Merge branch 'main' into rui.zou/fix-helm-docs

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
+      uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea  # v3.24.5
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
+      uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea  # v3.24.5
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
+      uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea  # v3.24.5
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0  # v3.24.3
+      uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea  # v3.24.5
       with:
         sarif_file: results.sarif

LOGO.md

@@ -0,0 +1,66 @@
+# Creative Brief - [Envoy Gateway]
+
+## Purpose /  Background
+
+Envoy Gateway is an open-source initiative designed to streamline the deployment and management of Envoy Proxy as an API gateway. It offers a simple, expressive API that integrates seamlessly with Kubernetes, providing a user-friendly interface with sensible defaults and powerful customization options. The project aims to make application accessibility a trivial task for developers and simplify management for infrastructure administrators.
+
+## Target Date
+
+2024.03.01
+
+## Target Audience
+
+- Application Developers
+- Kubernetes Operators
+- Infrastructure Administrators
+- Open Source Community
+
+## Primary Stakeholders
+
+- Envoy Gateway Core Team
+- Commercial API Gateway Vendors
+- End Users (Businesses/Developers)
+
+## Perception
+
+Envoy Gateway is perceived as an intuitive, powerful, and flexible solution that democratizes access to advanced API gateway capabilities. The logo should reflect the project's ease of use, adaptability, and the robust foundation it provides for both simple and complex use cases.
+
+## Magnetic Idea
+
+The logo should convey the concept of "powerful simplicity" and "connectivity for all," highlighting the project's commitment to making advanced technology accessible to a broader audience.
+
+## Terminology Associated with this Brand Includes
+
+- Expressive API
+- Kubernetes-Native
+- Extensibility
+- Batteries Included(EnvoyProxy)
+- All Environments
+- Simplified Management
+- Kubernetes Gateway API
+
+## Competition:  (Please list any competitors and/or potential members whose branding we should be aware of) 
+
+- Gloo Edge
+- Traefik
+- NGINX Ingress Controller
+- Kong
+
+## Design Suggestions  
+
+The logo should be a variation of the Envoy Proxy logo also shares the same color palette. embody the project's core values of simplicity, power, and flexibility. A modern, clean design with elements that suggest connectivity, integration, and extension would be ideal. The use of familiar shapes or symbols that resonate with the target audience, such as abstract representations of gateways, bridges, or nodes, could be effective.
+
+## Creative Considerations & Distribution
+
+The logo must be versatile, scalable, and adaptable to various media, maintaining its integrity in both color and monochrome. It should be easily identifiable at different sizes, from large banners to small icons, and compatible with digital, print, and merchandise applications.
+
+## Primary Deliverables
+
+- Print-Ready Logo Artwork Files: SVG
+- Screen-Optimized Logo Artwork Files: PNG
+
+## Additional Deliverables
+
+- Logo Usage Guidelines: PDF
+- PowerPoint Template: PPTX
+- Any Font Licenses and Files Needed

api/v1alpha1/backendtrafficpolicy_types.go

@@ -16,7 +16,7 @@ const (
 )
 
 // +kubebuilder:object:root=true
-// +kubebuilder:resource:shortName=btp
+// +kubebuilder:resource:categories=envoy-gateway,shortName=btp
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].reason`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`

api/v1alpha1/clienttrafficpolicy_types.go

@@ -16,7 +16,7 @@ const (
 )
 
 // +kubebuilder:object:root=true
-// +kubebuilder:resource:shortName=ctp
+// +kubebuilder:resource:categories=envoy-gateway,shortName=ctp
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].reason`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`

api/v1alpha1/envoygateway_helpers.go

@@ -104,12 +104,12 @@ func DefaultEnvoyGatewayLogging() *EnvoyGatewayLogging {
 // GetEnvoyGatewayTelemetry returns the EnvoyGatewayTelemetry of EnvoyGateway or a default EnvoyGatewayTelemetry if unspecified.
 func (e *EnvoyGateway) GetEnvoyGatewayTelemetry() *EnvoyGatewayTelemetry {
 	if e.Telemetry != nil {
-		if e.Telemetry.Metrics.Prometheus == nil {
-			e.Telemetry.Metrics.Prometheus = DefaultEnvoyGatewayPrometheus()
-		}
 		if e.Telemetry.Metrics == nil {
 			e.Telemetry.Metrics = DefaultEnvoyGatewayMetrics()
 		}
+		if e.Telemetry.Metrics.Prometheus == nil {
+			e.Telemetry.Metrics.Prometheus = DefaultEnvoyGatewayPrometheus()
+		}
 		return e.Telemetry
 	}
 	e.Telemetry = DefaultEnvoyGatewayTelemetry()

api/v1alpha1/envoypatchpolicy_types.go

@@ -17,7 +17,7 @@ const (
 )
 
 // +kubebuilder:object:root=true
-// +kubebuilder:resource:shortName=epp
+// +kubebuilder:resource:categories=envoy-gateway,shortName=epp
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Programmed")].reason`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`

api/v1alpha1/envoyproxy_helpers.go

@@ -12,6 +12,7 @@ import (
 
 	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/utils/ptr"
 )
 
