fix conflict

Signed-off-by: zhaonan <[email protected]>

.github/dependabot.yml

@@ -13,6 +13,10 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    groups:
+      k8s.io:
+        patterns:
+          - "k8s.io/*"
   - package-ecosystem: pip
     directory: /tools/src/codespell
     schedule:

.github/workflows/build_and_test.yaml

@@ -93,7 +93,7 @@ jobs:
         chmod +x bin/linux/arm64/envoy-gateway
 
     # conformance
-    - name: Run Conformance Tests
+    - name: Run Standard Conformance Tests
       env:
         KIND_NODE_TAG: ${{ matrix.version }}
         IMAGE_PULL_POLICY: IfNotPresent
@@ -148,7 +148,7 @@ jobs:
     # build and push image
     - name: Login to DockerHub
       if: github.event_name == 'push'
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/experimental_conformance.yaml

@@ -0,0 +1,35 @@
+name: Experimental Conformance Test
+on:
+  push:
+    paths:
+    - 'charts/gateway-helm/crds/gatewayapi-crds.yaml'
+  pull_request:
+    paths:
+    - 'charts/gateway-helm/crds/gatewayapi-crds.yaml'
+    - 'test/conformance/*.go'
+  # Add workflow_dispatch to trigger this workflow manually by maintainers.
+  workflow_dispatch:
+
+jobs:
+  experimental-conformance-test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        version: [ v1.26.6, v1.27.3, v1.28.0 ]
+    steps:
+    - uses: actions/checkout@v4
+    - uses: ./tools/github-actions/setup-deps
+
+    # gateway api experimental conformance
+    - name: Run Experimental Conformance Tests
+      env:
+        CONFORMANCE_REPORT_PATH: conformance-report-k8s-${{ matrix.version }}.yaml
+        KIND_NODE_TAG: ${{ matrix.version }}
+        IMAGE_PULL_POLICY: IfNotPresent
+      run: make experimental-conformance
+
+    - name: Upload Conformance Report
+      uses: actions/upload-artifact@v3
+      with:
+        name: conformance-report-k8s-${{ matrix.version }}
+        path: ./test/conformance/conformance-report-k8s-${{ matrix.version }}.yaml

.github/workflows/release.yaml

@@ -19,7 +19,7 @@ jobs:
           echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
 
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}

api/config/v1alpha1/envoygateway_types.go

@@ -177,15 +177,37 @@ type EnvoyGatewayKubernetesProvider struct {
 	OverwriteControlPlaneCerts bool `json:"overwrite_control_plane_certs,omitempty"`
 }
 
+const (
+	// KubernetesWatchModeTypeNamespaces indicates that the namespace watch mode is used.
+	KubernetesWatchModeTypeNamespaces = "Namespaces"
+
+	// KubernetesWatchModeTypeNamespaceSelectors indicates that namespaceSelectors watch
+	// mode is used.
+	KubernetesWatchModeTypeNamespaceSelectors = "NamespaceSelectors"
+)
+
+// KubernetesWatchModeType defines the type of KubernetesWatchMode
+type KubernetesWatchModeType string
+
 // KubernetesWatchMode holds the configuration for which input resources to watch and reconcile.
 type KubernetesWatchMode struct {
+	// Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and
+	// KubernetesWatchModeTypeNamespaceSelectors are currently supported
+	// By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
+	// from all namespaces.
+	Type KubernetesWatchModeType
+
 	// Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
 	// resources such as Gateway, HTTPRoute and Service.
 	// Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
-	// GatewayClass that it is linked to.
-	// By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
-	// from all namespaces.
-	Namespaces []string `json:"namespaces,omitempty"`
+	// GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelectors must be set
+	Namespaces []string
+
+	// NamespaceSelectors holds a list of labels that namespaces have to have in order to be watched.
+	// Note this doesn't set the informer to watch the namespaces with the given labels. Informer still
+	// watches all namespaces. But the events for objects whois namespce have no given labels
+	// will be filtered out. Precisely one of Namespaces and NamespaceSelectors must be set
+	NamespaceSelectors []string `json:"namespaces,omitempty"`
 }
 
