaces &&
+		len(e.Provider.Kubernetes.Watch.Namespaces) > 0
+}
+
 // DefaultGateway returns a new Gateway with default configuration parameters.
 func DefaultGateway() *Gateway {
 	return &Gateway{
@@ -92,13 +101,12 @@ func DefaultEnvoyGatewayLogging() *EnvoyGatewayLogging {
 	}
 }
 
-// GetEnvoyGatewayAdmin returns the EnvoyGatewayAdmin of EnvoyGateway or a default EnvoyGatewayAdmin if unspecified.
+// GetEnvoyGatewayTelemetry returns the EnvoyGatewayTelemetry of EnvoyGateway or a default EnvoyGatewayTelemetry if unspecified.
 func (e *EnvoyGateway) GetEnvoyGatewayTelemetry() *EnvoyGatewayTelemetry {
 	if e.Telemetry != nil {
 		if e.Telemetry.Metrics.Prometheus == nil {
 			e.Telemetry.Metrics.Prometheus = DefaultEnvoyGatewayPrometheus()
 		}
-
 		if e.Telemetry.Metrics == nil {
 			e.Telemetry.Metrics = DefaultEnvoyGatewayMetrics()
 		}
@@ -109,8 +117,8 @@ func (e *EnvoyGateway) GetEnvoyGatewayTelemetry() *EnvoyGatewayTelemetry {
 	return e.Telemetry
 }
 
-// IfDisablePrometheus returns if disable prometheus.
-func (e *EnvoyGateway) IfDisablePrometheus() bool {
+// DisablePrometheus returns if disable prometheus.
+func (e *EnvoyGateway) DisablePrometheus() bool {
 	return e.GetEnvoyGatewayTelemetry().Metrics.Prometheus.Disable
 }
 

api/v1alpha1/envoygateway_types.go

@@ -445,11 +445,11 @@ type EnvoyGatewayAdmin struct {
 	// EnableDumpConfig defines if enable dump config in Envoy Gateway logs.
 	//
 	// +optional
-	EnableDumpConfig bool
+	EnableDumpConfig bool `json:"enableDumpConfig,omitempty"`
 	// EnablePprof defines if enable pprof in Envoy Gateway Admin Server.
 	//
 	// +optional
-	EnablePprof bool
+	EnablePprof bool `json:"enablePprof,omitempty"`
 }
 
 // EnvoyGatewayAdminAddress defines the Envoy Gateway Admin Address configuration.

api/v1alpha1/envoypatchpolicy_types.go

@@ -17,6 +17,7 @@ const (
 )
 
 // +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=epp
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Programmed")].reason`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`

api/v1alpha1/envoyproxy_metric_types.go

@@ -23,7 +23,7 @@ type ProxyMetrics struct {
 	// `cluster.<cluster_name>.membership_degraded`，reference  https://github.com/envoyproxy/envoy/issues/9856,
 	// https://github.com/envoyproxy/envoy/issues/14610
 	//
-	Matches []Match `json:"matches,omitempty"`
+	Matches []StringMatch `json:"matches,omitempty"`
 
 	// EnableVirtualHostStats enables envoy stat metrics for virtual hosts.
 	EnableVirtualHostStats bool `json:"enableVirtualHostStats,omitempty"`
@@ -58,20 +58,3 @@ type ProxyPrometheusProvider struct {
 	// Disable the Prometheus endpoint.
 	Disable bool `json:"disable,omitempty"`
 }
-
-// Match defines the stats match configuration.
-type Match struct { // TODO: zhaohuabing this type should be renamed to StatsMatch
-	// MatcherType defines the stats matcher type
-	//
-	// +kubebuilder:validation:Enum=RegularExpression;Prefix;Suffix
-	Type  MatcherType `json:"type"`
-	Value string      `json:"value"`
-}
-
-type MatcherType string
-
-const ( // TODO: zhaohuabing the const types should be prefixed with StatsMatch
-	Prefix            MatcherType = "Prefix"
-	RegularExpression MatcherType = "RegularExpression"
-	Suffix            MatcherType = "Suffix"
-)

api/v1alpha1/envoyproxy_types.go

@@ -15,6 +15,7 @@ const (
 )
 
 // +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=eproxy
 // +kubebuilder:subresource:status
 
 // EnvoyProxy is the schema for the envoyproxies API.
@@ -122,6 +123,9 @@ type EnvoyProxyKubernetesProvider struct {
 	// are applied.
 	//
 	// +optional
+	// +kubebuilder:validation:XValidation:message="allocateLoadBalancerNodePorts can only be set for LoadBalancer type",rule="!has(self.allocateLoadBalancerNodePorts) || self.type == 'LoadBalancer'"
+	// +kubebuilder:validation:XValidation:message="loadBalancerIP can only be set for LoadBalancer type",rule="!has(self.loadBalancerIP) || self.type == 'LoadBalancer'"
+	// +kubebuilder:validation:XValidation:message="loadBalancerIP must be a valid IPv4 address",rule="!has(self.loadBalancerIP) || self.loadBalancerIP.matches(r\"^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\.|$)){4})\")"
 	EnvoyService *KubernetesServiceSpec `json:"envoyService,omitempty"`
 }
 

api/v1alpha1/authenticationfilter_types.go → api/v1alpha1/jwt_types.go

@@ -5,72 +5,22 @@
 
 package v1alpha1
 
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
+// JWT defines the configuration for JSON Web Token (JWT) authentication.
+type JWT struct {
 