@@ -120,3 +121,13 @@ func (logging *ProxyLogging) GetEnvoyProxyComponentLevel() string {
 
 	return strings.Join(args, ",")
 }
+
+// DefaultShutdownManagerContainerResourceRequirements returns a new ResourceRequirements with default settings.
+func DefaultShutdownManagerContainerResourceRequirements() *v1.ResourceRequirements {
+	return &v1.ResourceRequirements{
+		Requests: v1.ResourceList{
+			v1.ResourceCPU:    resource.MustParse(DefaultShutdownManagerCPUResourceRequests),
+			v1.ResourceMemory: resource.MustParse(DefaultShutdownManagerMemoryResourceRequests),
+		},
+	}
+}

api/v1alpha1/envoyproxy_types.go

@@ -15,7 +15,7 @@ const (
 )
 
 // +kubebuilder:object:root=true
-// +kubebuilder:resource:shortName=eproxy
+// +kubebuilder:resource:categories=envoy-gateway,shortName=eproxy
 // +kubebuilder:subresource:status
 
 // EnvoyProxy is the schema for the envoyproxies API.
@@ -81,6 +81,11 @@ type EnvoyProxySpec struct {
 	//
 	// +optional
 	MergeGateways *bool `json:"mergeGateways,omitempty"`
+
+	// Shutdown defines configuration for graceful envoy shutdown process.
+	//
+	// +optional
+	Shutdown *ShutdownConfig `json:"shutdown,omitempty"`
 }
 
 type ProxyTelemetry struct {
@@ -115,6 +120,20 @@ type EnvoyProxyProvider struct {
 	Kubernetes *EnvoyProxyKubernetesProvider `json:"kubernetes,omitempty"`
 }
 
+// ShutdownConfig defines configuration for graceful envoy shutdown process.
+type ShutdownConfig struct {
+	// DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
+	// If unspecified, defaults to 600 seconds.
+	//
+	// +optional
+	DrainTimeout *metav1.Duration `json:"drainTimeout,omitempty"`
+	// MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
+	// If unspecified, defaults to 5 seconds.
+	//
+	// +optional
+	MinDrainDuration *metav1.Duration `json:"minDrainDuration,omitempty"`
+}
+
 // EnvoyProxyKubernetesProvider defines configuration for the Kubernetes resource
 // provider.
 type EnvoyProxyKubernetesProvider struct {

api/v1alpha1/jwt_types.go

@@ -19,6 +19,7 @@ type JWT struct {
 }
 
 // JWTProvider defines how a JSON Web Token (JWT) can be verified.
+// +kubebuilder:validation:XValidation:rule="(has(self.recomputeRoute) && self.recomputeRoute) ? size(self.claimToHeaders) > 0 : true", message="claimToHeaders must be specified if recomputeRoute is enabled"
 type JWTProvider struct {
 	// Name defines a unique name for the JWT provider. A name can have a variety of forms,
 	// including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
@@ -52,8 +53,17 @@ type JWTProvider struct {
 	// For examples, following config:
 	// The claim must be of type; string, int, double, bool. Array type claims are not supported
 	//
+	// +optional
 	ClaimToHeaders []ClaimToHeader `json:"claimToHeaders,omitempty"`
 
+	// RecomputeRoute clears the route cache and recalculates the routing decision.
+	// This field must be enabled if the headers generated from the claim are used for
+	// route matching decisions. If the recomputation selects a new route, features targeting
+	// the new matched route will be applied.
+	//
+	// +optional
+	RecomputeRoute *bool `json:"recomputeRoute,omitempty"`
+
 	// ExtractFrom defines different ways to extract the JWT token from HTTP request.
 	// If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
 	// or access_token from query parameters.

api/v1alpha1/kubernetes_helpers.go

@@ -6,9 +6,14 @@
 package v1alpha1
 
 import (
+	"encoding/json"
+	"fmt"
+
+	jsonpatch "github.com/evanphx/json-patch"
 	appv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"k8s.io/utils/ptr"
 )
 
@@ -121,3 +126,39 @@ func (hpa *KubernetesHorizontalPodAutoscalerSpec) setDefault() {
 		hpa.Metrics = DefaultEnvoyProxyHpaMetrics()
 	}
 }
+
+// ApplyMergePatch applies a merge patch to a deployment based on the merge type
+func (deployment *KubernetesDeploymentSpec) ApplyMergePatch(old *appv1.Deployment) (*appv1.Deployment, error) {
+	if deployment.Patch == nil {
+		return old, nil
+	}
+
+	var patchedJSON []byte
+	var err error
+
+	// Serialize the current deployment to JSON
+	originalJSON, err := json.Marshal(old)
+	if err != nil {
+		return nil, fmt.Errorf("error marshaling original deployment: %w", err)
+	}
+
+	switch {
+	case deployment.Patch.Type == nil || *deployment.Patch.Type == StrategicMerge:
+		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, deployment.Patch.Value.Raw, appv1.Deployment{})
+	case *deployment.Patch.Type == JSONMerge:
+		patchedJSON, err = jsonpatch.MergePatch(originalJSON, deployment.Patch.Value.Raw)
+	default:
+		return nil, fmt.Errorf("unsupported merge type: %s", *deployment.Patch.Type)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error applying merge patch: %w", err)
+	}
+
+	// Deserialize the patched JSON into a new deployment object
+	var patchedDeployment appv1.Deployment
+	if err := json.Unmarshal(patchedJSON, &patchedDeployment); err != nil {
+		return nil, fmt.Errorf("error unmarshaling patched deployment: %w", err)
+	}
+
+	return &patchedDeployment, nil
+}

api/v1alpha1/securitypolicy_types.go

@@ -16,7 +16,7 @@ const (
 )
 
