resolve conflicts
Signed-off-by: Shahar Harari <[email protected]>
shahar-h committed Dec 28, 2023
2 parents 298a957 + ae350be commit 748488a
Showing 60 changed files with 2,027 additions and 157 deletions.
16 changes: 15 additions & 1 deletion .github/workflows/retest.yaml → .github/workflows/command.yaml
Expand Up @@ -8,7 +8,7 @@ permissions:
contents: read

jobs:
retest:
command:
if: |
${{
github.event.issue.pull_request
Expand All @@ -22,6 +22,20 @@ jobs:
pull-requests: write
actions: write
steps:
- uses: envoyproxy/toolshed/gh-actions/github/[email protected]
name: Parse command from comment
id: command
with:
text: ${{ github.event.comment.body }}
matching: >-
^/(retest)
# retest
- uses: envoyproxy/toolshed/gh-actions/[email protected]
if: ${{ steps.command.outputs.command == 'retest' }}
with:
token: ${{ secrets.GITHUB_TOKEN }}
comment-id: ${{ github.event.comment.id }}
pr-url: ${{ github.event.issue.pull_request.url }}
app-owner: "github-actions"
args: ${{ steps.command.outputs.args }}
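Review bot: Both toolshed actions in the new steps block (`envoyproxy/toolshed/gh-actions/github/[email protected]` and `envoyproxy/toolshed/gh-actions/[email protected]`) are pinned by mutable tag, yet this job carries `pull-requests: write` and `actions: write` and is driven by comment text (`github.event.comment.body`), so a moved tag in that third-party repository would run arbitrary code with those permissions; pin each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `- uses: envoyproxy/toolshed/gh-actions/github/command@<40-char sha> # v0.0.24`. The `if:` guard at the top of this file section is truncated in this view, so it is not visible whether the commenter's `author_association` is checked before `/retest` is honoured; if it is not, any GitHub account can trigger re-runs on a PR. `args` is derived from the comment body and handed to the retest action as an input, which is acceptable only as long as that action never interpolates it into a shell `run` step — something this hunk cannot confirm. The workflow's trigger and top-level `permissions:` block lie above the first hunk.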
4 changes: 2 additions & 2 deletions .github/workflows/docs.yaml
Expand Up @@ -56,7 +56,7 @@ jobs:

# Upload docs for GitHub Pages
- name: Upload GitHub Pages artifact
uses: actions/upload-pages-artifact@v2.0.0
uses: actions/upload-pages-artifact@v3.0.0
with:
# Path of the directory containing the static assets.
path: site/public
Expand All @@ -83,4 +83,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v3.0.1
uses: actions/deploy-pages@v4.0.2
11 changes: 11 additions & 0 deletions api/v1alpha1/clienttrafficpolicy_types.go
Expand Up @@ -34,6 +34,7 @@ type ClientTrafficPolicy struct {
Status ClientTrafficPolicyStatus `json:"status,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="has(self.http3) && has(self.tls) && has(self.tls.alpnProtocols) ? self.tls.alpnProtocols.size() == 0 : true",message="alpn protocols can't be set if HTTP/3 is enabled"
// ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy.
type ClientTrafficPolicySpec struct {
// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
Expand All @@ -52,6 +53,12 @@ type ClientTrafficPolicySpec struct {
//
// +optional
TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty"`
// SuppressEnvoyHeaders configures the Envoy Router filter to suppress the "x-envoy-'
// headers from both requests and responses.
// By default these headers are added to both requests and responses.
//
// +optional
SuppressEnvoyHeaders *bool `json:"suppressEnvoyHeaders,omitempty"`
// EnableProxyProtocol interprets the ProxyProtocol header and adds the
// Client Address into the X-Forwarded-For header.
// Note Proxy Protocol must be present when this field is set, else the connection
Expand All @@ -63,6 +70,10 @@ type ClientTrafficPolicySpec struct {
//
// +optional
HTTP3 *HTTP3Settings `json:"http3,omitempty"`
// TLS settings configure TLS termination settings with the downstream client.
//
// +optional
TLS *TLSSettings `json:"tls,omitempty"`
}

// HTTP3Settings provides HTTP/3 configuration on the listener.
Expand Down
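Review bot: The doc comment on the new `SuppressEnvoyHeaders` field has a stray quote — `"x-envoy-'` should read `"x-envoy-"` — and it does not state what an unset pointer means, which matters because these proxy-internal headers are emitted to clients unless the field is set; suggest `// By default (nil or false) these headers are added to both requests and responses; set to true to strip them.` The accompanying `TLS` field comment says only that it configures termination with the downstream client; a one-line pointer to the defaults applied when it is unset (TLS 1.2 minimum, per the `TLSSettings` doc added in this commit) would help readers who do not open that type. The `ClientTrafficPolicySpec` struct begins above the first hunk.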
6 changes: 3 additions & 3 deletions api/v1alpha1/envoygateway_types.go
Expand Up @@ -214,19 +214,19 @@ type KubernetesWatchMode struct {
// KubernetesWatchModeTypeNamespaceSelectors are currently supported
// By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
// from all namespaces.
Type KubernetesWatchModeType
Type KubernetesWatchModeType `json:"type,omitempty"`

// Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
// resources such as Gateway, HTTPRoute and Service.
// Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
// GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelectors must be set
Namespaces []string
Namespaces []string `json:"namespaces,omitempty"`

// NamespaceSelectors holds a list of labels that namespaces have to have in order to be watched.
// Note this doesn't set the informer to watch the namespaces with the given labels. Informer still
// watches all namespaces. But the events for objects whois namespce have no given labels
// will be filtered out. Precisely one of Namespaces and NamespaceSelectors must be set
NamespaceSelectors []string `json:"namespaces,omitempty"`
NamespaceSelectors []string `json:"namespaceSelectors,omitempty"`
}

// KubernetesDeployMode holds configuration for how to deploy managed resources such as the Envoy Proxy
Expand Down
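Review bot: The corrected `json:"namespaceSelectors,omitempty"` tag removes the duplicate `namespaces` key, but the doc comment directly above the retagged field still describes `NamespaceSelectors` as a "list of labels" while the type is `[]string`, so the accepted entry syntax (bare key, `key=value`, or a selector expression) is not stated and cannot be determined from this hunk; suggest a line such as `// Each entry is a label ... (TODO(review): confirm exact syntax against the event filter)`. The same comment has the typo `whois namespce` → `whose namespace`. Because the comment itself notes that the informer still watches all namespaces and only filters events, it would be worth stating explicitly that this setting narrows reconciliation scope but is not an access-control boundary, and that the controller's RBAC must be restricted separately. The `KubernetesWatchMode` struct begins above the hunk.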
7 changes: 7 additions & 0 deletions api/v1alpha1/shared_types.go
Expand Up @@ -126,6 +126,13 @@ type KubernetesPodSpec struct {
// +optional
ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`

// NodeSelector is a selector which must be true for the pod to fit on a node.
// Selector which must match a node's labels for the pod to be scheduled on that node.
// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
//
// +optional
NodeSelector map[string]string `json:"nodeSelector,omitempty"`

// TopologySpreadConstraints describes how a group of pods ought to spread across topology
// domains. Scheduler will schedule pods in a way which abides by the constraints.
// All topologySpreadConstraints are ANDed.
Expand Down
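--- /dev/null
+++ b/api/v1alpha1/tls_types.go
@@ -0,0 +1,99 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && self.minVersion == 'v1_3' ? !has(self.ciphers) : true", message="setting ciphers has no effect if the minimum possible TLS version is 1.3"
+// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && has(self.maxVersion) ? {\"Auto\":0,\"v1_1\":1,\"v1_2\":2,\"v1_3\":3}[self.minVersion] <= {\"v1_1\":1,\"v1_2\":2,\"v1_3\":3,\"Auto\":4}[self.maxVersion] : !has(self.minVersion) && has(self.maxVersion) ? 2 <= {\"v1_1\":1,\"v1_2\":2,\"v1_3\":3,\"Auto\":4}[self.maxVersion] : true", message="minVersion must be smaller or equal to maxVersion"
+type TLSSettings struct {
+
+// Min specifies the minimal TLS protocol version to allow.
+//
+// The default is TLS 1.2 if this is not specified.
+// +optional
+MinVersion *TLSVersion `json:"minVersion,omitempty"`
+
+// Max specifies the maximal TLS protocol version to allow
+//
+// The default is TLS 1.3 if this is not specified.
+// +optional
+MaxVersion *TLSVersion `json:"maxVersion,omitempty"`
+
+// Ciphers specifies the set of cipher suites supported when
+// negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+//
+// In non-FIPS Envoy Proxy builds the default cipher list is:
+// - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+// - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+// - ECDHE-ECDSA-AES256-GCM-SHA384
+// - ECDHE-RSA-AES256-GCM-SHA384
+//
+// In builds using BoringSSL FIPS the default cipher list is:
+// - ECDHE-ECDSA-AES128-GCM-SHA256
+// - ECDHE-RSA-AES128-GCM-SHA256
+// - ECDHE-ECDSA-AES256-GCM-SHA384
+// - ECDHE-RSA-AES256-GCM-SHA384
+//
+// +optional
+Ciphers []string `json:"ciphers,omitempty"`
+
+// ECDHCurves specifies the set of supported ECDH curves.
+// In non-FIPS Envoy Proxy builds the default curves are:
+// - X25519
+// - P-256
+//
+// In builds using BoringSSL FIPS the default curve is:
+// - P-256
+//
+// +optional
+ECDHCurves []string `json:"ecdhCurves,omitempty"`
+
+// SignatureAlgorithms specifies which signature algorithms the listener should
+// support.
+//
+// +optional
+SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty"`
+
+// ALPNProtocols supplies the list of ALPN protocols that should be
+// exposed by the listener. By default http/2 and http/1.1 are enabled.
+//
+// Supported values are:
+// - http/1.0
+// - http/1.1
+// - http/2
+//
+// +optional
+ALPNProtocols []ALPNProtocol `json:"alpnProtocols,omitempty"`
+}
+
+// ALPNProtocol specifies the protocol to be negotiated using ALPN
+// +kubebuilder:validation:Enum=http/1.0;http/1.1;http/2
+type ALPNProtocol string
+
+const (
+// HTTPProtocolVersion1_0 specifies that HTTP/1.0 should be negotiable with ALPN
+HTTPProtocolVersion1_0 ALPNProtocol = "http/1.0"
+// HTTPProtocolVersion1_1 specifies that HTTP/1.1 should be negotiable with ALPN
+HTTPProtocolVersion1_1 ALPNProtocol = "http/1.1"
+// HTTPProtocolVersion2 specifies that HTTP/2 should be negotiable with ALPN
+HTTPProtocolVersion2 ALPNProtocol = "http/2"
+)
+
+// TLSVersion specifies the TLS version
+// +kubebuilder:validation:Enum=Auto;v1_0;v1_1;v1_2;v1_3
+type TLSVersion string
+
+const (
+// TLSAuto allows Envoy to choose the optimal TLS Version
+TLSAuto TLSVersion = "Auto"
+// TLSv1_0 specifies TLS version 1.0
+TLSv10 TLSVersion = "v1_0"
+// TLSv1_1 specifies TLS version 1.1
+TLSv11 TLSVersion = "v1_1"
+// TLSv1.2 specifies TLS version 1.2
+TLSv12 TLSVersion = "v1_2"
+// TLSv1.3 specifies TLS version 1.3
+TLSv13 TLSVersion = "v1_3"
+)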
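Review bot: The `TLSVersion` enum admits `v1_0` (`+kubebuilder:validation:Enum=Auto;v1_0;v1_1;v1_2;v1_3` plus the `TLSv10` constant), but both CEL maps in the second XValidation rule on `TLSSettings` omit that key, so `minVersion: v1_0` or `maxVersion: v1_0` together with the other bound is expected to fail with a CEL "no such key" evaluation error rather than the intended message, while `minVersion: v1_0` on its own is accepted and silently re-enables a protocol version deprecated by RFC 8996. Either drop it from the enum and the constant block — `// +kubebuilder:validation:Enum=Auto;v1_1;v1_2;v1_3` — or add `\"v1_0\"` to both maps and state in the `MinVersion` doc that values below `v1_2` are insecure and exist only for legacy clients. `Ciphers`, `ECDHCurves` and `SignatureAlgorithms` are unvalidated `[]string`, so a typo is presumably caught only when Envoy rejects the listener configuration; a `// +kubebuilder:validation:MinItems=1` marker and a note that entries are passed to Envoy verbatim would help operators. As a point of style, the `MinVersion`/`MaxVersion` doc comments begin with `Min`/`Max`, and the constant comments say `TLSv1_0`/`TLSv1.2` while the identifiers are `TLSv10`/`TLSv12`; Go doc comments should begin with the exact declared name.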
65 changes: 60 additions & 5 deletions api/v1alpha1/zz_generated.deepcopy.go


