Merge branch 'main' into xds-ir-cors

charts/gateway-helm/templates/certgen-rbac.yaml

@@ -5,8 +5,14 @@ metadata:
   namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
+  {{- if .Values.certgen.rbac.labels }}
+  {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+  {{- end }}
   annotations:
     "helm.sh/hook": pre-install
+  {{- if .Values.certgen.rbac.annotations }}
+    {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+  {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -15,8 +21,14 @@ metadata:
   namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
+  {{- if .Values.certgen.rbac.labels }}
+  {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+  {{- end }}
   annotations:
     "helm.sh/hook": pre-install
+  {{- if .Values.certgen.rbac.annotations }}
+    {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+  {{- end }}
 rules:
 - apiGroups:
   - ""
@@ -34,8 +46,14 @@ metadata:
   namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
+  {{- if .Values.certgen.rbac.labels }}
+  {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+  {{- end }}
   annotations:
     "helm.sh/hook": pre-install
+  {{- if .Values.certgen.rbac.annotations }}
+    {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

charts/gateway-helm/templates/certgen.yaml

@@ -7,6 +7,9 @@ metadata:
   {{- include "eg.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-install
+  {{- if .Values.certgen.job.annotations }}
+    {{- toYaml .Values.certgen.job.annotations | nindent 4 -}}
+  {{- end }}
 spec:
   backoffLimit: 1
   completions: 1
@@ -37,4 +40,6 @@ spec:
         runAsNonRoot: true
         runAsUser: 65534
       serviceAccountName: {{ include "eg.fullname" . }}-certgen
-  ttlSecondsAfterFinished: 0
+  {{- if not ( kindIs "invalid" .Values.certgen.job.ttlSecondsAfterFinished) }}
+  ttlSecondsAfterFinished: {{ .Values.certgen.job.ttlSecondsAfterFinished }}
+  {{- end }}

charts/gateway-helm/values.tmpl.yaml

@@ -55,3 +55,11 @@ envoyGatewayMetricsService:
 createNamespace: false
 
 kubernetesClusterDomain: cluster.local
+
+certgen:
+  job:
+    annotations: {}
+    ttlSecondsAfterFinished: 0
+  rbac:
+    annotations: {}
+    labels: {}

internal/envoygateway/scheme.go

@@ -10,6 +10,7 @@ import (
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 	mcsapi "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
@@ -37,6 +38,9 @@ func init() {
 	if err := gwapiv1.AddToScheme(scheme); err != nil {
 		panic(err)
 	}
+	if err := gwapiv1b1.AddToScheme(scheme); err != nil {
+		panic(err)
+	}
 	if err := gwapiv1a2.AddToScheme(scheme); err != nil {
 		panic(err)
 	}

internal/gatewayapi/resource.go

@@ -11,6 +11,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 	mcsapi "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
@@ -33,7 +34,7 @@ type Resources struct {
 	TLSRoutes             []*gwapiv1a2.TLSRoute          `json:"tlsRoutes,omitempty" yaml:"tlsRoutes,omitempty"`
 	TCPRoutes             []*gwapiv1a2.TCPRoute          `json:"tcpRoutes,omitempty" yaml:"tcpRoutes,omitempty"`
 	UDPRoutes             []*gwapiv1a2.UDPRoute          `json:"udpRoutes,omitempty" yaml:"udpRoutes,omitempty"`
-	ReferenceGrants       []*gwapiv1a2.ReferenceGrant    `json:"referenceGrants,omitempty" yaml:"referenceGrants,omitempty"`
+	ReferenceGrants       []*gwapiv1b1.ReferenceGrant    `json:"referenceGrants,omitempty" yaml:"referenceGrants,omitempty"`
 	Namespaces            []*v1.Namespace                `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
 	Services              []*v1.Service                  `json:"services,omitempty" yaml:"services,omitempty"`
 	ServiceImports        []*mcsapi.ServiceImport        `json:"serviceImports,omitempty" yaml:"serviceImports,omitempty"`
@@ -56,7 +57,7 @@ func NewResources() *Resources {
 		Services:              []*v1.Service{},
 		EndpointSlices:        []*discoveryv1.EndpointSlice{},
 		Secrets:               []*v1.Secret{},
-		ReferenceGrants:       []*gwapiv1a2.ReferenceGrant{},
+		ReferenceGrants:       []*gwapiv1b1.ReferenceGrant{},
 		Namespaces:            []*v1.Namespace{},
 		RateLimitFilters:      []*egv1a1.RateLimitFilter{},
 		AuthenticationFilters: []*egv1a1.AuthenticationFilter{},