 // KubernetesDeployMode holds configuration for how to deploy managed resources such as the Envoy Proxy

api/config/v1alpha1/metric_types.go

@@ -18,6 +18,9 @@ type ProxyMetrics struct {
 	// https://github.com/envoyproxy/envoy/issues/14610
 	//
 	Matches []Match `json:"matches,omitempty"`
+
+	// EnableVirtualHostStats enables envoy stat metrics for virtual hosts.
+	EnableVirtualHostStats bool `json:"enableVirtualHostStats,omitempty"`
 }
 
 type MetricSinkType string

charts/gateway-helm/crds/generated/config.gateway.envoyproxy.io_envoyproxies.yaml

@@ -3938,6 +3938,10 @@ spec:
                     description: Metrics defines metrics configuration for managed
                       proxies.
                     properties:
+                      enableVirtualHostStats:
+                        description: EnableVirtualHostStats enables envoy stat metrics
+                          for virtual hosts.
+                        type: boolean
                       matches:
                         description: 'Matches defines configuration for selecting
                           specific metrics instead of generating all metrics stats

charts/gateway-helm/templates/_rbac.tpl

@@ -70,6 +70,7 @@ verbs:
 - list
 - update
 - watch
+- patch
 {{- end }}
 
 {{- define "eg.rbac.namespaced.gateway.envoyproxy" -}}

docs/latest/api/config_types.md

@@ -564,7 +564,20 @@ _Appears in:_
 
 | Field | Description |
 | --- | --- |
-| `namespaces` _string array_ | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped resources such as Gateway, HTTPRoute and Service. Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as GatewayClass that it is linked to. By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources from all namespaces. |
+| `Type` _[KubernetesWatchModeType](#kuberneteswatchmodetype)_ | Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and KubernetesWatchModeTypeNamespaceSelectors are currently supported By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources from all namespaces. |
+| `Namespaces` _string array_ | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped resources such as Gateway, HTTPRoute and Service. Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelectors must be set |
+| `namespaces` _string array_ | NamespaceSelectors holds a list of labels that namespaces have to have in order to be watched. Note this doesn't set the informer to watch the namespaces with the given labels. Informer still watches all namespaces. But the events for objects whois namespce have no given labels will be filtered out. Precisely one of Namespaces and NamespaceSelectors must be set |
+
+
+## KubernetesWatchModeType
+
+_Underlying type:_ `string`
+
+KubernetesWatchModeType defines the type of KubernetesWatchMode
+
+_Appears in:_
+- [KubernetesWatchMode](#kuberneteswatchmode)
+
 
 
 ## LiteralCustomTag
@@ -837,6 +850,7 @@ _Appears in:_
 | `prometheus` _[PrometheusProvider](#prometheusprovider)_ | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. |
 | `sinks` _[MetricSink](#metricsink) array_ | Sinks defines the metric sinks where metrics are sent to. |
 | `matches` _[Match](#match) array_ | Matches defines configuration for selecting specific metrics instead of generating all metrics stats that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats may after critical functionality. Here are the stats that we strongly recommend not disabling: `cluster_manager.warming_clusters`, `cluster.<cluster_name>.membership_total`,`cluster.<cluster_name>.membership_healthy`, `cluster.<cluster_name>.membership_degraded`，reference  https://github.com/envoyproxy/envoy/issues/9856, https://github.com/envoyproxy/envoy/issues/14610 |
+| `enableVirtualHostStats` _boolean_ | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. |
 
