Merge branch 'main' of github.com:envoyproxy/gateway into udef-gw-add…

…r/external-ips

.github/workflows/cherrypick.yaml

@@ -0,0 +1,29 @@
+on:
+  pull_request:
+    branches:
+      - main
+    types: ["closed"]
+
+jobs:
+  cherry_pick_release_v0_4:
+    runs-on: ubuntu-latest
+    name: Cherry pick into release-v0.4
+    if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.4') && github.event.pull_request.merged == true }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Cherry pick into release/v0.4
+        uses: carloscastrojumo/[email protected]
+        with:
+          branch: release/v0.4
+          title: "[release/v0.4] {old_title}"
+          body: "Cherry picking #{old_pull_request_id} onto release/v0.4"
+          labels: |
+            cherrypick/release-v0.4
+          # put release manager here
+          reviewers: |
+            AliceProxy
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docs.yaml

@@ -63,4 +63,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1

VERSION

@@ -1 +1 @@
-v0.4.0-rc.1
+v0.4.0

api/v1alpha1/ratelimitfilter_types.go

@@ -98,13 +98,34 @@ type RateLimitSelectCondition struct {
 	// +kubebuilder:validation:MaxItems=16
 	Headers []HeaderMatch `json:"headers,omitempty"`
 
-	// SourceIP is the IP CIDR that represents the range of Source IP Addresses of the client.
-	// These could also be the intermediate addresses through which the request has flown through and is part of the  `X-Forwarded-For` header.
-	// For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.
-	// All IP Addresses within the specified SourceIP CIDR are treated as a single client selector and share the same rate limit bucket.
-	//
+	// Deprecated: Use SourceCIDR instead.
 	// +optional
 	SourceIP *string `json:"sourceIP,omitempty"`
+
+	// SourceCIDR is the client IP Address range to match on.
+	//
+	// +optional
+	SourceCIDR *SourceMatch `json:"sourceCIDR,omitempty"`
+}
+
+type SourceMatchType string
+
+const (
+	// SourceMatchExact All IP Addresses within the specified Source IP CIDR are treated as a single client selector
+	// and share the same rate limit bucket.
+	SourceMatchExact SourceMatchType = "Exact"
+	// SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
+	// and uses a separate rate limit bucket/counter.
+	SourceMatchDistinct SourceMatchType = "Distinct"
+)
+
+type SourceMatch struct {
+	Type *SourceMatchType `json:"type,omitempty"`
+
+	// Value is the IP CIDR that represents the range of Source IP Addresses of the client.
+	// These could also be the intermediate addresses through which the request has flown through and is part of the  `X-Forwarded-For` header.
+	// For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.
+	Value string `json:"address"`
 }
 
 // HeaderMatch defines the match attributes within the HTTP Headers of the request.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_ratelimitfilters.yaml

@@ -103,16 +103,26 @@ spec:
                                 x-kubernetes-list-map-keys:
                                 - name
                                 x-kubernetes-list-type: map
+                              sourceCIDR:
+                                description: SourceCIDR is the client IP Address range
+                                  to match on.
+                                properties:
+                                  address:
+                                    description: Value is the IP CIDR that represents
+                                      the range of Source IP Addresses of the client.
+                                      These could also be the intermediate addresses
+                                      through which the request has flown through
+                                      and is part of the  `X-Forwarded-For` header.
+                                      For example, `192.168.0.1/32`, `192.168.0.0/24`,
+                                      `001:db8::/64`.
+                                    type: string
+                                  type:
+                                    type: string
+                                required:
+                                - address
+                                type: object
                               sourceIP:
-                                description: SourceIP is the IP CIDR that represents
-                                  the range of Source IP Addresses of the client.
-                                  These could also be the intermediate addresses through
-                                  which the request has flown through and is part
-                                  of the  `X-Forwarded-For` header. For example, `192.168.0.1/32`,
-                                  `192.168.0.0/24`, `001:db8::/64`. All IP Addresses
-                                  within the specified SourceIP CIDR are treated as
-                                  a single client selector and share the same rate
-                                  limit bucket.
+                                description: 'Deprecated: Use SourceCIDR instead.'
                                 type: string
                             type: object
                           maxItems: 8

docs/index.html

@@ -1,5 +1,5 @@
 <html>
   <head>
-	  <meta http-equiv="refresh" content="0; url=/v0.3.0">
+	  <meta http-equiv="refresh" content="0; url=/v0.4.0">
   </head>
 </html>