internal/gatewayapi/translator_test.go

@@ -25,7 +25,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+	"sigs.k8s.io/gateway-api/apis/v1beta1"
 	"sigs.k8s.io/yaml"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
@@ -537,7 +537,7 @@ func TestIsValidCrossNamespaceRef(t *testing.T) {
 		name           string
 		from           crossNamespaceFrom
 		to             crossNamespaceTo
-		referenceGrant *v1alpha2.ReferenceGrant
+		referenceGrant *v1beta1.ReferenceGrant
 		want           bool
 	}
 
@@ -559,20 +559,20 @@ func TestIsValidCrossNamespaceRef(t *testing.T) {
 				namespace: "default",
 				name:      "tls-secret-1",
 			},
-			referenceGrant: &v1alpha2.ReferenceGrant{
+			referenceGrant: &v1beta1.ReferenceGrant{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "referencegrant-1",
 					Namespace: "default",
 				},
-				Spec: v1alpha2.ReferenceGrantSpec{
-					From: []v1alpha2.ReferenceGrantFrom{
+				Spec: v1beta1.ReferenceGrantSpec{
+					From: []v1beta1.ReferenceGrantFrom{
 						{
 							Group:     "gateway.networking.k8s.io",
 							Kind:      "Gateway",
 							Namespace: "envoy-gateway-system",
 						},
 					},
-					To: []v1alpha2.ReferenceGrantTo{
+					To: []v1beta1.ReferenceGrantTo{
 						{
 							Group: "",
 							Kind:  "Secret",
@@ -642,7 +642,7 @@ func TestIsValidCrossNamespaceRef(t *testing.T) {
 	for _, tc := range testcases {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
-			var referenceGrants []*v1alpha2.ReferenceGrant
+			var referenceGrants []*v1beta1.ReferenceGrant
 			if tc.referenceGrant != nil {
 				referenceGrants = append(referenceGrants, tc.referenceGrant)
 			}

internal/gatewayapi/validate.go

@@ -16,6 +16,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 )
 
 func (t *Translator) validateBackendRef(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext,
@@ -629,7 +630,7 @@ func (t *Translator) validateConflictedLayer4Listeners(gateways []*GatewayContex
 	}
 }
 
-func (t *Translator) validateCrossNamespaceRef(from crossNamespaceFrom, to crossNamespaceTo, referenceGrants []*gwapiv1a2.ReferenceGrant) bool {
+func (t *Translator) validateCrossNamespaceRef(from crossNamespaceFrom, to crossNamespaceTo, referenceGrants []*gwapiv1b1.ReferenceGrant) bool {
 	for _, referenceGrant := range referenceGrants {
 		// The ReferenceGrant must be defined in the namespace of
 		// the "to" (the referent).

internal/provider/kubernetes/controller.go

@@ -27,6 +27,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 	mcsapi "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
@@ -133,7 +134,7 @@ type resourceMappings struct {
 	// Map for storing backendRefs' NamespaceNames referred by various Route objects.
 	allAssociatedBackendRefs map[gwapiv1.BackendObjectReference]struct{}
 	// Map for storing referenceGrant NamespaceNames for BackendRefs, SecretRefs.
-	allAssociatedRefGrants map[types.NamespacedName]*gwapiv1a2.ReferenceGrant
+	allAssociatedRefGrants map[types.NamespacedName]*gwapiv1b1.ReferenceGrant
 	// authenFilters is a map of AuthenticationFilters, where the key is the
 	// namespaced name of the AuthenticationFilter.
 	authenFilters map[types.NamespacedName]*egv1a1.AuthenticationFilter
@@ -150,7 +151,7 @@ func newResourceMapping() *resourceMappings {
 	return &resourceMappings{
 		allAssociatedNamespaces:  map[string]struct{}{},
 		allAssociatedBackendRefs: map[gwapiv1.BackendObjectReference]struct{}{},
-		allAssociatedRefGrants:   map[types.NamespacedName]*gwapiv1a2.ReferenceGrant{},
+		allAssociatedRefGrants:   map[types.NamespacedName]*gwapiv1b1.ReferenceGrant{},
 		authenFilters:            map[types.NamespacedName]*egv1a1.AuthenticationFilter{},
 		rateLimitFilters:         map[types.NamespacedName]*egv1a1.RateLimitFilter{},
 		extensionRefFilters:      map[types.NamespacedName]unstructured.Unstructured{},
@@ -445,16 +446,16 @@ func (r *gatewayAPIReconciler) statusUpdateForGateway(ctx context.Context, gtw *
 	})
 }
 
