From b16b0c3cc621b66b6f265caa478e5a57bbeec71f Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 15 Jul 2024 10:05:05 +0800 Subject: [PATCH] fix deadlink 
Signed-off-by: zirain --- examples/extension-server/go.mod | 6 +++--- examples/extension-server/go.sum | 3 +++ .../en/contributions/design/config-api.md | 2 +- .../en/docs/tasks/security/threat-model.md | 4 ++-- .../en/latest/tasks/security/threat-model.md | 2 +- site/content/en/news/releases/v0.2.md | 2 +- site/content/en/news/releases/v0.3.md | 2 +- site/content/en/news/releases/v0.4.md | 2 +- site/content/en/news/releases/v0.5.md | 2 +- site/content/en/news/releases/v0.6.md | 2 +- .../en/v0.2/contributions/CONTRIBUTING.md | 4 ++-- site/content/en/v0.2/contributions/DEVELOP.md | 3 +-- .../en/v0.2/contributions/RELEASING.md | 2 +- site/content/en/v0.2/design/config-api.md | 4 ++-- site/content/en/v0.2/design/system-design.md | 10 +++++----- site/content/en/v0.2/user/quickstart.md | 2 +- site/content/en/v0.3/api/config_types.md | 2 +- .../en/v0.3/contributions/CONTRIBUTING.md | 4 ++-- site/content/en/v0.3/contributions/DEVELOP.md | 2 +- .../en/v0.3/contributions/RELEASING.md | 2 +- site/content/en/v0.3/design/config-api.md | 4 ++-- .../en/v0.3/design/gatewayapi-support.md | 8 ++++---- site/content/en/v0.3/design/system-design.md | 8 ++++---- site/content/en/v0.3/user/authn.md | 2 +- site/content/en/v0.3/user/quickstart.md | 2 +- site/content/en/v0.3/user/rate-limit.md | 4 ++-- site/content/en/v0.3/user/udp-routing.md | 2 +- site/content/en/v0.4/api/config_types.md | 2 +- .../en/v0.4/contributions/CONTRIBUTING.md | 4 ++-- site/content/en/v0.4/contributions/DEVELOP.md | 2 +- .../en/v0.4/contributions/RELEASING.md | 2 +- site/content/en/v0.4/design/bootstrap.md | 2 +- site/content/en/v0.4/design/config-api.md | 4 ++-- .../en/v0.4/design/extending-envoy-gateway.md | 6 +++--- site/content/en/v0.4/design/system-design.md | 8 ++++---- site/content/en/v0.4/user/authn.md | 2 +- .../en/v0.4/user/customize-envoyproxy.md | 6 +++--- site/content/en/v0.4/user/egctl.md | 2 +- .../en/v0.4/user/gatewayapi-support.md | 8 ++++---- site/content/en/v0.4/user/quickstart.md | 2 +- 
site/content/en/v0.4/user/rate-limit.md | 6 +++--- site/content/en/v0.4/user/udp-routing.md | 2 +- site/content/en/v0.5/api/config_types.md | 2 +- .../en/v0.5/contributions/CONTRIBUTING.md | 4 ++-- site/content/en/v0.5/contributions/DEVELOP.md | 2 +- .../en/v0.5/contributions/RELEASING.md | 2 +- site/content/en/v0.5/design/bootstrap.md | 2 +- site/content/en/v0.5/design/config-api.md | 4 ++-- .../en/v0.5/design/envoy-patch-policy.md | 12 +++++------ .../en/v0.5/design/extending-envoy-gateway.md | 6 +++--- site/content/en/v0.5/design/system-design.md | 11 +++++----- site/content/en/v0.5/install/install-egctl.md | 2 +- site/content/en/v0.5/install/install-helm.md | 4 ++-- site/content/en/v0.5/install/install-yaml.md | 4 ++-- site/content/en/v0.5/user/authn.md | 2 +- .../en/v0.5/user/customize-envoyproxy.md | 6 +++--- site/content/en/v0.5/user/egctl.md | 2 +- .../en/v0.5/user/envoy-patch-policy.md | 10 +++++----- .../en/v0.5/user/gatewayapi-support.md | 8 ++++---- site/content/en/v0.5/user/quickstart.md | 2 +- site/content/en/v0.5/user/rate-limit.md | 6 +++--- site/content/en/v0.5/user/udp-routing.md | 2 +- site/content/en/v0.6/api/extension_types.md | 2 +- .../en/v0.6/contributions/CONTRIBUTING.md | 4 ++-- site/content/en/v0.6/contributions/DEVELOP.md | 2 +- .../en/v0.6/contributions/RELEASING.md | 5 ++++- site/content/en/v0.6/design/bootstrap.md | 2 +- site/content/en/v0.6/design/config-api.md | 2 +- .../en/v0.6/design/envoy-patch-policy.md | 10 +++++----- .../en/v0.6/design/extending-envoy-gateway.md | 6 +++--- site/content/en/v0.6/design/system-design.md | 4 ++-- site/content/en/v0.6/install/install-helm.md | 4 ++-- site/content/en/v0.6/install/install-yaml.md | 4 ++-- site/content/en/v0.6/user/cors.md | 6 +++--- .../en/v0.6/user/customize-envoyproxy.md | 6 +++--- site/content/en/v0.6/user/egctl.md | 2 +- .../en/v0.6/user/envoy-patch-policy.md | 12 +++++------ .../en/v0.6/user/gateway-api-metrics.md | 6 +++--- .../en/v0.6/user/gatewayapi-support.md | 6 +++--- 
.../en/v0.6/user/grafana-integration.md | 4 ++-- site/content/en/v0.6/user/http-redirect.md | 2 +- .../en/v0.6/user/http-request-headers.md | 2 +- .../en/v0.6/user/http-request-mirroring.md | 2 +- .../en/v0.6/user/http-response-headers.md | 2 +- .../en/v0.6/user/http-traffic-splitting.md | 2 +- site/content/en/v0.6/user/http-urlrewrite.md | 2 +- .../en/v0.6/user/jwt-authentication.md | 6 +++--- .../en/v0.6/user/proxy-observability.md | 4 ++-- site/content/en/v0.6/user/quickstart.md | 2 +- site/content/en/v0.6/user/rate-limit.md | 8 ++++---- site/content/en/v0.6/user/secure-gateways.md | 20 +++++++++---------- site/content/en/v0.6/user/tls-cert-manager.md | 4 ++-- site/content/en/v0.6/user/tls-passthrough.md | 4 ++-- site/content/en/v0.6/user/tls-termination.md | 2 +- site/content/en/v0.6/user/udp-routing.md | 4 ++-- .../en/v1.0/tasks/security/threat-model.md | 4 ++-- tools/make/docs.mk | 4 ++-- 97 files changed, 205 insertions(+), 199 deletions(-)
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod
index 667d6042435c..49ecf72adf70 100644
--- a/examples/extension-server/go.mod
+++ b/examples/extension-server/go.mod
@@ -29,10 +29,10 @@ require (
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
 golang.org/x/net v0.26.0 // indirect
- golang.org/x/sys v0.21.0 // indirect
+ golang.org/x/sys v0.22.0 // indirect
 golang.org/x/text v0.16.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 3b9eb96751bf..3f164c6bcb41 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -86,6 +86,7 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= 
@@ -102,8 +103,10 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw= google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU= +google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw= google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4 h1:Di6ANFilr+S60a4S61ZM00vLdw0IrQOSMS2/6mrnOU0= google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= diff --git a/site/content/en/contributions/design/config-api.md b/site/content/en/contributions/design/config-api.md index 1c6f3057848a..89b7b0d838a8 100644 --- a/site/content/en/contributions/design/config-api.md +++ b/site/content/en/contributions/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` 
diff --git a/site/content/en/docs/tasks/security/threat-model.md b/site/content/en/docs/tasks/security/threat-model.md index c1bba3f9726d..f50838751074 100644 --- a/site/content/en/docs/tasks/security/threat-model.md +++ b/site/content/en/docs/tasks/security/threat-model.md 
@@ -396,7 +396,7 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack. - **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing. + **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing. Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream 
timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action). @@ -603,7 +603,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |EGTM-008|EGTM-EG-003|Envoy Gateway| There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.

| Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.

|Medium| Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration. | |EGTM-010|EGTM-CS-005|Container Security| There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.

| Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.

|Medium| To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods. Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.

Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification. | |EGTM-012|EGTM-GW-004|Gateway API| There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.

| A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.

|Medium| Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action. | -|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | +|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | |EGTM-019|EGTM-DP-004|Container Security| There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.

| Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).

|Medium| Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times. | |EGTM-024|EGTM-EG-008|Envoy Gateway| There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource. Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.

| Excessive developer permissions lead to a misconfiguration and/or unauthorised access.

|Medium| Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:

a. Create a separate namespace, where developers have no permissions, > to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy > object can only target resources deployed in the same namespace. > Therefore, having a separate namespace for the gateway would > prevent developers from attaching the policy to the gateway.

b. Forbid the creation of these policies for developers in namespace C.

On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.

In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either. | |EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](../operations/customize-envoyproxy) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. | diff --git a/site/content/en/latest/tasks/security/threat-model.md b/site/content/en/latest/tasks/security/threat-model.md index cd5927e8d98f..a16319f9d72a 100644 --- a/site/content/en/latest/tasks/security/threat-model.md +++ b/site/content/en/latest/tasks/security/threat-model.md @@ -603,7 +603,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |EGTM-008|EGTM-EG-003|Envoy Gateway| There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.

| Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.

|Medium| Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration. | |EGTM-010|EGTM-CS-005|Container Security| There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.

| Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.

|Medium| To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods. Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.

Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification. | |EGTM-012|EGTM-GW-004|Gateway API| There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.

| A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.

|Medium| Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action. | -|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | +|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. |
 |EGTM-019|EGTM-DP-004|Container Security| There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.

| Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).

|Medium| Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times. |
 |EGTM-024|EGTM-EG-008|Envoy Gateway| There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource. Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.

| Excessive developer permissions lead to a misconfiguration and/or unauthorised access.

|Medium| Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:

a. Create a separate namespace, where developers have no permissions, > to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy > object can only target resources deployed in the same namespace. > Therefore, having a separate namespace for the gateway would > prevent developers from attaching the policy to the gateway.

b. Forbid the creation of these policies for developers in namespace C.

On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.

In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either. |
 |EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](../operations/customize-envoyproxy) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. |
diff --git a/site/content/en/news/releases/v0.2.md b/site/content/en/news/releases/v0.2.md
index e6eec10a3f62..10cd1216ed8f 100644
--- a/site/content/en/news/releases/v0.2.md
+++ b/site/content/en/news/releases/v0.2.md
@@ -41,6 +41,6 @@ release and future direction of the project.
 [docs]: https://gateway.envoyproxy.io/index.html
 [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.2.0
 [conformance tests]: https://gateway-api.sigs.k8s.io/concepts/conformance/?h=conformance
-[quickstart guide]: ../v0.2/user/quickstart
+[quickstart guide]: ../../v0.2/user/quickstart
 [EnvoyCon NA]: https://events.linuxfoundation.org/envoycon-north-america/program/schedule/
 [our talk]: https://sched.co/1AO5S
diff --git a/site/content/en/news/releases/v0.3.md b/site/content/en/news/releases/v0.3.md
index e693c4f4716d..90f164025a8b 100644
--- a/site/content/en/news/releases/v0.3.md
+++ b/site/content/en/news/releases/v0.3.md
@@ -42,5 +42,5 @@ The release adds a ton of features and functionality. Here are some highlights:
 [Release Notes]: ./notes/v0.3.0
 [matrix]: ./matrix
-[docs]: https://gateway.envoyproxy.io/v0.3.0/index.html
+[docs]: /v0.3
 [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.3.0
diff --git a/site/content/en/news/releases/v0.4.md b/site/content/en/news/releases/v0.4.md
index bcbe9eb3fa5c..1df25b4b4050 100644
--- a/site/content/en/news/releases/v0.4.md
+++ b/site/content/en/news/releases/v0.4.md
@@ -53,5 +53,5 @@ The release adds a ton of features and functionality. Here are some highlights:
 [Release Notes]: ./notes/v0.4.0
 [matrix]: ./matrix
-[docs]: https://gateway.envoyproxy.io/v0.4.0/index.html
+[docs]: /v0.4
 [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.4.0
diff --git a/site/content/en/news/releases/v0.5.md b/site/content/en/news/releases/v0.5.md
index bd93e5dd8dba..860b040985b8 100644
--- a/site/content/en/news/releases/v0.5.md
+++ b/site/content/en/news/releases/v0.5.md
@@ -53,5 +53,5 @@ The release adds a ton of features and functionality. Here are some highlights:
 [Release Notes]: ./notes/v0.5.0
 [matrix]: ./matrix
-[docs]: https://gateway.envoyproxy.io/v0.5.0/index.html
+[docs]: /v0.5
 [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.5.0
diff --git a/site/content/en/news/releases/v0.6.md b/site/content/en/news/releases/v0.6.md
index 37ebbae81c5c..bfb6c57d405b 100644
--- a/site/content/en/news/releases/v0.6.md
+++ b/site/content/en/news/releases/v0.6.md
@@ -78,5 +78,5 @@ The release adds a ton of features and functionality. Here are some highlights:
 [Release Notes]: ./notes/v0.6.0
 [matrix]: ./matrix
-[docs]: https://gateway.envoyproxy.io/v0.6.0/index.html
+[docs]: https://gateway.envoyproxy.io/v0.6
 [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.6.0
diff --git a/site/content/en/v0.2/contributions/CONTRIBUTING.md b/site/content/en/v0.2/contributions/CONTRIBUTING.md
index f94b2c940e97..b37898e948eb 100644
--- a/site/content/en/v0.2/contributions/CONTRIBUTING.md
+++ b/site/content/en/v0.2/contributions/CONTRIBUTING.md
@@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. @@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.2/contributions/DEVELOP.md b/site/content/en/v0.2/contributions/DEVELOP.md index 6f82c4a411f5..13c61295f029 100644 --- a/site/content/en/v0.2/contributions/DEVELOP.md +++ b/site/content/en/v0.2/contributions/DEVELOP.md 
@@ -139,7 +139,7 @@ There are many other endpoints on the [Envoy admin interface][] that may be help ### JWT Testing -An example [JSON Web Token (JWT)][jwt] and [JSON Web Key Set (JWKS)][jwks] are used for the [request authentication][] +An example [JSON Web Token (JWT)][jwt] and [JSON Web Key Set (JWKS)][jwks] are used for the request authentication user guide. The JWT was created by the [JWT Debugger][], using the `RS256` algorithm. The public key from the JWTs verify signature was copied to [JWK Creator][] for generating the JWK. The JWK Creator was configured with matching settings, i.e. `Signing` public key use and the `RS256` algorithm. The generated JWK was wrapped in a JWKS structure @@ -158,6 +158,5 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/v0.2/contributions/RELEASING.md b/site/content/en/v0.2/contributions/RELEASING.md index eb5663061417..bad13a6830ce 100644 --- a/site/content/en/v0.2/contributions/RELEASING.md +++ b/site/content/en/v0.2/contributions/RELEASING.md @@ -73,7 +73,7 @@ export GITHUB_REMOTE=origin ### Setup cherry picker action -After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release. +After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release. Configuration looks like following: diff --git a/site/content/en/v0.2/design/config-api.md b/site/content/en/v0.2/design/config-api.md index 466b84d8f351..0ed5253007d6 100644 
--- a/site/content/en/v0.2/design/config-api.md
+++ b/site/content/en/v0.2/design/config-api.md
@@ -88,7 +88,7 @@ type Gateway struct {
 // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
 // for additional details:
 //
- // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass
+ // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass
 //
 // +optional
 ControllerName string `json:"controllerName,omitempty"`
@@ -347,6 +347,6 @@ __Note:__ The NetworkPublishing API is currently undefined and is provided here
 [issue_51]: https://github.com/envoyproxy/gateway/issues/51
 [design_doc]: https://github.com/envoyproxy/gateway/blob/main/docs/design/SYSTEM_DESIGN.md
 [gw_api]: https://gateway-api.sigs.k8s.io/
-[gc]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass
+[gc]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass
 [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
 [union]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#unions
diff --git a/site/content/en/v0.2/design/system-design.md b/site/content/en/v0.2/design/system-design.md
index 72c0a98ecda7..a414843a9552 100644
--- a/site/content/en/v0.2/design/system-design.md
+++ b/site/content/en/v0.2/design/system-design.md
@@ -159,16 +159,16 @@ The draft for this document is [here][draft_design].
 [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting
 [rls]: https://github.com/envoyproxy/ratelimit
 [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit
-[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional
+[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional
 [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts
 [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners
 [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route
-[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional
+[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional
 [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster
 [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit
 [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
-[be]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.BackendObjectReference
+[be]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.BackendObjectReference
 [svc]: https://kubernetes.io/docs/concepts/services-networking/service/
-[ wcd ]: ./watching.md
+[ wcd ]: ./watching
 [Issue #37]: https://github.com/envoyproxy/gateway/issues/37
-[roadmap]: roadmap.md
+[roadmap]: ../contributions/roadmap
diff --git a/site/content/en/v0.2/user/quickstart.md b/site/content/en/v0.2/user/quickstart.md
index 291480b1747c..08d77a1d8eaa 100644
--- a/site/content/en/v0.2/user/quickstart.md
+++ b/site/content/en/v0.2/user/quickstart.md
@@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps.
 A Kubernetes cluster.
-__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions.
+__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions.
 ## Installation
diff --git a/site/content/en/v0.3/api/config_types.md b/site/content/en/v0.3/api/config_types.md
index 4ff5b3f6f181..76999b6d181d 100644
--- a/site/content/en/v0.3/api/config_types.md
+++ b/site/content/en/v0.3/api/config_types.md
@@ -104,7 +104,7 @@ _Appears in:_
 | Field | Description |
 | --- | --- |
-| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass |
+| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass |
 ## KubernetesDeploymentSpec
diff --git a/site/content/en/v0.3/contributions/CONTRIBUTING.md b/site/content/en/v0.3/contributions/CONTRIBUTING.md
index f94b2c940e97..b37898e948eb 100644
--- a/site/content/en/v0.3/contributions/CONTRIBUTING.md
+++ b/site/content/en/v0.3/contributions/CONTRIBUTING.md
@@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. @@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.3/contributions/DEVELOP.md b/site/content/en/v0.3/contributions/DEVELOP.md index 6f82c4a411f5..67500b42915e 100644 --- a/site/content/en/v0.3/contributions/DEVELOP.md +++ b/site/content/en/v0.3/contributions/DEVELOP.md 
@@ -158,6 +158,6 @@ and is hosted in the repo.
 [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface
 [jwt]: https://tools.ietf.org/html/rfc7519
 [jwks]: https://tools.ietf.org/html/rfc7517
-[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html
+[request authentication]: ../user/authn
 [JWT Debugger]: https://jwt.io/
 [JWK Creator]: https://russelldavies.github.io/jwk-creator/
diff --git a/site/content/en/v0.3/contributions/RELEASING.md b/site/content/en/v0.3/contributions/RELEASING.md
index eb5663061417..bad13a6830ce 100644
--- a/site/content/en/v0.3/contributions/RELEASING.md
+++ b/site/content/en/v0.3/contributions/RELEASING.md
@@ -73,7 +73,7 @@ export GITHUB_REMOTE=origin
 ### Setup cherry picker action
-After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release.
+After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release.
 Configuration looks like following:
diff --git a/site/content/en/v0.3/design/config-api.md b/site/content/en/v0.3/design/config-api.md
index 466b84d8f351..0ed5253007d6 100644
--- a/site/content/en/v0.3/design/config-api.md
+++ b/site/content/en/v0.3/design/config-api.md
@@ -88,7 +88,7 @@ type Gateway struct {
 // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
 // for additional details:
 //
- // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass
+ // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass
 //
 // +optional
 ControllerName string `json:"controllerName,omitempty"`
@@ -347,6 +347,6 @@ __Note:__ The NetworkPublishing API is currently undefined and is provided here [issue_51]: https://github.com/envoyproxy/gateway/issues/51 [design_doc]: https://github.com/envoyproxy/gateway/blob/main/docs/design/SYSTEM_DESIGN.md [gw_api]: https://gateway-api.sigs.k8s.io/ -[gc]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass +[gc]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ [union]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#unions diff --git a/site/content/en/v0.3/design/gatewayapi-support.md b/site/content/en/v0.3/design/gatewayapi-support.md index 67eaf05bb4ac..d9daaf04198a 100644 --- a/site/content/en/v0.3/design/gatewayapi-support.md +++ b/site/content/en/v0.3/design/gatewayapi-support.md @@ -96,7 +96,7 @@ these types of cross-namespace references. Envoy Gateway supports the following namespace. - Allowing a Gateway's [SecretObjectReference][] to reference a secret in a different namespace. -[system design]: https://gateway.envoyproxy.io/latest/design/system-design.html +[system design]: ../design/system-design [Gateway API]: https://gateway-api.sigs.k8s.io/ [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parameters reference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference 
@@ -113,9 +113,9 @@ these types of cross-namespace references. Envoy Gateway supports the following
 [TLSRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute
 [ReferenceGrant]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.ReferenceGrant
 [SecretObjectReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectReference
-[rate limiting]: https://gateway.envoyproxy.io/latest/user/rate-limit.html
-[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html
-[EnvoyProxy]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy
+[rate limiting]: ../user/rate-limit
+[request authentication]: ../user/authn
+[EnvoyProxy]: ../api/config_types#envoyproxy
 [resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts
 [ExtensionRefs]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilterType
 [grpc-filter]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter
diff --git a/site/content/en/v0.3/design/system-design.md b/site/content/en/v0.3/design/system-design.md
index 72c0a98ecda7..a683e5307bc5 100644
--- a/site/content/en/v0.3/design/system-design.md
+++ b/site/content/en/v0.3/design/system-design.md
@@ -159,16 +159,16 @@ The draft for this document is [here][draft_design].
 [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting
 [rls]: https://github.com/envoyproxy/ratelimit
 [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit
-[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional
+[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional
 [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts
 [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners
 [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route
-[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional
+[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional
 [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster
 [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit
 [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
-[be]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.BackendObjectReference
+[be]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.BackendObjectReference
 [svc]: https://kubernetes.io/docs/concepts/services-networking/service/
 [ wcd ]: ./watching.md
 [Issue #37]: https://github.com/envoyproxy/gateway/issues/37
-[roadmap]: roadmap.md
+[roadmap]: ../contributions/roadmap
diff --git a/site/content/en/v0.3/user/authn.md b/site/content/en/v0.3/user/authn.md
index 312e4103b9b8..a4887d574381 100644
--- a/site/content/en/v0.3/user/authn.md
+++ b/site/content/en/v0.3/user/authn.md
@@ -92,5 +92,5 @@ kubectl delete authenticationfilter/jwt-example
 Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
 [jwt]: https://tools.ietf.org/html/rfc7519
-[AuthenticationFilter]: https://gateway.envoyproxy.io/v0.3.0/api/extension_types.html#authenticationfilter
+[AuthenticationFilter]: ../api/extension_types#authenticationfilter
 [jwks]: https://tools.ietf.org/html/rfc7517
diff --git a/site/content/en/v0.3/user/quickstart.md b/site/content/en/v0.3/user/quickstart.md
index 4875a1ff987c..c98ef97e20b8 100644
--- a/site/content/en/v0.3/user/quickstart.md
+++ b/site/content/en/v0.3/user/quickstart.md
@@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps.
 A Kubernetes cluster.
-__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions.
+__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions.
 ## Installation
diff --git a/site/content/en/v0.3/user/rate-limit.md b/site/content/en/v0.3/user/rate-limit.md
index 08eae1025470..bf0675e546eb 100644
--- a/site/content/en/v0.3/user/rate-limit.md
+++ b/site/content/en/v0.3/user/rate-limit.md
@@ -484,8 +484,8 @@ transfer-encoding: chunked
 [Global rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting
-[RateLimitFilter]: https://gateway.envoyproxy.io/v0.3.0/api/extension_types.html#ratelimitfilter
+[RateLimitFilter]: ../api/config_types#ratelimitfilter
 [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit
-[EnvoyGateway]: https://gateway.envoyproxy.io/v0.3.0/api/config_types.html#envoygateway
+[EnvoyGateway]: ../api/config_types#envoygateway
 [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
 [ExtensionRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPRouteFilter
diff --git a/site/content/en/v0.3/user/udp-routing.md b/site/content/en/v0.3/user/udp-routing.md
index 4652db421200..1425c553092b 100644
--- a/site/content/en/v0.3/user/udp-routing.md
+++ b/site/content/en/v0.3/user/udp-routing.md
@@ -153,4 +153,4 @@ kubectl delete udproute/coredns
 Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
 [UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute
-[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/v0.3.0/configuration/listeners/udp_filters/udp_proxy
+[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy
diff --git a/site/content/en/v0.4/api/config_types.md b/site/content/en/v0.4/api/config_types.md
index 91f6b5fd5323..fd702f4ca4bf 100644
--- a/site/content/en/v0.4/api/config_types.md
+++ b/site/content/en/v0.4/api/config_types.md
@@ -227,7 +227,7 @@ _Appears in:_ | Field | Description | | --- | --- | -| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass | +| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | ## GroupVersionKind diff --git a/site/content/en/v0.4/contributions/CONTRIBUTING.md b/site/content/en/v0.4/contributions/CONTRIBUTING.md index f94b2c940e97..b37898e948eb 100644 --- a/site/content/en/v0.4/contributions/CONTRIBUTING.md +++ b/site/content/en/v0.4/contributions/CONTRIBUTING.md @@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. 
@@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.4/contributions/DEVELOP.md b/site/content/en/v0.4/contributions/DEVELOP.md index 6f82c4a411f5..67500b42915e 100644 --- a/site/content/en/v0.4/contributions/DEVELOP.md +++ b/site/content/en/v0.4/contributions/DEVELOP.md @@ -158,6 +158,6 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html +[request authentication]: ../user/authn [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/v0.4/contributions/RELEASING.md b/site/content/en/v0.4/contributions/RELEASING.md index eb5663061417..bad13a6830ce 100644 --- a/site/content/en/v0.4/contributions/RELEASING.md +++ b/site/content/en/v0.4/contributions/RELEASING.md 
@@ -73,7 +73,7 @@ export GITHUB_REMOTE=origin ### Setup cherry picker action -After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release. +After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release. Configuration looks like following: diff --git a/site/content/en/v0.4/design/bootstrap.md b/site/content/en/v0.4/design/bootstrap.md index 9a8f0c789efa..08c71f978d12 100644 --- a/site/content/en/v0.4/design/bootstrap.md +++ b/site/content/en/v0.4/design/bootstrap.md @@ -376,6 +376,6 @@ spec: ``` [Issue 31]: https://github.com/envoyproxy/gateway/issues/31 -[EnvoyProxy]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy +[EnvoyProxy]: ../api/config_types#envoyproxy [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parametersRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference diff --git a/site/content/en/v0.4/design/config-api.md b/site/content/en/v0.4/design/config-api.md index ca5380151a8e..3762bfb93e90 100644 --- a/site/content/en/v0.4/design/config-api.md +++ b/site/content/en/v0.4/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` 
@@ -347,6 +347,6 @@ __Note:__ The NetworkPublishing API is currently undefined and is provided here [issue_51]: https://github.com/envoyproxy/gateway/issues/51 [design_doc]: https://github.com/envoyproxy/gateway/blob/main/docs/design/SYSTEM_DESIGN.md [gw_api]: https://gateway-api.sigs.k8s.io/ -[gc]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass +[gc]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ [union]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#unions diff --git a/site/content/en/v0.4/design/extending-envoy-gateway.md b/site/content/en/v0.4/design/extending-envoy-gateway.md index df19dcc09d5c..bc9d29607066 100644 --- a/site/content/en/v0.4/design/extending-envoy-gateway.md +++ b/site/content/en/v0.4/design/extending-envoy-gateway.md 
@@ -314,11 +314,11 @@ Extending Envoy Gateway by using an external extension server which makes use of [Envoy]: https://www.envoyproxy.io/ [Envoy specific configuration (xDS)]: https://www.envoyproxy.io/docs/envoy/v1.25.1/configuration/configuration [v1beta1]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1 -[rate limiting]: https://gateway.envoyproxy.io/v0.3.0/user/rate-limit.html -[authentication]: https://gateway.envoyproxy.io/v0.3.0/user/authn.html +[rate limiting]: ../user/rate-limit +[authentication]: ../user/authn [HTTPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute [GRPCRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute -[EnvoyGateway config]: https://gateway.envoyproxy.io/v0.3.0/api/config_types.html#envoygateway +[EnvoyGateway config]: ../api/config_types#envoygateway [controller-runtime]: https://github.com/kubernetes-sigs/controller-runtime [Unstructured]: https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured [Listener]: https://www.envoyproxy.io/docs/envoy/v1.23.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener diff --git a/site/content/en/v0.4/design/system-design.md b/site/content/en/v0.4/design/system-design.md index 16123948ee72..c17c234c13f4 100644 --- a/site/content/en/v0.4/design/system-design.md +++ b/site/content/en/v0.4/design/system-design.md 
@@ -159,16 +159,16 @@ The draft for this document is [here][draft_design]. [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [rls]: https://github.com/envoyproxy/ratelimit [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit -[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional +[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route -[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional +[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ -[be]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.BackendObjectReference +[be]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.BackendObjectReference [svc]: https://kubernetes.io/docs/concepts/services-networking/service/ [ wcd ]: ./watching.md [Issue #37]: https://github.com/envoyproxy/gateway/issues/37 -[roadmap]: roadmap.md +[roadmap]: ../contributions/roadmap 
diff --git a/site/content/en/v0.4/user/authn.md b/site/content/en/v0.4/user/authn.md index 9f25623bdf72..907e16f752e6 100644 --- a/site/content/en/v0.4/user/authn.md +++ b/site/content/en/v0.4/user/authn.md @@ -92,5 +92,5 @@ kubectl delete authenticationfilter/jwt-example Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [jwt]: https://tools.ietf.org/html/rfc7519 -[AuthenticationFilter]: https://gateway.envoyproxy.io/v0.4.0/api/extension_types.html#authenticationfilter +[AuthenticationFilter]: ../api/config_types#authenticationfilter [jwks]: https://tools.ietf.org/html/rfc7517 diff --git a/site/content/en/v0.4/user/customize-envoyproxy.md b/site/content/en/v0.4/user/customize-envoyproxy.md index 0f2b92f2dabf..692750b8623a 100644 --- a/site/content/en/v0.4/user/customize-envoyproxy.md +++ b/site/content/en/v0.4/user/customize-envoyproxy.md @@ -243,11 +243,11 @@ spec: EOF ``` -You can use [egctl translate](https://gateway.envoyproxy.io/v0.4.0/user/egctl.html#validating-gateway-api-configuration) +You can use [egctl translate](../user/egctl#validating-gateway-api-configuration) to get the default xDS Bootstrap configuration used by Envoy Gateway. After applying the config, the bootstrap config will be overridden by the new config you provided. Any errors in the configuration will be surfaced as status within the `GatewayClass` resource. -You can also validate this configuration using [egctl translate](https://gateway.envoyproxy.io/v0.4/user/egctl.html#validating-gateway-api-configuration). +You can also validate this configuration using [egctl translate](../user/egctl#validating-gateway-api-configuration). [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ -[EnvoyProxy]: https://gateway.envoyproxy.io/v0.4.0/api/config_types.html#envoyproxy +[EnvoyProxy]: ../api/config_types#envoyproxy diff --git a/site/content/en/v0.4/user/egctl.md b/site/content/en/v0.4/user/egctl.md index 29f0200f8967..3e4b6c79d99d 100644 
--- a/site/content/en/v0.4/user/egctl.md +++ b/site/content/en/v0.4/user/egctl.md @@ -463,7 +463,7 @@ spec: EOF ``` -You can see the output contains a [EnvoyProxy](https://gateway.envoyproxy.io/v0.4/api/config_types.html#envoyproxy) resource that +You can see the output contains a [EnvoyProxy](../api/config_types#envoyproxy) resource that can be used as a starting point to modify the xDS bootstrap resource for the managed Envoy Proxy fleet. ```yaml diff --git a/site/content/en/v0.4/user/gatewayapi-support.md b/site/content/en/v0.4/user/gatewayapi-support.md index 79e077498427..f0938702966c 100644 --- a/site/content/en/v0.4/user/gatewayapi-support.md +++ b/site/content/en/v0.4/user/gatewayapi-support.md @@ -96,7 +96,7 @@ these types of cross-namespace references. Envoy Gateway supports the following namespace. - Allowing a Gateway's [SecretObjectReference][] to reference a secret in a different namespace. -[system design]: https://gateway.envoyproxy.io/latest/design/system-design.html +[system design]: ../design/system-design [Gateway API]: https://gateway-api.sigs.k8s.io/ [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parameters reference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference 
@@ -113,9 +113,9 @@ these types of cross-namespace references. Envoy Gateway supports the following [TLSRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute [ReferenceGrant]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.ReferenceGrant [SecretObjectReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectReference -[rate limiting]: https://gateway.envoyproxy.io/latest/user/rate-limit.html -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html -[EnvoyProxy]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy +[rate limiting]: ./rate-limit +[request authentication]: ../user/authn +[EnvoyProxy]: ../api/config_types#envoyproxy [resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts [ExtensionRefs]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilterType [grpc-filter]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter diff --git a/site/content/en/v0.4/user/quickstart.md b/site/content/en/v0.4/user/quickstart.md index ef4df466c1ab..7020707a0c5b 100644 --- a/site/content/en/v0.4/user/quickstart.md +++ b/site/content/en/v0.4/user/quickstart.md @@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps. A Kubernetes cluster. -__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions. +__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions. ## Installation diff --git a/site/content/en/v0.4/user/rate-limit.md b/site/content/en/v0.4/user/rate-limit.md index e932db92627f..847115571d65 100644 --- a/site/content/en/v0.4/user/rate-limit.md +++ b/site/content/en/v0.4/user/rate-limit.md 
@@ -625,9 +625,9 @@ EOF kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system ``` -[Global rate limiting]: https://www.envoyproxy.io/docs/envoy/v0.4.0/intro/arch_overview/other_features/global_rate_limiting -[RateLimitFilter]: https://gateway.envoyproxy.io/v0.4.0/api/extension_types.html#ratelimitfilter +[Global rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[RateLimitFilter]: ../api/extension_types#ratelimitfilter [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit -[EnvoyGateway]: https://gateway.envoyproxy.io/v0.4.0/api/config_types.html#envoygateway +[EnvoyGateway]: ../api/config_types#envoygateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [ExtensionRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPRouteFilter diff --git a/site/content/en/v0.4/user/udp-routing.md b/site/content/en/v0.4/user/udp-routing.md index 5230be9f8f56..c57a8ab1a820 100644 --- a/site/content/en/v0.4/user/udp-routing.md +++ b/site/content/en/v0.4/user/udp-routing.md @@ -153,4 +153,4 @@ kubectl delete udproute/coredns Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute -[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/v0.4.0/configuration/listeners/udp_filters/udp_proxy +[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy diff --git a/site/content/en/v0.5/api/config_types.md b/site/content/en/v0.5/api/config_types.md index 93764201f349..23010b5d0358 100644 --- a/site/content/en/v0.5/api/config_types.md +++ b/site/content/en/v0.5/api/config_types.md 
@@ -431,7 +431,7 @@ _Appears in:_ | Field | Description | | --- | --- | -| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass | +| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | ## GroupVersionKind diff --git a/site/content/en/v0.5/contributions/CONTRIBUTING.md b/site/content/en/v0.5/contributions/CONTRIBUTING.md index f94b2c940e97..b37898e948eb 100644 --- a/site/content/en/v0.5/contributions/CONTRIBUTING.md +++ b/site/content/en/v0.5/contributions/CONTRIBUTING.md @@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. 
@@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.5/contributions/DEVELOP.md b/site/content/en/v0.5/contributions/DEVELOP.md index 6f82c4a411f5..67500b42915e 100644 --- a/site/content/en/v0.5/contributions/DEVELOP.md +++ b/site/content/en/v0.5/contributions/DEVELOP.md @@ -158,6 +158,6 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html +[request authentication]: ../user/authn [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/v0.5/contributions/RELEASING.md b/site/content/en/v0.5/contributions/RELEASING.md index f84f711b0684..206c9f0589dc 100644 --- a/site/content/en/v0.5/contributions/RELEASING.md +++ b/site/content/en/v0.5/contributions/RELEASING.md 
@@ -73,7 +73,7 @@ export GITHUB_REMOTE=origin ### Setup cherry picker action -After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release. +After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release. Configuration looks like following: diff --git a/site/content/en/v0.5/design/bootstrap.md b/site/content/en/v0.5/design/bootstrap.md index 9a8f0c789efa..08c71f978d12 100644 --- a/site/content/en/v0.5/design/bootstrap.md +++ b/site/content/en/v0.5/design/bootstrap.md @@ -376,6 +376,6 @@ spec: ``` [Issue 31]: https://github.com/envoyproxy/gateway/issues/31 -[EnvoyProxy]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy +[EnvoyProxy]: ../api/config_types#envoyproxy [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parametersRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference diff --git a/site/content/en/v0.5/design/config-api.md b/site/content/en/v0.5/design/config-api.md index ca5380151a8e..3762bfb93e90 100644 --- a/site/content/en/v0.5/design/config-api.md +++ b/site/content/en/v0.5/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` 
@@ -347,6 +347,6 @@ __Note:__ The NetworkPublishing API is currently undefined and is provided here [issue_51]: https://github.com/envoyproxy/gateway/issues/51 [design_doc]: https://github.com/envoyproxy/gateway/blob/main/docs/design/SYSTEM_DESIGN.md [gw_api]: https://gateway-api.sigs.k8s.io/ -[gc]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass +[gc]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ [union]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#unions diff --git a/site/content/en/v0.5/design/envoy-patch-policy.md b/site/content/en/v0.5/design/envoy-patch-policy.md index d34937d05ef1..04081ac0763d 100644 --- a/site/content/en/v0.5/design/envoy-patch-policy.md +++ b/site/content/en/v0.5/design/envoy-patch-policy.md 
@@ -167,10 +167,10 @@ patches will work. [Gateway API]: https://gateway-api.sigs.k8s.io/ [Kubernetes]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ [Kustomize]: https://github.com/kubernetes-sigs/kustomize/blob/master/examples/jsonpatch.md -[Extension APIs]: https://gateway.envoyproxy.io/latest/api/extension_types.html -[RateLimit]: https://gateway.envoyproxy.io/latest/user/rate-limit.html -[EnvoyGateway]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoygateway -[Extending the Control Plane]: https://gateway.envoyproxy.io/latest/design/extending-envoy-gateway.html +[Extension APIs]: ../api/extension_types +[RateLimit]: ../user/rate-limit +[EnvoyGateway]: ../api/config_types#envoygateway +[Extending the Control Plane]: ./extending-envoy-gateway [EnvoyFilter]: https://istio.io/latest/docs/reference/config/networking/envoy-filter -[egctl x translate]: https://gateway.envoyproxy.io/latest/user/egctl.html#egctl-experimental-translate -[Bootstrap configuration using EnvoyProxy API]: https://gateway.envoyproxy.io/latest/user/customize-envoyproxy.html#customize-envoyproxy-bootstrap-config +[egctl x translate]: ../user/egctl#egctl-experimental-translate +[Bootstrap configuration using EnvoyProxy API]: ../user/customize-envoyproxy#customize-envoyproxy-bootstrap-config diff --git a/site/content/en/v0.5/design/extending-envoy-gateway.md b/site/content/en/v0.5/design/extending-envoy-gateway.md index 0caa870ffb1a..7624ceaa2afb 100644 --- a/site/content/en/v0.5/design/extending-envoy-gateway.md +++ b/site/content/en/v0.5/design/extending-envoy-gateway.md 
@@ -315,11 +315,11 @@ Extending Envoy Gateway by using an external extension server which makes use of [Envoy]: https://www.envoyproxy.io/ [Envoy specific configuration (xDS)]: https://www.envoyproxy.io/docs/envoy/v1.25.1/configuration/configuration [v1beta1]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1 -[rate limiting]: https://gateway.envoyproxy.io/v0.3.0/user/rate-limit.html -[authentication]: https://gateway.envoyproxy.io/v0.3.0/user/authn.html +[rate limiting]: ../user/rate-limit +[authentication]: ../user/authn [HTTPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute [GRPCRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute -[EnvoyGateway config]: https://gateway.envoyproxy.io/v0.3.0/api/config_types.html#envoygateway +[EnvoyGateway config]: ../api/config_types#envoygateway [controller-runtime]: https://github.com/kubernetes-sigs/controller-runtime [Unstructured]: https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured [Listener]: https://www.envoyproxy.io/docs/envoy/v1.23.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener diff --git a/site/content/en/v0.5/design/system-design.md b/site/content/en/v0.5/design/system-design.md index 16123948ee72..c40c3e51fc9c 100644 --- a/site/content/en/v0.5/design/system-design.md +++ b/site/content/en/v0.5/design/system-design.md 
@@ -159,16 +159,17 @@ The draft for this document is [here][draft_design]. [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [rls]: https://github.com/envoyproxy/ratelimit [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit -[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional +[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route -[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional +[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ -[be]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.BackendObjectReference +[be]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.BackendObjectReference [svc]: https://kubernetes.io/docs/concepts/services-networking/service/ -[ wcd ]: ./watching.md +[ wcd ]: ./watching [Issue #37]: https://github.com/envoyproxy/gateway/issues/37 -[roadmap]: roadmap.md +[roadmap]: ../contributions/roadmap + 
diff --git a/site/content/en/v0.5/install/install-egctl.md b/site/content/en/v0.5/install/install-egctl.md index 8534acb71271..86649ac248c8 100644 --- a/site/content/en/v0.5/install/install-egctl.md +++ b/site/content/en/v0.5/install/install-egctl.md @@ -52,6 +52,6 @@ curl https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash {{% alert title="Next Steps" color="warning" %}} -You can refer to [User Guides](../../user/egctl) to more details about egctl. +You can refer to [User Guides](../user/egctl) to more details about egctl. {{% /alert %}} diff --git a/site/content/en/v0.5/install/install-helm.md b/site/content/en/v0.5/install/install-helm.md index 44e84aaa9dfc..4e988b07b110 100644 --- a/site/content/en/v0.5/install/install-helm.md +++ b/site/content/en/v0.5/install/install-helm.md @@ -10,7 +10,7 @@ Envoy Gateway can be installed via a Helm chart with a few simple steps, dependi ## Before you begin {{% alert title="Compatibility Matrix" color="warning" %}} -Refer to the [Version Compatibility Matrix](/blog/2022/10/01/versions/) to learn more. +Refer to the [Version Compatibility Matrix](/news/releases/matrix/) to learn more. {{% /alert %}} The Envoy Gateway Helm chart is hosted by DockerHub. @@ -138,5 +138,5 @@ These are the ports used by Envoy Gateway and the managed Envoy Proxy. | Heath Check | 0.0.0.0 | 19001 | {{% alert title="Next Steps" color="warning" %}} -Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../../user). +Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user). {{% /alert %}} diff --git a/site/content/en/v0.5/install/install-yaml.md b/site/content/en/v0.5/install/install-yaml.md index 28f6bec4a76d..fcf0c55b37dd 100644 --- a/site/content/en/v0.5/install/install-yaml.md +++ b/site/content/en/v0.5/install/install-yaml.md 
@@ -17,7 +17,7 @@ Envoy Gateway is designed to run in Kubernetes for production. The most essentia * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} -Refer to the [Version Compatibility Matrix](/blog/2022/10/01/versions/) to learn more. +Refer to the [Version Compatibility Matrix](/news/releases/matrix/) to learn more. {{% /alert %}} ## Install with YAML @@ -36,4 +36,4 @@ Refer to the [Developer Guide](../../contributions/develop) to learn more. 2. Next Steps - Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../../user). + Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user). diff --git a/site/content/en/v0.5/user/authn.md b/site/content/en/v0.5/user/authn.md index 3762e6f814b6..779542722889 100644 --- a/site/content/en/v0.5/user/authn.md +++ b/site/content/en/v0.5/user/authn.md @@ -92,5 +92,5 @@ kubectl delete authenticationfilter/jwt-example Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [jwt]: https://tools.ietf.org/html/rfc7519 -[AuthenticationFilter]: https://gateway.envoyproxy.io/v0.5.0/api/extension_types.html#authenticationfilter +[AuthenticationFilter]: ../api/extension_types#authenticationfilter [jwks]: https://tools.ietf.org/html/rfc7517 diff --git a/site/content/en/v0.5/user/customize-envoyproxy.md b/site/content/en/v0.5/user/customize-envoyproxy.md index 24bdbec70331..937f5b82435a 100644 --- a/site/content/en/v0.5/user/customize-envoyproxy.md +++ b/site/content/en/v0.5/user/customize-envoyproxy.md 
@@ -304,12 +304,12 @@ spec: EOF ``` -You can use [egctl translate](https://gateway.envoyproxy.io/v0.5.0/user/egctl.html#validating-gateway-api-configuration) +You can use [egctl translate](./egctl#validating-gateway-api-configuration) to get the default xDS Bootstrap configuration used by Envoy Gateway. After applying the config, the bootstrap config will be overridden by the new config you provided. Any errors in the configuration will be surfaced as status within the `GatewayClass` resource. -You can also validate this configuration using [egctl translate](https://gateway.envoyproxy.io/v0.5.0/user/egctl.html#validating-gateway-api-configuration). +You can also validate this configuration using [egctl translate](./egctl.html#validating-gateway-api-configuration). [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ -[EnvoyProxy]: https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoyproxy +[EnvoyProxy]: ../api/config_types#envoyproxy diff --git a/site/content/en/v0.5/user/egctl.md b/site/content/en/v0.5/user/egctl.md index a09b1b434813..4977d2f6c87a 100644 --- a/site/content/en/v0.5/user/egctl.md +++ b/site/content/en/v0.5/user/egctl.md @@ -444,7 +444,7 @@ spec: EOF ``` -You can see the output contains a [EnvoyProxy](https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoyproxy) resource that +You can see the output contains a [EnvoyProxy](../api/config_types#envoyproxy) resource that can be used as a starting point to modify the xDS bootstrap resource for the managed Envoy Proxy fleet. ```yaml diff --git a/site/content/en/v0.5/user/envoy-patch-policy.md b/site/content/en/v0.5/user/envoy-patch-policy.md index ae237f2f6aee..cf1f1d78abe7 100644 --- a/site/content/en/v0.5/user/envoy-patch-policy.md +++ b/site/content/en/v0.5/user/envoy-patch-policy.md 
@@ -194,9 +194,9 @@ across versions for these reasons * Envoy Gateway might alter the xDS translation creating a different xDS output such as changing the `name` field of resources. -[EnvoyPatchPolicy]: https://gateway.envoyproxy.io/v0.5.0/api/extension_types.html#envoypatchpolicy -[EnvoyGateway]: https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoygateway +[EnvoyPatchPolicy]: ../api/extension_types#envoypatchpolicy +[EnvoyGateway]: ../api/config_types#envoygateway [JSON Patch]: https://datatracker.ietf.org/doc/html/rfc6902 -[xDS]: https://www.envoyproxy.io/docs/envoy/v0.5.0/intro/arch_overview/operations/dynamic_configuration -[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/v0.5.0/configuration/http/http_conn_man/local_reply -[egctl x translate]: https://gateway.envoyproxy.io/v0.5.0/user/egctl.html#egctl-experimental-translate +[xDS]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration +[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply +[egctl x translate]: ./egctl#egctl-experimental-translate diff --git a/site/content/en/v0.5/user/gatewayapi-support.md b/site/content/en/v0.5/user/gatewayapi-support.md index 368745d2f759..28505934c47e 100644 --- a/site/content/en/v0.5/user/gatewayapi-support.md +++ b/site/content/en/v0.5/user/gatewayapi-support.md 
@@ -94,7 +94,7 @@ these types of cross-namespace references. Envoy Gateway supports the following namespace. - Allowing a Gateway's [SecretObjectReference][] to reference a secret in a different namespace. -[system design]: https://gateway.envoyproxy.io/v0.5.0/design/system-design.html +[system design]: ../design/system-design [Gateway API]: https://gateway-api.sigs.k8s.io/ [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parameters reference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference @@ -110,9 +110,9 @@ these types of cross-namespace references. Envoy Gateway supports the following [TLSRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute [ReferenceGrant]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.ReferenceGrant [SecretObjectReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectReference -[rate limiting]: https://gateway.envoyproxy.io/v0.5.0/user/rate-limit.html -[request authentication]: https://gateway.envoyproxy.io/v0.5.0/user/authn.html -[EnvoyProxy]: https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoyproxy +[rate limiting]: ./rate-limit +[request authentication]: ./authn +[EnvoyProxy]: ../api/config_types#envoyproxy [resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts [ExtensionRefs]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilterType [grpc-filter]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter diff --git a/site/content/en/v0.5/user/quickstart.md b/site/content/en/v0.5/user/quickstart.md index 8443d6f323ff..be0ae4188969 100644 --- a/site/content/en/v0.5/user/quickstart.md +++ b/site/content/en/v0.5/user/quickstart.md 
@@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps. A Kubernetes cluster. -__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions. +__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions. ## Installation diff --git a/site/content/en/v0.5/user/rate-limit.md b/site/content/en/v0.5/user/rate-limit.md index bddca2d52bb0..5f97900c494b 100644 --- a/site/content/en/v0.5/user/rate-limit.md +++ b/site/content/en/v0.5/user/rate-limit.md @@ -802,9 +802,9 @@ EOF kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system ``` -[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/v0.5.0/intro/arch_overview/other_features/global_rate_limiting -[RateLimitFilter]: https://gateway.envoyproxy.io/v0.5.0/api/extension_types.html#ratelimitfilter +[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[RateLimitFilter]: ../api/extension_types#ratelimitfilter [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit -[EnvoyGateway]: https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoygateway +[EnvoyGateway]: ../api/config_types#envoygateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [ExtensionRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPRouteFilter diff --git a/site/content/en/v0.5/user/udp-routing.md b/site/content/en/v0.5/user/udp-routing.md index f5eaf0c55412..330f2bdfc012 100644 --- a/site/content/en/v0.5/user/udp-routing.md +++ b/site/content/en/v0.5/user/udp-routing.md 
@@ -153,4 +153,4 @@ kubectl delete udproute/coredns Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute -[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/v0.5.0/configuration/listeners/udp_filters/udp_proxy +[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy diff --git a/site/content/en/v0.6/api/extension_types.md b/site/content/en/v0.6/api/extension_types.md index 08b53e29c854..351356d5fb45 100644 --- a/site/content/en/v0.6/api/extension_types.md +++ b/site/content/en/v0.6/api/extension_types.md @@ -780,7 +780,7 @@ _Appears in:_ | Field | Description | | --- | --- | -| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1.GatewayClass | +| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | #### GlobalRateLimit diff --git a/site/content/en/v0.6/contributions/CONTRIBUTING.md b/site/content/en/v0.6/contributions/CONTRIBUTING.md index f94b2c940e97..b37898e948eb 100644 --- a/site/content/en/v0.6/contributions/CONTRIBUTING.md +++ b/site/content/en/v0.6/contributions/CONTRIBUTING.md 
@@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. @@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.6/contributions/DEVELOP.md b/site/content/en/v0.6/contributions/DEVELOP.md index 6f82c4a411f5..366524eb9c7c 100644 --- a/site/content/en/v0.6/contributions/DEVELOP.md +++ b/site/content/en/v0.6/contributions/DEVELOP.md 
@@ -158,6 +158,6 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html +[request authentication]: ../user/jwt-authentication [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/v0.6/contributions/RELEASING.md b/site/content/en/v0.6/contributions/RELEASING.md index 50d2db76abdc..5abb7ba45031 100644 --- a/site/content/en/v0.6/contributions/RELEASING.md +++ b/site/content/en/v0.6/contributions/RELEASING.md @@ -6,7 +6,10 @@ description: "This section tells the release process of Envoy Gateway." This document guides maintainers through the process of creating an Envoy Gateway release. - [Release Candidate](#release-candidate) + - [Prerequisites](#prerequisites) + - [Setup cherry picker action](#setup-cherry-picker-action) - [Minor Release](#minor-release) + - [Prerequisites](#prerequisites-1) - [Announce the Release](#announce-the-release) ## Release Candidate @@ -73,7 +76,7 @@ export GITHUB_REMOTE=origin ### Setup cherry picker action -After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release. +After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release. Configuration looks like following: diff --git a/site/content/en/v0.6/design/bootstrap.md b/site/content/en/v0.6/design/bootstrap.md index c0581347a24e..743a0d9bad88 100644 --- a/site/content/en/v0.6/design/bootstrap.md +++ b/site/content/en/v0.6/design/bootstrap.md 
@@ -376,6 +376,6 @@ spec: ``` [Issue 31]: https://github.com/envoyproxy/gateway/issues/31 -[EnvoyProxy]: ../../api/extension_types#envoyproxy +[EnvoyProxy]: ../api/extension_types#envoyproxy [GatewayClass]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [parametersRef]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ParametersReference diff --git a/site/content/en/v0.6/design/config-api.md b/site/content/en/v0.6/design/config-api.md index 1c6f3057848a..89b7b0d838a8 100644 --- a/site/content/en/v0.6/design/config-api.md +++ b/site/content/en/v0.6/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` diff --git a/site/content/en/v0.6/design/envoy-patch-policy.md b/site/content/en/v0.6/design/envoy-patch-policy.md index 83ccb035b4d3..1aa441ef114b 100644 --- a/site/content/en/v0.6/design/envoy-patch-policy.md +++ b/site/content/en/v0.6/design/envoy-patch-policy.md 
@@ -167,10 +167,10 @@ patches will work. [Gateway API]: https://gateway-api.sigs.k8s.io/ [Kubernetes]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ [Kustomize]: https://github.com/kubernetes-sigs/kustomize/blob/master/examples/jsonpatch.md -[Extension APIs]: ../../api/extension_types/ -[RateLimit]: ../../user/rate-limit/ -[EnvoyGateway]: ../../api/extension_types#envoygateway +[Extension APIs]: ../api/extension_types +[RateLimit]: ../user/rate-limit +[EnvoyGateway]: ../api/extension_types#envoygateway [Extending the Control Plane]: ../extending-envoy-gateway/ [EnvoyFilter]: https://istio.io/latest/docs/reference/config/networking/envoy-filter -[egctl x translate]: ../../user/egctl#egctl-experimental-translate -[Bootstrap configuration using EnvoyProxy API]: ../../user/customize-envoyproxy#customize-envoyproxy-bootstrap-config +[egctl x translate]: ../user/egctl#egctl-experimental-translate +[Bootstrap configuration using EnvoyProxy API]: ../user/customize-envoyproxy#customize-envoyproxy-bootstrap-config diff --git a/site/content/en/v0.6/design/extending-envoy-gateway.md b/site/content/en/v0.6/design/extending-envoy-gateway.md index 104bd804542a..4976b16754e2 100644 --- a/site/content/en/v0.6/design/extending-envoy-gateway.md +++ b/site/content/en/v0.6/design/extending-envoy-gateway.md 
@@ -315,11 +315,11 @@ Extending Envoy Gateway by using an external extension server which makes use of [Envoy]: https://www.envoyproxy.io/ [Envoy specific configuration (xDS)]: https://www.envoyproxy.io/docs/envoy/v1.25.1/configuration/configuration [v1]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1 -[rate limiting]: ../../user/rate-limit/ -[authentication]: ../../user/jwt-authentication/ +[rate limiting]: ../user/rate-limit +[authentication]: ../user/jwt-authentication [HTTPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute [GRPCRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute -[EnvoyGateway config]: ../../api/extension_types#envoygateway +[EnvoyGateway config]: ../api/extension_types#envoygateway [controller-runtime]: https://github.com/kubernetes-sigs/controller-runtime [Unstructured]: https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured [Listener]: https://www.envoyproxy.io/docs/envoy/v1.23.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener diff --git a/site/content/en/v0.6/design/system-design.md b/site/content/en/v0.6/design/system-design.md index 956482ffcc39..c64846873b17 100644 --- a/site/content/en/v0.6/design/system-design.md +++ b/site/content/en/v0.6/design/system-design.md 
@@ -159,11 +159,11 @@ The draft for this document is [here][draft_design]. [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [rls]: https://github.com/envoyproxy/ratelimit [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit -[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional +[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route -[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional +[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ diff --git a/site/content/en/v0.6/install/install-helm.md b/site/content/en/v0.6/install/install-helm.md index 7bb4b63952bf..37c1c6491523 100644 --- a/site/content/en/v0.6/install/install-helm.md +++ b/site/content/en/v0.6/install/install-helm.md 
@@ -10,7 +10,7 @@ Envoy Gateway can be installed via a Helm chart with a few simple steps, dependi ## Before you begin {{% alert title="Compatibility Matrix" color="warning" %}} -Refer to the [Version Compatibility Matrix](/blog/2022/10/01/versions/) to learn more. +Refer to the [Version Compatibility Matrix](/news/releases/matrix/) to learn more. {{% /alert %}} The Envoy Gateway Helm chart is hosted by DockerHub. @@ -140,5 +140,5 @@ These are the ports used by Envoy Gateway and the managed Envoy Proxy. | Heath Check | 0.0.0.0 | 19001 | {{% alert title="Next Steps" color="warning" %}} -Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../../user). +Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user). {{% /alert %}} diff --git a/site/content/en/v0.6/install/install-yaml.md b/site/content/en/v0.6/install/install-yaml.md index 0b617d34be69..e00cf0f2733e 100644 --- a/site/content/en/v0.6/install/install-yaml.md +++ b/site/content/en/v0.6/install/install-yaml.md @@ -17,7 +17,7 @@ Envoy Gateway is designed to run in Kubernetes for production. The most essentia * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} -Refer to the [Version Compatibility Matrix](/blog/2022/10/01/versions/) to learn more. +Refer to the [Version Compatibility Matrix](/news/releases/matrix/) to learn more. {{% /alert %}} ## Install with YAML 
@@ -36,4 +36,4 @@ Refer to the [Developer Guide](/contributions/develop) to learn more. 2. Next Steps - Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](/latest/user). + Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user). diff --git a/site/content/en/v0.6/user/cors.md b/site/content/en/v0.6/user/cors.md index d8867ccb8d2b..4c7d694e0a77 100644 --- a/site/content/en/v0.6/user/cors.md +++ b/site/content/en/v0.6/user/cors.md @@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Configuration @@ -53,7 +53,7 @@ kubectl get securitypolicy/cors-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](./quickstart) guide is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -102,7 +102,7 @@ its configuration. It won't deny any requests. The browsers are responsible for ## Clean-Up -Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) guide to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: diff --git a/site/content/en/v0.6/user/customize-envoyproxy.md b/site/content/en/v0.6/user/customize-envoyproxy.md index 7f9bfb7cdc07..5835bd73b6c0 100644 
--- a/site/content/en/v0.6/user/customize-envoyproxy.md +++ b/site/content/en/v0.6/user/customize-envoyproxy.md @@ -8,7 +8,7 @@ Service. To learn more about GatewayClass and ParametersRef, please refer to [Ga ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Add GatewayClass ParametersRef @@ -318,5 +318,5 @@ Any errors in the configuration will be surfaced as status within the `GatewayCl You can also validate this configuration using [egctl translate][]. [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ -[EnvoyProxy]: ../../api/extension_types#envoyproxy -[egctl translate]: ../egctl#validating-gateway-api-configuration +[EnvoyProxy]: ../api/extension_types#envoyproxy +[egctl translate]: ./egctl#validating-gateway-api-configuration diff --git a/site/content/en/v0.6/user/egctl.md b/site/content/en/v0.6/user/egctl.md index 937c783cc022..999ccc82903d 100644 --- a/site/content/en/v0.6/user/egctl.md +++ b/site/content/en/v0.6/user/egctl.md @@ -396,7 +396,7 @@ spec: EOF ``` -You can see the output contains a [EnvoyProxy](../../api/extension_types#envoyproxy) resource that +You can see the output contains a [EnvoyProxy](../api/extension_types#envoyproxy) resource that can be used as a starting point to modify the xDS bootstrap resource for the managed Envoy Proxy fleet. ```yaml diff --git a/site/content/en/v0.6/user/envoy-patch-policy.md b/site/content/en/v0.6/user/envoy-patch-policy.md index 9bf6459d2cdc..da09f4a3263c 100644 --- a/site/content/en/v0.6/user/envoy-patch-policy.md +++ b/site/content/en/v0.6/user/envoy-patch-policy.md 
@@ -22,7 +22,7 @@ not exposed by Envoy Gateway APIs today. ### Prerequisites -* Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +* Follow the steps from the [Quickstart](./quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Enable EnvoyPatchPolicy @@ -194,9 +194,9 @@ across versions for these reasons * Envoy Gateway might alter the xDS translation creating a different xDS output such as changing the `name` field of resources. -[EnvoyPatchPolicy]: ../../api/extension_types#envoypatchpolicy -[EnvoyGateway]: ../../api/extension_types#envoygateway +[EnvoyPatchPolicy]: ../api/extension_types#envoypatchpolicy +[EnvoyGateway]: ../api/extension_types#envoygateway [JSON Patch]: https://datatracker.ietf.org/doc/html/rfc6902 -[xDS]: https://www.envoyproxy.io/docs/envoy/v0.6.0/intro/arch_overview/operations/dynamic_configuration -[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/v0.6.0/configuration/http/http_conn_man/local_reply -[egctl x translate]: ../egctl#egctl-experimental-translate +[xDS]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration +[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply +[egctl x translate]: ./egctl#egctl-experimental-translate diff --git a/site/content/en/v0.6/user/gateway-api-metrics.md b/site/content/en/v0.6/user/gateway-api-metrics.md index fef51bde69fe..3f787e33a50b 100644 --- a/site/content/en/v0.6/user/gateway-api-metrics.md +++ b/site/content/en/v0.6/user/gateway-api-metrics.md 
@@ -7,7 +7,7 @@ The project also provides example dashboard for visualising the metrics using Gr ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Run the following commands to install the metrics stack, with the Gateway API State Metrics configuration, on your kubernetes cluster: @@ -29,7 +29,7 @@ kubectl -n monitoring rollout status --watch --timeout=5m statefulset/prometheus kubectl -n monitoring port-forward service/prometheus-k8s 9090:9090 > /dev/null & ``` -Navigate to [http://localhost:9090](http://localhost:9090). +Navigate to `http://localhost:9090`. Metrics can be queried from the 'Graph' tab e.g. `gatewayapi_gateway_created` See the [Gateway API State Metrics README](https://github.com/Kuadrant/gateway-api-state-metrics/tree/main#metrics) for the full list of Gateway API metrics available. @@ -47,7 +47,7 @@ kubectl -n monitoring wait --timeout=5m deployment/grafana --for=condition=Avail kubectl -n monitoring port-forward service/grafana 3000:3000 > /dev/null & ``` -Navigate to [http://localhost:3000](http://localhost:3000) and sign in with admin/admin. +Navigate to `http://localhost:3000` and sign in with admin/admin. The Gateway API State dashboards will be available in the 'Default' folder and tagged with 'gateway-api'. See the [Gateway API State Metrics README](https://github.com/Kuadrant/gateway-api-state-metrics/tree/main#dashboards) for further information on available dashboards. diff --git a/site/content/en/v0.6/user/gatewayapi-support.md b/site/content/en/v0.6/user/gatewayapi-support.md index 064bb5b2b1bc..107edf886cc6 100644 --- a/site/content/en/v0.6/user/gatewayapi-support.md +++ b/site/content/en/v0.6/user/gatewayapi-support.md 
@@ -110,9 +110,9 @@ these types of cross-namespace references. Envoy Gateway supports the following [TLSRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute [ReferenceGrant]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.ReferenceGrant [SecretObjectReference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SecretObjectReference -[rate limiting]: ../rate-limit/ -[request authentication]: ../jwt-authentication/ -[EnvoyProxy]: ../../api/extension_types#envoyproxy +[rate limiting]: ./rate-limit +[request authentication]: ./jwt-authentication +[EnvoyProxy]: ../api/extension_types#envoyproxy [resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts [ExtensionRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilterType [grpc-filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter diff --git a/site/content/en/v0.6/user/grafana-integration.md b/site/content/en/v0.6/user/grafana-integration.md index 7223a35e9421..fc9512eed277 100644 --- a/site/content/en/v0.6/user/grafana-integration.md +++ b/site/content/en/v0.6/user/grafana-integration.md @@ -7,7 +7,7 @@ This guide shows you how to visualise the metrics exposed to prometheus using gr ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Follow the steps from the [Proxy Observability](../proxy-observability#Metrics) to enable prometheus metrics. 
@@ -62,4 +62,4 @@ Envoy Gateway has examples of dashboard for you to get started: ![Envoy Pod Resources](/img/envoy-pod-resources-dashboard.png) -You can load the above dashboards in your Grafana to get started. Please refer to Grafana docs for [importing dashboards](https://grafana.com/docs/grafana/v0.6.0/dashboards/manage-dashboards/#import-a-dashboard). +You can load the above dashboards in your Grafana to get started. Please refer to Grafana docs for [importing dashboards](https://grafana.com/docs/grafana/latest/dashboards/manage-dashboards/#import-a-dashboard). diff --git a/site/content/en/v0.6/user/http-redirect.md b/site/content/en/v0.6/user/http-redirect.md index 1ef88e53fa3a..2fec0b521a9b 100644 --- a/site/content/en/v0.6/user/http-redirect.md +++ b/site/content/en/v0.6/user/http-redirect.md @@ -9,7 +9,7 @@ learn more about HTTP routing, refer to the [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTPS. ## Redirects diff --git a/site/content/en/v0.6/user/http-request-headers.md b/site/content/en/v0.6/user/http-request-headers.md index 25b675a16d7a..6372aacbf02c 100644 --- a/site/content/en/v0.6/user/http-request-headers.md +++ b/site/content/en/v0.6/user/http-request-headers.md @@ -14,7 +14,7 @@ client. ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Adding Request Headers 
diff --git a/site/content/en/v0.6/user/http-request-mirroring.md b/site/content/en/v0.6/user/http-request-mirroring.md index db6bcca33f28..9f2aac4b6cea 100644 --- a/site/content/en/v0.6/user/http-request-mirroring.md +++ b/site/content/en/v0.6/user/http-request-mirroring.md @@ -244,7 +244,7 @@ EOF Error from server: error when creating "STDIN": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.rules[0].filters: Invalid value: "RequestMirror": cannot be used multiple times in the same rule ``` -[Quickstart Guide]: ../quickstart/ +[Quickstart Guide]: ./quickstart/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [backendRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef [HTTPRequestMirrorFilter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRequestMirrorFilter diff --git a/site/content/en/v0.6/user/http-response-headers.md b/site/content/en/v0.6/user/http-response-headers.md index 76cf33362b40..1a3ab351ebf1 100644 --- a/site/content/en/v0.6/user/http-response-headers.md +++ b/site/content/en/v0.6/user/http-response-headers.md @@ -12,7 +12,7 @@ upstream service. ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Adding Response Headers diff --git a/site/content/en/v0.6/user/http-traffic-splitting.md b/site/content/en/v0.6/user/http-traffic-splitting.md index 49e6ca89c2fe..6d3257af415f 100644 --- a/site/content/en/v0.6/user/http-traffic-splitting.md +++ b/site/content/en/v0.6/user/http-traffic-splitting.md 
@@ -8,7 +8,7 @@ with status code `500` for all requests that would have been sent to that backen ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Single backendRef diff --git a/site/content/en/v0.6/user/http-urlrewrite.md b/site/content/en/v0.6/user/http-urlrewrite.md index 945a24a7a447..b806a355b2c7 100644 --- a/site/content/en/v0.6/user/http-urlrewrite.md +++ b/site/content/en/v0.6/user/http-urlrewrite.md @@ -7,7 +7,7 @@ used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequ ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Rewrite URL Prefix Path diff --git a/site/content/en/v0.6/user/jwt-authentication.md b/site/content/en/v0.6/user/jwt-authentication.md index e11358c22fac..6c04873a10f6 100644 --- a/site/content/en/v0.6/user/jwt-authentication.md +++ b/site/content/en/v0.6/user/jwt-authentication.md @@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) guide to install Envoy Gateway and the example manifest. For GRPC - follow the steps from the [GRPC Routing](../grpc-routing/) example. Before proceeding, you should be able to query the example backend using HTTP or GRPC. 
@@ -71,7 +71,7 @@ kubectl get securitypolicy/jwt-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](./quickstart) guide is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -150,7 +150,7 @@ You should see the below response ## Clean-Up -Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) guide to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: diff --git a/site/content/en/v0.6/user/proxy-observability.md b/site/content/en/v0.6/user/proxy-observability.md index 8601a0de7a8c..77b391eadfb8 100644 --- a/site/content/en/v0.6/user/proxy-observability.md +++ b/site/content/en/v0.6/user/proxy-observability.md @@ -7,7 +7,7 @@ This guide show you how to config proxy observability, includes metrics, logs, a ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. [FluentBit](https://fluentbit.io/) is used to collect logs from the EnvoyProxy instances and forward them to Loki. Install FluentBit: 
@@ -87,7 +87,7 @@ curl localhost:19001/metrics | grep "default/backend/rule/0/match/0-www" ## Logs -By default, Envoy Gateway send logs to stdout in [default text format](https://www.envoyproxy.io/docs/envoy/v0.6.0/configuration/observability/access_log/usage.html#default-format-string). +By default, Envoy Gateway send logs to stdout in [default text format](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage.html#default-format-string). Verify logs from loki: ```shell diff --git a/site/content/en/v0.6/user/quickstart.md b/site/content/en/v0.6/user/quickstart.md index 2e47dd6f26b9..6a35933590ed 100644 --- a/site/content/en/v0.6/user/quickstart.md +++ b/site/content/en/v0.6/user/quickstart.md @@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps. A Kubernetes cluster. -__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions. +__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions. __Note:__ In case your Kubernetes cluster, does not have a LoadBalancer implementation, we recommend installing one so the `Gateway` resource has an Address associated with it. We recommend using [MetalLB](https://metallb.universe.tf/installation/). diff --git a/site/content/en/v0.6/user/rate-limit.md b/site/content/en/v0.6/user/rate-limit.md index 8f5867413ce9..5a8cf305bbd9 100644 --- a/site/content/en/v0.6/user/rate-limit.md +++ b/site/content/en/v0.6/user/rate-limit.md 
@@ -21,7 +21,7 @@ can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. ### Install Envoy Gateway -* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. +* Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the HTTPRoute example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Install Redis @@ -817,10 +817,10 @@ EOF kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system ``` -[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/v0.6.0/intro/arch_overview/other_features/global_rate_limiting -[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy +[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[BackendTrafficPolicy]: ../api/extension_types#backendtrafficpolicy [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit -[EnvoyGateway]: ../../api/extension_types#envoygateway +[EnvoyGateway]: ../api/extension_types#envoygateway [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ diff --git a/site/content/en/v0.6/user/secure-gateways.md b/site/content/en/v0.6/user/secure-gateways.md index 805aeb8b1a67..1c1551fb92a1 100644 --- a/site/content/en/v0.6/user/secure-gateways.md +++ b/site/content/en/v0.6/user/secure-gateways.md @@ -11,7 +11,7 @@ testing and demonstration purposes only. ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates 
@@ -242,7 +242,7 @@ Lastly, test connectivity using the above [Testing section](#testing). ## Clean-Up -Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to uninstall Envoy Gateway and the example manifest. Delete the Secrets: @@ -257,14 +257,14 @@ This section gives a walkthrough to generate RSA and ECDSA derived certificates ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. -Follow the steps in the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. +Follow the steps in the [TLS Certificates](./secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. ## Pre-checks -While testing in [Cluster without External LoadBalancer Support](../secure-gateways#clusters-without-external-loadbalancer-support), we can query the example app through Envoy proxy while enforcing an RSA cipher, as shown below: +While testing in [Cluster without External LoadBalancer Support](./secure-gateways#clusters-without-external-loadbalancer-support), we can query the example app through Envoy proxy while enforcing an RSA cipher, as shown below: ```shell curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \ 
@@ -295,7 +295,7 @@ Moving forward in the doc, we will be configuring the existing Gateway listener ## TLS Certificates -Reuse the CA certificate and key pair generated in the [Secure Gateways](../secure-gateways#tls-certificates) guide and use this CA to sign both RSA and ECDSA Server certificates. +Reuse the CA certificate and key pair generated in the [Secure Gateways](./secure-gateways#tls-certificates) guide and use this CA to sign both RSA and ECDSA Server certificates. Note the CA certificate and key names are `example.com.crt` and `example.com.key` respectively. 
@@ -369,14 +369,14 @@ This sections gives a walkthrough to generate multiple certificates correspondin ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. -Follow the steps in the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. +Follow the steps in the [TLS Certificates](./secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. ## Additional Configurations -Using the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide we first generate additional Secret for another Host `www.sample.com`. +Using the [TLS Certificates](./secure-gateways#tls-certificates) section in the guide we first generate additional Secret for another Host `www.sample.com`. ```shell openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=sample Inc./CN=sample.com' -keyout sample.com.key -out sample.com.crt @@ -446,7 +446,7 @@ Since the multiple certificates are configured on the same Gateway listener, Env ### Clusters with External LoadBalancer Support -Refer to the steps mentioned earlier in the guide under [Testing in clusters with External LoadBalancer Support](../secure-gateways#clusters-with-external-loadbalancer-support) +Refer to the steps mentioned earlier in the guide under [Testing in clusters with External LoadBalancer Support](./secure-gateways#clusters-with-external-loadbalancer-support) ## Next Steps 
diff --git a/site/content/en/v0.6/user/tls-cert-manager.md b/site/content/en/v0.6/user/tls-cert-manager.md index 7776fbb24135..aeb5e1a0759d 100644 --- a/site/content/en/v0.6/user/tls-cert-manager.md +++ b/site/content/en/v0.6/user/tls-cert-manager.md @@ -18,7 +18,7 @@ Changing to the Let's Encrypt production environment is straight-forward after t ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Deploying cert-manager @@ -432,5 +432,5 @@ eg-https kubernetes.io/tls 3 42m ## See Also -* [Secure Gateways](../secure-gateways/) +* [Secure Gateways](./secure-gateways) * [Securing gateway.networking.k8s.io Gateway Resources](https://cert-manager.io/docs/usage/gateway/) diff --git a/site/content/en/v0.6/user/tls-passthrough.md b/site/content/en/v0.6/user/tls-passthrough.md index aab53254cc9b..3390af7ea8ae 100644 --- a/site/content/en/v0.6/user/tls-passthrough.md +++ b/site/content/en/v0.6/user/tls-passthrough.md @@ -12,7 +12,7 @@ to terminate the TLS connection, while the Gateway routes the requests to the ap ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -106,7 +106,7 @@ curl -v -HHost:passthrough.example.com --resolve "passthrough.example.com:6443:$ ## Clean-Up -Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to uninstall Envoy Gateway and the example manifest. Delete the Secret: 
diff --git a/site/content/en/v0.6/user/tls-termination.md b/site/content/en/v0.6/user/tls-termination.md index 4ac72aac7af2..706f95b71ca3 100644 --- a/site/content/en/v0.6/user/tls-termination.md +++ b/site/content/en/v0.6/user/tls-termination.md @@ -10,7 +10,7 @@ This guide will walk through the steps required to configure TLS Terminate mode ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway. ## TLS Certificates Generate the certificates and keys used by the Gateway to terminate client TLS connections. diff --git a/site/content/en/v0.6/user/udp-routing.md b/site/content/en/v0.6/user/udp-routing.md index 8d80fe789cf6..20a77ca17cbb 100644 --- a/site/content/en/v0.6/user/udp-routing.md +++ b/site/content/en/v0.6/user/udp-routing.md @@ -137,7 +137,7 @@ _udp.foo.bar.com. 0 IN SRV 0 0 42376 . ## Clean-Up -Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway. +Follow the steps from the [Quickstart Guide](./quickstart) to uninstall Envoy Gateway. Delete the CoreDNS example manifest and the UDPRoute: @@ -153,4 +153,4 @@ kubectl delete udproute/coredns Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [UDPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute -[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/v0.6.0/configuration/listeners/udp_filters/udp_proxy +[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy diff --git a/site/content/en/v1.0/tasks/security/threat-model.md b/site/content/en/v1.0/tasks/security/threat-model.md index c1bba3f9726d..f50838751074 100644 --- a/site/content/en/v1.0/tasks/security/threat-model.md +++ b/site/content/en/v1.0/tasks/security/threat-model.md 
@@ -396,7 +396,7 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack. - **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing. + **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing. Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream 
timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action). @@ -603,7 +603,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |EGTM-008|EGTM-EG-003|Envoy Gateway| There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.

| Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.

|Medium| Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration. | |EGTM-010|EGTM-CS-005|Container Security| There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.

| Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.

|Medium| To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods. Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.

Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification. | |EGTM-012|EGTM-GW-004|Gateway API| There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.

| A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.

|Medium| Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action. | -|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | +|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | |EGTM-019|EGTM-DP-004|Container Security| There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.

| Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).

|Medium| Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times. | |EGTM-024|EGTM-EG-008|Envoy Gateway| There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource. Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.

| Excessive developer permissions lead to a misconfiguration and/or unauthorised access.

|Medium| Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:

a. Create a separate namespace, where developers have no permissions, > to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy > object can only target resources deployed in the same namespace. > Therefore, having a separate namespace for the gateway would > prevent developers from attaching the policy to the gateway.

b. Forbid the creation of these policies for developers in namespace C.

On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.

In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either. | |EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](../operations/customize-envoyproxy) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. | diff --git a/tools/make/docs.mk b/tools/make/docs.mk index 704e9e44c522..20e851f818c3 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk @@ -1,6 +1,6 @@ DOCS_OUTPUT_DIR := site/public RELEASE_VERSIONS ?= $(foreach v,$(wildcard ${ROOT_DIR}/docs/*),$(notdir ${v})) -LINKINATOR_IGNORE := "github.com githubusercontent.com example.com github.io _print v0.6 v0.5 v0.4 v0.3 v0.2" +LINKINATOR_IGNORE := "github.com githubusercontent.com example.com github.io _print" CLEAN_NODE_MODULES ?= true ##@ Docs @@ -122,7 +122,7 @@ docs-check-links: # github.com does not allow access too often, there are a lot of 429 errors # TODO: find a way to remove github.com from ignore list # TODO: example.com is not a valid domain, we should remove it from ignore list - linkinator site/public/ -r --concurrency 25 --skip $(LINKINATOR_IGNORE) + linkinator site/public/ -r --timeout 1000 --concurrency 25 --skip $(LINKINATOR_IGNORE) release-notes-docs: $(tools/release-notes-docs) @$(LOG_TARGET)
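Review bot: The `--timeout 1000` added to the `linkinator` call in the second hunk is a bare literal with no unit. linkinator reads this option in milliseconds, so each request gets one second while 25 run concurrently. A slow but valid external target, such as the envoyproxy.io and kubernetes.io references in the threat-model pages, would then be reported as a dead link. That makes the check flaky and invites re-growing `LINKINATOR_IGNORE`, which the first hunk has just narrowed by dropping the v0.x entries. I would make the value overridable next to the other knobs at the top of the file: a comment line `# per-request timeout for linkinator, in milliseconds` above `LINKINATOR_TIMEOUT ?= 1000`, with the recipe using `--timeout $(LINKINATOR_TIMEOUT)`. The `docs-check-links` recipe starts outside the hunk, so any earlier lines of it are not visible here.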