docs/latest/api/config_types.md

@@ -28,7 +28,10 @@ EnvoyGateway is the schema for the envoygateways API.
 | --- | --- |
 | `apiVersion` _string_ | `config.gateway.envoyproxy.io/v1alpha1`
 | `kind` _string_ | `EnvoyGateway`
-| `EnvoyGatewaySpec` _[EnvoyGatewaySpec](#envoygatewayspec)_ | EnvoyGatewaySpec defines the desired state of EnvoyGateway. |
+| `gateway` _[Gateway](#gateway)_ | Gateway defines desired Gateway API specific configuration. If unset, default configuration parameters will apply. |
+| `provider` _[EnvoyGatewayProvider](#envoygatewayprovider)_ | Provider defines the desired provider and provider-specific configuration. If unspecified, the Kubernetes provider is used with default configuration parameters. |
+| `rateLimit` _[RateLimit](#ratelimit)_ | RateLimit defines the configuration associated with the Rate Limit service deployed by Envoy Gateway required to implement the Global Rate limiting functionality. The specific rate limit service used here is the reference implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit. This configuration is unneeded for "Local" rate limiting. |
+| `extension` _[Extension](#extension)_ | Extension defines an extension to register for the Envoy Gateway Control Plane. |
 
 
 ## EnvoyGatewayFileProvider
@@ -63,6 +66,7 @@ _Appears in:_
 EnvoyGatewayProvider defines the desired configuration of a provider.
 
 _Appears in:_
+- [EnvoyGateway](#envoygateway)
 - [EnvoyGatewaySpec](#envoygatewayspec)
 
 | Field | Description |
@@ -160,6 +164,7 @@ _Appears in:_
 Extension defines the configuration for registering an extension to the Envoy Gateway control plane.
 
 _Appears in:_
+- [EnvoyGateway](#envoygateway)
 - [EnvoyGatewaySpec](#envoygatewayspec)
 
 | Field | Description |
@@ -210,7 +215,7 @@ _Appears in:_
 
 | Field | Description |
 | --- | --- |
-| `certificateRef` _[SecretObjectReference](#secretobjectreference)_ | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that contains a TLS certificate and private keys. These certificates are used to establish a TLS handshake to the extension server. 
+| `certificateRef` _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectReference)_ | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that contains a TLS certificate and private keys. These certificates are used to establish a TLS handshake to the extension server. 
  CertificateRef can only reference a Kubernetes Secret at this time. |
 
 
@@ -221,6 +226,7 @@ _Appears in:_
 Gateway defines the desired Gateway API configuration of Envoy Gateway.
 
 _Appears in:_
+- [EnvoyGateway](#envoygateway)
 - [EnvoyGatewaySpec](#envoygatewayspec)
 
 | Field | Description |
@@ -362,6 +368,7 @@ _Appears in:_
 RateLimit defines the configuration associated with the Rate Limit Service used for Global Rate Limiting.
 
 _Appears in:_
+- [EnvoyGateway](#envoygateway)
 - [EnvoyGatewaySpec](#envoygatewayspec)
 
 | Field | Description |

docs/latest/api/extension_types.md

@@ -173,7 +173,8 @@ _Appears in:_
 | Field | Description |
 | --- | --- |
 | `headers` _[HeaderMatch](#headermatch) array_ | Headers is a list of request headers to match. Multiple header values are ANDed together, meaning, a request MUST match all the specified headers. |
-| `sourceIP` _string_ | SourceIP is the IP CIDR that represents the range of Source IP Addresses of the client. These could also be the intermediate addresses through which the request has flown through and is part of the  `X-Forwarded-For` header. For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. All IP Addresses within the specified SourceIP CIDR are treated as a single client selector and share the same rate limit bucket. |
+| `sourceIP` _string_ | Deprecated: Use SourceCIDR instead. |
+| `sourceCIDR` _[SourceMatch](#sourcematch)_ | SourceCIDR is the client IP Address range to match on. |
 
 
 ## RateLimitType
@@ -227,3 +228,29 @@ _Appears in:_
 | `uri` _string_ | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate. |
 
 
+## SourceMatch
+
+
+
+
+
+_Appears in:_
+- [RateLimitSelectCondition](#ratelimitselectcondition)
+
+| Field | Description |
+| --- | --- |
+| `type` _[SourceMatchType](#sourcematchtype)_ |  |
+| `address` _string_ | Value is the IP CIDR that represents the range of Source IP Addresses of the client. These could also be the intermediate addresses through which the request has flown through and is part of the  `X-Forwarded-For` header. For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. |
+
+
+## SourceMatchType
+
+_Underlying type:_ `string`
+
+
+
+_Appears in:_
+- [SourceMatch](#sourcematch)
+
+
+

docs/latest/dev/releasing.md

@@ -68,6 +68,37 @@ export GITHUB_REMOTE=origin
 18. Ensure you check the "This is a pre-release" checkbox when editing the GitHub release.
 19. If you find any bugs in this process, please create an issue.
 
