Merge branch 'main' into http-jwks

envoyproxy · Dec 22, 2023 · 5979f5e · 5979f5e
2 parents 7e4cc0d + 5d691f2
commit 5979f5e
Show file tree

Hide file tree

Showing 57 changed files with 4,224 additions and 157 deletions.
diff --git a/.github/workflows/cherrypick.yaml b/.github/workflows/cherrypick.yaml
@@ -6,23 +6,23 @@ on:
     types: ["closed"]
 
 jobs:
-  cherry_pick_release_v0_5:
+  cherry_pick_release_v0_6:
     runs-on: ubuntu-22.04
-    name: Cherry pick into release-v0.5
-    if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.5') && github.event.pull_request.merged == true }}
+    name: Cherry pick into release-v0.6
+    if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.6') && github.event.pull_request.merged == true }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Cherry pick into release/v0.5
+      - name: Cherry pick into release/v0.6
         uses: carloscastrojumo/[email protected]
         with:
-          branch: release/v0.5
-          title: "[release/v0.5] {old_title}"
-          body: "Cherry picking #{old_pull_request_id} onto release/v0.5"
+          branch: release/v0.6
+          title: "[release/v0.6] {old_title}"
+          body: "Cherry picking #{old_pull_request_id} onto release/v0.6"
           labels: |
-            cherrypick/release-v0.5
+            cherrypick/release-v0.6
           # put release manager here
           reviewers: |
             arkodg
diff --git a/api/v1alpha1/envoypatchpolicy_types.go b/api/v1alpha1/envoypatchpolicy_types.go
@@ -49,7 +49,8 @@ type EnvoyPatchPolicySpec struct {
 	JSONPatches []EnvoyJSONPatchConfig `json:"jsonPatches,omitempty"`
 	// TargetRef is the name of the Gateway API resource this policy
 	// is being attached to.
-	// Currently only attaching to Gateway is supported
+	// By default attaching to Gateway is supported and
+	// when mergeGateways is enabled it should attach to GatewayClass.
 	// This Policy and the TargetRef MUST be in the same namespace
 	// for this Policy to have effect and be applied to the Gateway
 	// TargetRef

diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go
@@ -134,7 +134,7 @@ type EnvoyProxyKubernetesProvider struct {
 	// +optional
 	// +kubebuilder:validation:XValidation:message="minReplicas must be greater than 0",rule="!has(self.minReplicas) || self.minReplicas > 0"
 	// +kubebuilder:validation:XValidation:message="maxReplicas must be greater than 0",rule="!has(self.maxReplicas) || self.maxReplicas > 0"
-	// +kubebuilder:validation:XValidation:message="maxReplicas cannot be less than or equal to minReplicas",rule="!has(self.minReplicas) || self.maxReplicas > self.minReplicas"
+	// +kubebuilder:validation:XValidation:message="maxReplicas cannot be less than minReplicas",rule="!has(self.minReplicas) || self.maxReplicas >= self.minReplicas"
 	EnvoyHpa *KubernetesHorizontalPodAutoscalerSpec `json:"envoyHpa,omitempty"`
 }
 

diff --git a/api/v1alpha1/ratelimit_types.go b/api/v1alpha1/ratelimit_types.go
@@ -9,35 +9,58 @@ package v1alpha1
 // +union
 type RateLimitSpec struct {
 	// Type decides the scope for the RateLimits.
-	// Valid RateLimitType values are "Global".
+	// Valid RateLimitType values are "Global" or "Local".
 	//
 	// +unionDiscriminator
 	Type RateLimitType `json:"type"`
 	// Global defines global rate limit configuration.
 	//
 	// +optional
 	Global *GlobalRateLimit `json:"global,omitempty"`
+
+	// Local defines local rate limit configuration.
+	//
+	// +optional
+	Local *LocalRateLimit `json:"local,omitempty"`
 }
 
 // RateLimitType specifies the types of RateLimiting.
-// +kubebuilder:validation:Enum=Global
+// +kubebuilder:validation:Enum=Global;Local
 type RateLimitType string
 
 const (
-	// GlobalRateLimitType allows the rate limits to be applied across all Envoy proxy instances.
+	// GlobalRateLimitType allows the rate limits to be applied across all Envoy
+	// proxy instances.
 	GlobalRateLimitType RateLimitType = "Global"
+
+	// LocalRateLimitType allows the rate limits to be applied on a per Envoy
+	// proxy instance basis.
+	LocalRateLimitType RateLimitType = "Local"
 )
 