-const (
-	// KindAuthenticationFilter is the name of the AuthenticationFilter kind.
-	KindAuthenticationFilter = "AuthenticationFilter"
-)
-
-// +kubebuilder:object:root=true
-// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
-
-type AuthenticationFilter struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	// Spec defines the desired state of the AuthenticationFilter type.
-	Spec AuthenticationFilterSpec `json:"spec"`
-
-	// Note: The status sub-resource has been excluded but may be added in the future.
-}
-
-// ClaimToHeader defines a configuration to convert JWT claims into HTTP headers
-type ClaimToHeader struct {
-
-	// Header defines the name of the HTTP request header that the JWT Claim will be saved into.
-	Header string `json:"header"`
-
-	// Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
-	// (eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
-	// to separate the JSON name path.
-	Claim string `json:"claim"`
-}
-
-// AuthenticationFilterSpec defines the desired state of the AuthenticationFilter type.
-// +union
-type AuthenticationFilterSpec struct {
-	// Type defines the type of authentication provider to use. Supported provider types
-	// are "JWT".
+	// Providers defines the JSON Web Token (JWT) authentication provider type.
 	//
-	// +unionDiscriminator
-	Type AuthenticationFilterType `json:"type"`
-
-	// JWT defines the JSON Web Token (JWT) authentication provider type. When multiple
-	// jwtProviders are specified, the JWT is considered valid if any of the providers
-	// successfully validate the JWT. For additional details, see
-	// https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
+	// When multiple JWT providers are specified, the JWT is considered valid if
+	// any of the providers successfully validate the JWT. For additional details,
+	// see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
 	//
+	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=4
-	// +optional
-	JwtProviders []JwtAuthenticationFilterProvider `json:"jwtProviders,omitempty"`
+	Providers []JWTProvider `json:"providers"`
 }
 
-// AuthenticationFilterType is a type of authentication provider.
-// +kubebuilder:validation:Enum=JWT
-type AuthenticationFilterType string
-
-const (
-	// JwtAuthenticationFilterProviderType is a provider that uses JSON Web Token (JWT)
-	// for authenticating requests..
-	JwtAuthenticationFilterProviderType AuthenticationFilterType = "JWT"
-)
-
-// JwtAuthenticationFilterProvider defines the JSON Web Token (JWT) authentication provider type
-// and how JWTs should be verified:
-type JwtAuthenticationFilterProvider struct {
+// JWTProvider defines how a JSON Web Token (JWT) can be verified.
+type JWTProvider struct {
 	// Name defines a unique name for the JWT provider. A name can have a variety of forms,
 	// including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
 	//
@@ -120,15 +70,14 @@ type RemoteJWKS struct {
 	// TODO: Add TBD remote JWKS fields based on defined use cases.
 }
 
-//+kubebuilder:object:root=true
+// ClaimToHeader defines a configuration to convert JWT claims into HTTP headers
+type ClaimToHeader struct {
 
-// AuthenticationFilterList contains a list of AuthenticationFilter.
-type AuthenticationFilterList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []AuthenticationFilter `json:"items"`
-}
+	// Header defines the name of the HTTP request header that the JWT Claim will be saved into.
+	Header string `json:"header"`
 
-func init() {
-	SchemeBuilder.Register(&AuthenticationFilter{}, &AuthenticationFilterList{})
+	// Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
+	// (eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
+	// to separate the JSON name path.
+	Claim string `json:"claim"`
 }

api/v1alpha1/loadbalancer_types.go

@@ -7,9 +7,11 @@ package v1alpha1
 
 // LoadBalancer defines the load balancer policy to be applied.
 // +union
+//
+// +kubebuilder:validation:XValidation:rule="self.type == 'ConsistentHash' ? has(self.consistentHash) : !has(self.consistentHash)",message="If LoadBalancer type is consistentHash, consistentHash field needs to be set."
 type LoadBalancer struct {
 	// Type decides the type of Load Balancer policy.
-	// Valid RateLimitType values are
+	// Valid LoadBalancerType values are
 	// "ConsistentHash",
 	// "LeastRequest",
 	// "Random",

api/v1alpha1/ratelimitfilter_types.go → api/v1alpha1/ratelimit_types.go

@@ -5,31 +5,9 @@
 
 package v1alpha1
 
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-const (
-	// KindRateLimitFilter is the name of the RateLimitFilter kind.
-	KindRateLimitFilter = "RateLimitFilter"
-)
-
-// +kubebuilder:object:root=true
-// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
-
-// RateLimitFilter allows the user to limit the number of incoming requests
-// to a predefined value based on attributes within the traffic flow.
-type RateLimitFilter struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	// Spec defines the desired state of RateLimitFilter.
-	Spec RateLimitFilterSpec `json:"spec"`
-}
-
-// RateLimitFilterSpec defines the desired state of RateLimitFilter.
+// RateLimitSpec defines the desired state of RateLimitSpec.
 // +union
-type RateLimitFilterSpec struct {
+type RateLimitSpec struct {
 	// Type decides the scope for the RateLimits.
 	// Valid RateLimitType values are "Global".
 	//
@@ -184,16 +162,3 @@ type RateLimitValue struct {
 //
 // +kubebuilder:validation:Enum=Second;Minute;Hour;Day
 type RateLimitUnit string
-
-//+kubebuilder:object:root=true
-
-// RateLimitFilterList contains a list of RateLimitFilter resources.
-type RateLimitFilterList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []RateLimitFilter `json:"items"`
-}
-
-func init() {
-	SchemeBuilder.Register(&RateLimitFilter{}, &RateLimitFilterList{})
-}