-func (r *gatewayAPIReconciler) findReferenceGrant(ctx context.Context, from, to ObjectKindNamespacedName) (*gwapiv1a2.ReferenceGrant, error) {
-	refGrantList := new(gwapiv1a2.ReferenceGrantList)
+func (r *gatewayAPIReconciler) findReferenceGrant(ctx context.Context, from, to ObjectKindNamespacedName) (*gwapiv1b1.ReferenceGrant, error) {
+	refGrantList := new(gwapiv1b1.ReferenceGrantList)
 	opts := &client.ListOptions{FieldSelector: fields.OneTermEqualSelector(targetRefGrantRouteIndex, to.kind)}
 	if err := r.client.List(ctx, refGrantList, opts); err != nil {
 		return nil, fmt.Errorf("failed to list ReferenceGrants: %v", err)
 	}
 
 	refGrants := refGrantList.Items
 	if len(r.namespaceLabels) != 0 {
-		var rgs []gwapiv1a2.ReferenceGrant
+		var rgs []gwapiv1b1.ReferenceGrant
 		for _, refGrant := range refGrants {
 			ns := refGrant.GetNamespace()
 			ok, err := r.checkObjectNamespaceLabels(ns)
@@ -607,8 +608,8 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, acceptedGC *
 }
 
 func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error {
-	if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a2.ReferenceGrant{}, targetRefGrantRouteIndex, func(rawObj client.Object) []string {
-		refGrant := rawObj.(*gwapiv1a2.ReferenceGrant)
+	if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1b1.ReferenceGrant{}, targetRefGrantRouteIndex, func(rawObj client.Object) []string {
+		refGrant := rawObj.(*gwapiv1b1.ReferenceGrant)
 		var referredServices []string
 		for _, target := range refGrant.Spec.To {
 			referredServices = append(referredServices, string(target.Kind))
@@ -1478,7 +1479,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
 		rgPredicates = append(rgPredicates, predicate.NewPredicateFuncs(r.hasMatchingNamespaceLabels))
 	}
 	if err := c.Watch(
-		source.Kind(mgr.GetCache(), &gwapiv1a2.ReferenceGrant{}),
+		source.Kind(mgr.GetCache(), &gwapiv1b1.ReferenceGrant{}),
 		handler.EnqueueRequestsFromMapFunc(r.enqueueClass),
 		rgPredicates...,
 	); err != nil {

internal/xds/translator/cors.go

@@ -26,7 +26,7 @@ const (
 )
 
 // patchHCMWithCorsFilter builds and appends the Cors Filter to the HTTP
-// Connection Manager if applicable, and it does not already exist.
+// Connection Manager if applicable.
 func patchHCMWithCorsFilter(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error {
 	if mgr == nil {
 		return errors.New("hcm is nil")
@@ -43,7 +43,9 @@ func patchHCMWithCorsFilter(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTT
 	// Return early if filter already exists.
 	for _, httpFilter := range mgr.HttpFilters {
 		if httpFilter.Name == corsFilter {
-			return nil
+			// This should not happen since this is the only place where the cors
+			// filter is added in a listener.
+			return fmt.Errorf("cors filter already exists in hcm: %+v", mgr)
 		}
 	}
 