 // GlobalRateLimit defines global rate limit configuration.
 type GlobalRateLimit struct {
-	// Rules are a list of RateLimit selectors and limits.
-	// Each rule and its associated limit is applied
-	// in a mutually exclusive way i.e. if multiple
-	// rules get selected, each of their associated
-	// limits get applied, so a single traffic request
-	// might increase the rate limit counters for multiple
-	// rules if selected.
+	// Rules are a list of RateLimit selectors and limits. Each rule and its
+	// associated limit is applied in a mutually exclusive way. If a request
+	// matches multiple rules, each of their associated limits get applied, so a
+	// single request might increase the rate limit counters for multiple rules
+	// if selected. The rate limit service will return a logical OR of the individual
+	// rate limit decisions of all matching rules. For example, if a request
+	// matches two rules, one rate limited and one not, the final decision will be
+	// to rate limit the request.
+	//
+	// +kubebuilder:validation:MaxItems=16
+	Rules []RateLimitRule `json:"rules"`
+}
+
+// LocalRateLimit defines local rate limit configuration.
+type LocalRateLimit struct {
+	// Rules are a list of RateLimit selectors and limits. If a request matches
+	// multiple rules, the strictest limit is applied. For example, if a request
+	// matches two rules, one with 10rps and one with 20rps, the final limit will
+	// be based on the rule with 10rps.
 	//
+	// +optional
 	// +kubebuilder:validation:MaxItems=16
 	Rules []RateLimitRule `json:"rules"`
 }
@@ -49,8 +72,14 @@ type RateLimitRule struct {
 	// specific clients using attributes from the traffic flow.
 	// All individual select conditions must hold True for this rule
 	// and its limit to be applied.
-	// If this field is empty, it is equivalent to True, and
-	// the limit is applied.
+	//
+	// If no client selectors are specified, the rule applies to all traffic of
+	// the targeted Route.
+	//
+	// If the policy targets a Gateway, the rule applies to each Route of the Gateway.
+	// Please note that each Route has its own rate limit counters. For example,
+	// if a Gateway has two Routes, and the policy has a rule with limit 10rps,
+	// each Route will have its own 10rps limit.
 	//
 	// +optional
 	// +kubebuilder:validation:MaxItems=8
@@ -70,6 +99,7 @@ type RateLimitRule struct {
 type RateLimitSelectCondition struct {
 	// Headers is a list of request headers to match. Multiple header values are ANDed together,
 	// meaning, a request MUST match all the specified headers.
+	// At least one of headers or sourceCIDR condition must be specified.
 	//
 	// +listType=map
 	// +listMapKey=name
@@ -78,6 +108,7 @@ type RateLimitSelectCondition struct {
 	Headers []HeaderMatch `json:"headers,omitempty"`
 
 	// SourceCIDR is the client IP Address range to match on.
+	// At least one of headers or sourceCIDR condition must be specified.
 	//
 	// +optional
 	SourceCIDR *SourceMatch `json:"sourceCIDR,omitempty"`
@@ -91,6 +122,7 @@ const (
 	SourceMatchExact SourceMatchType = "Exact"
 	// SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
 	// and uses a separate rate limit bucket/counter.
+	// Note: This is only supported for Global Rate Limits.
 	SourceMatchDistinct SourceMatchType = "Distinct"
 )
 
@@ -148,6 +180,7 @@ const (
 	// HeaderMatchDistinct matches any and all possible unique values encountered in the
 	// specified HTTP Header. Note that each unique value will receive its own rate limit
 	// bucket.
+	// Note: This is only supported for Global Rate Limits.
 	HeaderMatchDistinct HeaderMatchType = "Distinct"
 )
 
@@ -162,3 +195,18 @@ type RateLimitValue struct {
 //
 // +kubebuilder:validation:Enum=Second;Minute;Hour;Day
 type RateLimitUnit string
+
+// RateLimitUnit constants.
+const (
+	// RateLimitUnitSecond specifies the rate limit interval to be 1 second.
+	RateLimitUnitSecond RateLimitUnit = "Second"
+
+	// RateLimitUnitMinute specifies the rate limit interval to be 1 minute.
+	RateLimitUnitMinute RateLimitUnit = "Minute"
+
+	// RateLimitUnitHour specifies the rate limit interval to be 1 hour.
+	RateLimitUnitHour RateLimitUnit = "Hour"
+
+	// RateLimitUnitDay specifies the rate limit interval to be 1 day.
+	RateLimitUnitDay RateLimitUnit = "Day"
+)
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go