Merge branch 'main' into image-pull-secrets
zirain authored Dec 27, 2023
2 parents 6f9ad3b + 1a77c4f commit 6863f4d
Showing 31 changed files with 1,318 additions and 47 deletions.
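--- a/.github/workflows/command.yaml
+++ b/.github/workflows/command.yaml
@@ -0,0 +1,41 @@
+name: Return Action on PR Comment
+
+on:
+issue_comment:
+types: [created]
+
+permissions:
+contents: read
+
+jobs:
+command:
+if: |
+${{
+github.event.issue.pull_request
+&& github.repository == 'envoyproxy/gateway'
+&& github.actor != 'repokitteh-read-only[bot]'
+&& github.actor != 'dependabot[bot]'
+}}
+name: Retest
+runs-on: ubuntu-22.04
+permissions:
+pull-requests: write
+actions: write
+steps:
+- uses: envoyproxy/toolshed/gh-actions/github/[email protected]
+name: Parse command from comment
+id: command
+with:
+text: ${{ github.event.comment.body }}
+matching: >-
+^/(retest)
+# retest
+- uses: envoyproxy/toolshed/gh-actions/[email protected]
+if: ${{ steps.command.outputs.command == 'retest' }}
+with:
+token: ${{ secrets.GITHUB_TOKEN }}
+comment-id: ${{ github.event.comment.id }}
+pr-url: ${{ github.event.issue.pull_request.url }}
+app-owner: "github-actions"
+args: ${{ steps.command.outputs.args }}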
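Review bot: The job's `if:` condition (lines 28-34) gates on the repository and excludes two bot actors, but it never checks who wrote the comment, so any account able to comment on a PR can issue `/retest` and drive a job that holds `actions: write` and `pull-requests: write`. Unless the toolshed actions enforce authorization themselves (not visible here), add an author-association check to the condition, e.g. `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. The two `uses:` references are rendered as `[email protected]` on this page, so the pinned version cannot be read; pinning third-party actions to a full commit SHA rather than a tag is the usual supply-chain hardening for a workflow that runs with write permissions.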
4 changes: 2 additions & 2 deletions .github/workflows/docs.yaml
Expand Up @@ -56,7 +56,7 @@ jobs:

# Upload docs for GitHub Pages
- name: Upload GitHub Pages artifact
uses: actions/upload-pages-artifact@v2.0.0
uses: actions/upload-pages-artifact@v3.0.0
with:
# Path of the directory containing the static assets.
path: site/public
Expand All @@ -83,4 +83,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v3.0.1
uses: actions/deploy-pages@v4.0.2
27 changes: 0 additions & 27 deletions .github/workflows/retest.yaml

This file was deleted.

11 changes: 11 additions & 0 deletions api/v1alpha1/clienttrafficpolicy_types.go
Expand Up @@ -34,6 +34,7 @@ type ClientTrafficPolicy struct {
Status ClientTrafficPolicyStatus `json:"status,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="has(self.http3) && has(self.tls) && has(self.tls.alpnProtocols) ? self.tls.alpnProtocols.size() == 0 : true",message="alpn protocols can't be set if HTTP/3 is enabled"
// ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy.
type ClientTrafficPolicySpec struct {
// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
Expand All @@ -52,6 +53,12 @@ type ClientTrafficPolicySpec struct {
//
// +optional
TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty"`
// SuppressEnvoyHeaders configures the Envoy Router filter to suppress the "x-envoy-'
// headers from both requests and responses.
// By default these headers are added to both requests and responses.
//
// +optional
SuppressEnvoyHeaders *bool `json:"suppressEnvoyHeaders,omitempty"`
// EnableProxyProtocol interprets the ProxyProtocol header and adds the
// Client Address into the X-Forwarded-For header.
// Note Proxy Protocol must be present when this field is set, else the connection
Expand All @@ -63,6 +70,10 @@ type ClientTrafficPolicySpec struct {
//
// +optional
HTTP3 *HTTP3Settings `json:"http3,omitempty"`
// TLS settings configure TLS termination settings with the downstream client.
//
// +optional
TLS *TLSSettings `json:"tls,omitempty"`
}

// HTTP3Settings provides HTTP/3 configuration on the listener.
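Review bot: The `SuppressEnvoyHeaders` doc comment (line 92) has a mismatched quote, `"x-envoy-'`, and that text is copied verbatim into the generated CRD description; it should read `// headers from both requests and responses.` preceded by `the "x-envoy-" headers`. The validation marker on line 84 sits above the type's one-sentence doc on line 85; keeping the prose first and markers after it matches the style of the other markers in this file. `ClientTrafficPolicySpec` begins before the first hunk and the struct continues past the last one.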
8 changes: 8 additions & 0 deletions api/v1alpha1/shared_types.go
Expand Up @@ -117,6 +117,14 @@ type KubernetesPodSpec struct {
// HostNetwork, If this is set to true, the pod will use host's network namespace.
// +optional
HostNetwork bool `json:"hostNetwork,omitempty"`

// ImagePullSecrets is an optional list of references to secrets
// in the same namespace to use for pulling any of the images used by this PodSpec.
// If specified, these secrets will be passed to individual puller implementations for them to use.
// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
//
// +optional
ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
}

// KubernetesContainerSpec defines the desired state of the Kubernetes container resource.
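Review bot: The `ImagePullSecrets` doc (lines 120-123) reuses the upstream Kubernetes wording "in the same namespace", which is ambiguous for an operator-rendered PodSpec: a reader of this API cannot tell whether that means the namespace of the rendered Envoy pod or that of the resource carrying this spec. State it explicitly once confirmed against the rendering code (not visible here), e.g. `// The secrets must exist in the namespace where the Envoy proxy pod is deployed.`. The field type `corev1.LocalObjectReference` depends on an import of `k8s.io/api/core/v1` outside this hunk, and `KubernetesPodSpec` starts before the hunk.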
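--- a/api/v1alpha1/tls_types.go
+++ b/api/v1alpha1/tls_types.go
@@ -0,0 +1,99 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && self.minVersion == 'v1_3' ? !has(self.ciphers) : true", message="setting ciphers has no effect if the minimum possible TLS version is 1.3"
+// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && has(self.maxVersion) ? {\"Auto\":0,\"v1_1\":1,\"v1_2\":2,\"v1_3\":3}[self.minVersion] <= {\"v1_1\":1,\"v1_2\":2,\"v1_3\":3,\"Auto\":4}[self.maxVersion] : !has(self.minVersion) && has(self.maxVersion) ? 2 <= {\"v1_1\":1,\"v1_2\":2,\"v1_3\":3,\"Auto\":4}[self.maxVersion] : true", message="minVersion must be smaller or equal to maxVersion"
+type TLSSettings struct {
+
+// Min specifies the minimal TLS protocol version to allow.
+//
+// The default is TLS 1.2 if this is not specified.
+// +optional
+MinVersion *TLSVersion `json:"minVersion,omitempty"`
+
+// Max specifies the maximal TLS protocol version to allow
+//
+// The default is TLS 1.3 if this is not specified.
+// +optional
+MaxVersion *TLSVersion `json:"maxVersion,omitempty"`
+
+// Ciphers specifies the set of cipher suites supported when
+// negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+//
+// In non-FIPS Envoy Proxy builds the default cipher list is:
+// - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+// - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+// - ECDHE-ECDSA-AES256-GCM-SHA384
+// - ECDHE-RSA-AES256-GCM-SHA384
+//
+// In builds using BoringSSL FIPS the default cipher list is:
+// - ECDHE-ECDSA-AES128-GCM-SHA256
+// - ECDHE-RSA-AES128-GCM-SHA256
+// - ECDHE-ECDSA-AES256-GCM-SHA384
+// - ECDHE-RSA-AES256-GCM-SHA384
+//
+// +optional
+Ciphers []string `json:"ciphers,omitempty"`
+
+// ECDHCurves specifies the set of supported ECDH curves.
+// In non-FIPS Envoy Proxy builds the default curves are:
+// - X25519
+// - P-256
+//
+// In builds using BoringSSL FIPS the default curve is:
+// - P-256
+//
+// +optional
+ECDHCurves []string `json:"ecdhCurves,omitempty"`
+
+// SignatureAlgorithms specifies which signature algorithms the listener should
+// support.
+//
+// +optional
+SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty"`
+
+// ALPNProtocols supplies the list of ALPN protocols that should be
+// exposed by the listener. By default http/2 and http/1.1 are enabled.
+//
+// Supported values are:
+// - http/1.0
+// - http/1.1
+// - http/2
+//
+// +optional
+ALPNProtocols []ALPNProtocol `json:"alpnProtocols,omitempty"`
+}
+
+// ALPNProtocol specifies the protocol to be negotiated using ALPN
+// +kubebuilder:validation:Enum=http/1.0;http/1.1;http/2
+type ALPNProtocol string
+
+const (
+// HTTPProtocolVersion1_0 specifies that HTTP/1.0 should be negotiable with ALPN
+HTTPProtocolVersion1_0 ALPNProtocol = "http/1.0"
+// HTTPProtocolVersion1_1 specifies that HTTP/1.1 should be negotiable with ALPN
+HTTPProtocolVersion1_1 ALPNProtocol = "http/1.1"
+// HTTPProtocolVersion2 specifies that HTTP/2 should be negotiable with ALPN
+HTTPProtocolVersion2 ALPNProtocol = "http/2"
+)
+
+// TLSVersion specifies the TLS version
+// +kubebuilder:validation:Enum=Auto;v1_0;v1_1;v1_2;v1_3
+type TLSVersion string
+
+const (
+// TLSAuto allows Envoy to choose the optimal TLS Version
+TLSAuto TLSVersion = "Auto"
+// TLSv1_0 specifies TLS version 1.0
+TLSv10 TLSVersion = "v1_0"
+// TLSv1_1 specifies TLS version 1.1
+TLSv11 TLSVersion = "v1_1"
+// TLSv1.2 specifies TLS version 1.2
+TLSv12 TLSVersion = "v1_2"
+// TLSv1.3 specifies TLS version 1.3
+TLSv13 TLSVersion = "v1_3"
+)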
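Review bot: The `TLSVersion` enum marker (line 218) admits `v1_0` and the `TLSv10` constant (line 225) produces it, but neither lookup map in the minVersion/maxVersion CEL rule (line 142) has a `v1_0` key, so an object that sets either field to `v1_0` indexes a missing map key and the rule evaluates to an error instead of the intended ordering check. Either drop `v1_0` from the enum (the rule's default branch already assumes a TLS 1.2 minimum, and the `Ciphers` doc only speaks of 1.0-1.2 negotiation) or extend both maps consistently, e.g. min map `{"Auto":0,"v1_0":1,"v1_1":2,"v1_2":3,"v1_3":4}` and max map `{"v1_0":1,"v1_1":2,"v1_2":3,"v1_3":4,"Auto":5}`, and change the default-minimum constant in the else branch from `2` to `3` so it still denotes TLS 1.2. Separately, the doc comments on lines 224-231 (`// TLSv1_0 ...`, `// TLSv1.2 ...`) do not begin with the identifiers `TLSv10`…`TLSv13` they document, which Go doc convention expects. `Ciphers`, `ECDHCurves` and `SignatureAlgorithms` are free-form strings with no `MinItems` or pattern marker, so a misspelled cipher or curve name is presumably only caught when the resulting Envoy config is rejected; if stricter admission-time validation is not wanted, that is worth a sentence in the field docs.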
60 changes: 60 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