@@ -106,6 +108,8 @@ func patchRouteWithCorsConfig(route *routev3.Route, irRoute *ir.HTTPRoute) error
 
 	filterCfg := route.GetTypedPerFilterConfig()
 	if _, ok := filterCfg[corsFilter]; ok {
+		// This should not happen since this is the only place where the cors
+		// filter is added in a route.
 		return fmt.Errorf("route already contains cors config: %+v", route)
 	}
 

site/content/en/latest/install/api.md

@@ -24,6 +24,10 @@ The Helm chart for Envoy Gateway
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| certgen.job.annotations | object | `{}` |  |
+| certgen.job.ttlSecondsAfterFinished | int | `0` |  |
+| certgen.rbac.annotations | object | `{}` |  |
+| certgen.rbac.labels | object | `{}` |  |
 | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
 | config.envoyGateway.logging.level.default | string | `"info"` |  |
 | config.envoyGateway.provider.type | string | `"Kubernetes"` |  |

site/content/en/latest/user/rate-limit.md

@@ -734,11 +734,17 @@ for i in {1..4}; do grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOS
 ```
 
 ```console
-Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = failed to query for service descriptor "yages.Echo":
+{
+  "text": "pong"
+}
 
-Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = failed to query for service descriptor "yages.Echo":
+{
+  "text": "pong"
+}
 
-Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = failed to query for service descriptor "yages.Echo":
+{
+  "text": "pong"
+}
 
 Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = failed to query for service descriptor "yages.Echo":
 

site/content/en/latest/user/secure-gateways.md

@@ -173,7 +173,7 @@ namespace to reference Secrets in the "envoy-gateway-system" namespace:
 
 ```console
 $ cat <<EOF | kubectl apply -f -
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
   name: example

test/conformance/conformance_test.go

@@ -18,6 +18,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/gateway-api/apis/v1"
 	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+	"sigs.k8s.io/gateway-api/apis/v1beta1"
 	"sigs.k8s.io/gateway-api/conformance/tests"
 	"sigs.k8s.io/gateway-api/conformance/utils/flags"
 	"sigs.k8s.io/gateway-api/conformance/utils/suite"
@@ -36,6 +37,7 @@ func TestGatewayAPIConformance(t *testing.T) {
 	require.NoError(t, err)
 
 	require.NoError(t, v1alpha2.AddToScheme(client.Scheme()))
+	require.NoError(t, v1beta1.AddToScheme(client.Scheme()))
 	require.NoError(t, v1.AddToScheme(client.Scheme()))
 
 	cSuite := suite.New(suite.Options{
@@ -47,7 +49,6 @@ func TestGatewayAPIConformance(t *testing.T) {
 		SupportedFeatures:    suite.AllFeatures,
 		SkipTests: []string{
 			tests.GatewaySecretInvalidReferenceGrant.ShortName,
-			tests.HTTPRouteReferenceGrant.ShortName,
 			tests.HTTPRouteRewritePath.ShortName,
 			tests.GatewayStaticAddresses.ShortName,
 		},

test/conformance/experimental_conformance_test.go

@@ -22,6 +22,7 @@ import (
 
 	"sigs.k8s.io/gateway-api/apis/v1"
 	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+	"sigs.k8s.io/gateway-api/apis/v1beta1"
 	confv1a1 "sigs.k8s.io/gateway-api/conformance/apis/v1alpha1"
 	"sigs.k8s.io/gateway-api/conformance/tests"
 	"sigs.k8s.io/gateway-api/conformance/utils/flags"
@@ -53,6 +54,8 @@ func TestExperimentalConformance(t *testing.T) {
 
 	err = v1alpha2.AddToScheme(mgrClient.Scheme())
 	assert.NoError(t, err)
+	err = v1beta1.AddToScheme(mgrClient.Scheme())
+	assert.NoError(t, err)
 	err = v1.AddToScheme(mgrClient.Scheme())
 	assert.NoError(t, err)
 
@@ -94,7 +97,6 @@ func experimentalConformance(t *testing.T) {
 				CleanupBaseResources: *flags.CleanupBaseResources,
 				SkipTests: []string{
 					tests.GatewaySecretInvalidReferenceGrant.ShortName,
-					tests.HTTPRouteReferenceGrant.ShortName,
 					tests.HTTPRouteRewritePath.ShortName,
 					tests.GatewayStaticAddresses.ShortName,
 				},