 // +kubebuilder:object:root=true
-// +kubebuilder:resource:shortName=sp
+// +kubebuilder:resource:categories=envoy-gateway,shortName=sp
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].reason`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`

api/v1alpha1/shared_types.go

@@ -9,6 +9,7 @@ import (
 	appv1 "k8s.io/api/apps/v1"
 	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )
 
 const (
@@ -20,6 +21,12 @@ const (
 	DefaultDeploymentMemoryResourceRequests = "512Mi"
 	// DefaultEnvoyProxyImage is the default image used by envoyproxy
 	DefaultEnvoyProxyImage = "envoyproxy/envoy:distroless-dev"
+	// DefaultShutdownManagerCPUResourceRequests for shutdown manager cpu resource
+	DefaultShutdownManagerCPUResourceRequests = "10m"
+	// DefaultShutdownManagerMemoryResourceRequests for shutdown manager memory resource
+	DefaultShutdownManagerMemoryResourceRequests = "32Mi"
+	// DefaultShutdownManagerImage is the default image used for the shutdown manager.
+	DefaultShutdownManagerImage = "envoyproxy/gateway-dev:latest"
 	// DefaultRateLimitImage is the default image used by ratelimit.
 	DefaultRateLimitImage = "envoyproxy/ratelimit:master"
 	// HTTPProtocol is the common-used http protocol.
@@ -52,6 +59,11 @@ const (
 
 // KubernetesDeploymentSpec defines the desired state of the Kubernetes deployment resource.
 type KubernetesDeploymentSpec struct {
+	// Patch defines how to perform the patch operation to deployment
+	//
+	// +optional
+	Patch *KubernetesPatchSpec `json:"patch,omitempty"`
+
 	// Replicas is the number of desired pods. Defaults to 1.
 	//
 	// +optional
@@ -370,3 +382,25 @@ type KubernetesHorizontalPodAutoscalerSpec struct {
 // +kubebuilder:validation:Maximum=600
 // +kubebuilder:validation:ExclusiveMaximum=true
 type HTTPStatus int
+
+// MergeType defines the type of merge operation
+type MergeType string
+
+const (
+	// StrategicMerge indicates a strategic merge patch type
+	StrategicMerge MergeType = "StrategicMerge"
+	// JSONMerge indicates a JSON merge patch type
+	JSONMerge MergeType = "JSONMerge"
+)
+
+// KubernetesPatchSpec defines how to perform the patch operation
+type KubernetesPatchSpec struct {
+	// Type is the type of merge operation to perform
+	//
+	// By default, StrategicMerge is used as the patch type.
+	// +optional
+	Type *MergeType `json:"type,omitempty"`
+
+	// Object contains the raw configuration for merged object
+	Value apiextensionsv1.JSON `json:"value"`
+}

api/v1alpha1/validation/envoyproxy_validate.go

@@ -73,6 +73,10 @@ func validateProvider(spec *egv1a1.EnvoyProxySpec) []error {
 		if spec.Provider.Type != egv1a1.ProviderTypeKubernetes {
 			errs = append(errs, fmt.Errorf("unsupported provider type %v", spec.Provider.Type))
 		}
+		validateDeploymentErrs := validateDeployment(spec)
+		if len(validateDeploymentErrs) != 0 {
+			errs = append(errs, validateDeploymentErrs...)
+		}
 		validateServiceErrs := validateService(spec)
 		if len(validateServiceErrs) != 0 {
 			errs = append(errs, validateServiceErrs...)
@@ -81,6 +85,21 @@ func validateProvider(spec *egv1a1.EnvoyProxySpec) []error {
 	return errs
 }
 
+func validateDeployment(spec *egv1a1.EnvoyProxySpec) []error {
+	var errs []error
+	if spec.Provider.Kubernetes != nil && spec.Provider.Kubernetes.EnvoyDeployment != nil {
+		if patch := spec.Provider.Kubernetes.EnvoyDeployment.Patch; patch != nil {
+			if patch.Value.Raw == nil {
+				errs = append(errs, fmt.Errorf("envoy deployment patch object cannot be empty"))
+			}
+			if patch.Type != nil && *patch.Type != egv1a1.JSONMerge && *patch.Type != egv1a1.StrategicMerge {
+				errs = append(errs, fmt.Errorf("unsupported envoy deployment patch type %s", *patch.Type))
+			}
+		}
+	}
+	return errs
+}
+
 // TODO: remove this function if CEL validation became stable
 func validateService(spec *egv1a1.EnvoyProxySpec) []error {
 	var errs []error