+### Setup cherry picker action
+
+After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release.
+
+Configuration looks like following:
+
+```yaml
+  cherry_pick_release_v0_4:
+    runs-on: ubuntu-latest
+    name: Cherry pick into release-v0.4
+    if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.4') && github.event.pull_request.merged == true }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Cherry pick into release/v0.4
+        uses: carloscastrojumo/[email protected]
+        with:
+          branch: release/v0.4
+          title: "[release/v0.4] {old_title}"
+          body: "Cherry picking #{old_pull_request_id} onto release/v0.4"
+          labels: |
+            cherrypick/release-v0.4
+          # put release manager here
+          reviewers: |
+            AliceProxy
+```
+
+Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM.
+
 ## Minor Release
 
 The following steps should be used for creating a minor release.
@@ -93,7 +124,8 @@ export GITHUB_REMOTE=origin
       notes should be an accumulation of the release candidate release notes and any changes since the release
       candidate.
    2. Create a release announcement. Refer to [PR #635] as an example release announcement.
-   3. Generate the versioned release docs:
+   3. Include the release in the compatibility matrix. Refer to [PR #1002] as an example.
+   4. Generate the versioned release docs:
 
    ``` shell
       make docs-release TAG=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -192,4 +224,5 @@ It's important that the world knows about the release. Use the following steps t
 [Generate]: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
 [PR #635]: https://github.com/envoyproxy/gateway/pull/635
 [PR #958]: https://github.com/envoyproxy/gateway/pull/958
+[PR #1002]: https://github.com/envoyproxy/gateway/pull/1002
 [VERSION]: https://github.com/envoyproxy/gateway/blob/main/VERSION

docs/latest/intro/compatibility.rst

@@ -10,11 +10,13 @@ and the Gateway API actually compiled into each Envoy Gateway release.
 +--------------------------+---------------------+---------------------+---------------------+----------------------------+
 | Envoy Gateway version    | Envoy Proxy version | Rate Limit version  | Gateway API version | Kubernetes version         |
 +--------------------------+---------------------+---------------------+---------------------+----------------------------+
+| v0.4.0                   | **v1.26-latest**    |   **542a6047**      |  **v0.6.2**         | v1.25, v1.26, v1.27        |
++--------------------------+---------------------+---------------------+---------------------+----------------------------+
 | v0.3.0                   | **v1.25-latest**    |   **f28024e3**      |  **v0.6.1**         | v1.24, v1.25, v1.26        |
 +--------------------------+---------------------+---------------------+---------------------+----------------------------+
 | v0.2.0                   | **v1.23-latest**    |                     |  **v0.5.1**         | v1.24                      |
 +--------------------------+---------------------+---------------------+---------------------+----------------------------+
-| latest                   | **dev-latest**      |   **master**        |  **v0.6.2**         | v1.24, v1.25, v1.26        |
+| latest                   | **dev-latest**      |   **master**        |  **v0.6.2**         | v1.25, v1.26, v1.27        |
 +--------------------------+---------------------+---------------------+---------------------+----------------------------+
 
 .. note::

docs/latest/releases.rst

@@ -9,3 +9,4 @@ Learn more about Envoy Gateway releases.
   releases/README
   releases/v0.2
   releases/v0.3
+  releases/v0.4

docs/latest/releases/README.md

@@ -25,6 +25,7 @@ communications with the Envoy Gateway community, and the mechanics of the releas
 |:-------:|:--------------------------------------------------------------:|
 | 2022 Q4 |    Daneyon Hansen ([danehans](https://github.com/danehans))    |
 | 2023 Q1 |    Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo))         |
+| 2023 Q2 |    Alice Wasko ([AliceProxy](https://github.com/AliceProxy))   |
 
 ## Release Schedule
 
@@ -35,6 +36,7 @@ In order to align with the Envoy Proxy [release schedule][], Envoy Gateway relea
 |:-------:|:-----------:|:-----------:|:----------:|:-----------:|
 |  0.2.0  | 2022/10/22  | 2022/10/20  |   -2 day   |  2023/4/20  |
 |  0.3.0  | 2023/01/22  | 2023/02/09  |   +17 day  |  2023/08/09 |
+|  0.3.0  | 2023/04/22  | 2023/04/24  |   +2 day   |  2023/10/24 |
 
 [v2.0.0 spec]: https://semver.org/spec/v2.0.0.html
 [release guide]: ../dev/releasing.md