 
 ## ProxyTelemetry

docs/latest/user/gateway-api-metrics.md

@@ -0,0 +1,52 @@
+# Gateway API Metrics
+
+Resource metrics for Gateway API objects are available using the [Gateway API State Metrics](https://github.com/Kuadrant/gateway-api-state-metrics) project.
+The project also provides example dashboard for visualising the metrics using Grafana, and example alerts using Prometheus & Alertmanager.
+
+## Prerequisites
+
+Follow the steps from the [Quickstart Guide](quickstart.md) to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+Run the following commands to install the metrics stack, with the Gateway API State Metrics configuration, on your kubernetes cluster:
+
+```shell
+kubectl apply --server-side -f https://raw.githubusercontent.com/Kuadrant/gateway-api-state-metrics/main/config/examples/kube-prometheus/bundle_crd.yaml
+kubectl apply -f https://raw.githubusercontent.com/Kuadrant/gateway-api-state-metrics/main/config/examples/kube-prometheus/bundle.yaml
+```
+
+## Metrics and Alerts
+
+To access the Prometheus UI, wait for the statefulset to be ready, then use the port-forward command:
+
+```shell
+# This first command may fail if the statefulset has not been created yet.
+# In that case, try again until you get a message like 'Waiting for 2 pods to be ready...'
+# or 'statefulset rolling update complete 2 pods...'
+kubectl -n monitoring rollout status --watch --timeout=5m statefulset/prometheus-k8s
+kubectl -n monitoring port-forward service/prometheus-k8s 9090:9090 > /dev/null &
+```
+
+Navigate to [http://localhost:9090](http://localhost:9090).
+Metrics can be queried from the 'Graph' tab e.g. `gatewayapi_gateway_created`
+See the [Gateway API State Metrics README](https://github.com/Kuadrant/gateway-api-state-metrics/tree/main#metrics) for the full list of Gateway API metrics available.
+
+Alerts can be see in the 'Alerts' tab.
+Gateway API specific alerts will be grouped under the 'gateway-api.rules' heading.
+
+***Note:*** Alerts are defined in a PrometheusRules custom resource in the 'monitoring' namespace. You can modify the alert rules by updating this resource.
+
+## Dashboards
+
+To view the dashboards in Grafana, wait for the deployment to be ready, then use the port-forward command:
+
+```shell
+kubectl -n monitoring wait --timeout=5m deployment/grafana --for=condition=Available
+kubectl -n monitoring port-forward service/grafana 3000:3000 > /dev/null &
+```
+
+Navigate to [http://localhost:3000](http://localhost:3000) and sign in with admin/admin.
+The Gateway API State dashboards will be available in the 'Default' folder and tagged with 'gateway-api'.
+See the [Gateway API State Metrics README](https://github.com/Kuadrant/gateway-api-state-metrics/tree/main#dashboards) for further information on available dashboards.
+
+***Note:*** Dashboards are loaded from configmaps. You can modify the dashboards in the Grafana UI, however you will need to export them from the UI and update the json in the configmaps to persist changes.

docs/latest/user/grpc-routing.md

@@ -86,6 +86,8 @@ You should see the below response
 
 Envoy Gateway also supports [gRPC-Web][] requests for this configuration. The below `curl` command can be used to send a grpc-Web request with over HTTP/2. You should receive the same response seen in the previous command.
 
+The data in the body `AAAAAAA=` is a base64 encoded representation of an empty message (data length 0) that the Ping RPC accepts.
+
 ```shell
 curl --http2-prior-knowledge -s ${GATEWAY_HOST}:80/yages.Echo/Ping -H 'Host: grpc-example.com'   -H 'Content-Type: application/grpc-web-text'   -H 'Accept: application/grpc-web-text' -XPOST -d'AAAAAAA=' | base64 -d
 ```

docs/latest/user_docs.rst

@@ -30,5 +30,6 @@ Learn how to deploy, use, and operate Envoy Gateway.
   user/deployment-mode
   user/gateway-address
   user/gatewayapi-support
+  user/gateway-api-metrics
   user/proxy-observability
   user/multicluster-service

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1
 	github.com/envoyproxy/go-control-plane v0.11.1
 	github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7
-	github.com/evanphx/json-patch/v5 v5.6.0
+	github.com/evanphx/json-patch/v5 v5.7.0
 	github.com/go-logfmt/logfmt v0.6.0
 	github.com/go-logr/logr v1.2.4
 	github.com/go-logr/zapr v1.2.4
@@ -26,7 +26,7 @@ require (
 	go.opentelemetry.io/proto/otlp v1.0.0
 	go.uber.org/zap v1.25.0
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
-	google.golang.org/grpc v1.57.0
+	google.golang.org/grpc v1.58.0
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.28.1
@@ -36,12 +36,12 @@ require (
 	k8s.io/client-go v0.28.1
 	k8s.io/kubectl v0.28.1
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
-	sigs.k8s.io/controller-runtime v0.16.1
+	sigs.k8s.io/controller-runtime v0.16.2
 	sigs.k8s.io/gateway-api v0.8.0
 	sigs.k8s.io/yaml v1.3.0
 )
 
-require golang.org/x/sync v0.2.0 // indirect
+require golang.org/x/sync v0.3.0 // indirect
 
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -51,7 +51,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.0.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
@@ -96,16 +96,16 @@ require (
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/net v0.14.0 // indirect
-	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/oauth2 v0.10.0 // indirect
 	golang.org/x/sys v0.11.0 // indirect
 	golang.org/x/term v0.11.0 // indirect
 	golang.org/x/text v0.12.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
+	google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/component-base v0.28.1 // indirect