From ef1934f1461157afc890cddac863418c3e90b4f0 Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Wed, 6 Mar 2024 22:47:55 +0200 Subject: [PATCH 1/4] feat: Support WellKnownSystemCerts in BackendTLSPolicy (#2804) * Add support for using the system truststore with upstream TLS. Signed-off-by: Lior Okman * Make the linter happy Signed-off-by: Lior Okman --------- 
Signed-off-by: Lior Okman --- .gitignore | 3 + internal/gatewayapi/backendtlspolicy.go | 3 +- internal/gatewayapi/route.go | 18 +- .../backendtlspolicy-ca-only.out.yaml | 4 +- .../backendtlspolicy-default-ns.out.yaml | 4 +- .../backendtlspolicy-invalid-ca.out.yaml | 0 ...backendtlspolicy-system-truststore.in.yaml | 105 +++++++++++ ...ackendtlspolicy-system-truststore.out.yaml | 163 ++++++++++++++++++ ...fficpolicy-status-fault-injection.out.yaml | 0 ...endtrafficpolicy-with-healthcheck.out.yaml | 0 ...dtrafficpolicy-with-timeout-error.out.yaml | 0 ...backendtrafficpolicy-with-timeout.out.yaml | 0 .../grpcroute-with-empty-backends.out.yaml | 0 ...dtrafficpolicy-with-timeout-error.out.yaml | 0 ...backendtrafficpolicy-with-timeout.out.yaml | 0 ...ith-empty-backends-and-no-filters.out.yaml | 0 ...id-backend-ref-unsupported-filter.out.yaml | 0 ...-extauth-invalid-no-matching-port.out.yaml | 0 ...xtauth-invalid-no-reference-grant.out.yaml | 0 ...y-with-extauth-invalid-no-service.out.yaml | 0 .../securitypolicy-with-extauth.out.yaml | 0 internal/ir/xds.go | 7 +- internal/ir/zz_generated.deepcopy.go | 6 +- ...http-route-with-tls-system-truststore.yaml | 32 ++++ .../xds-ir/client-ip-detection.clusters.yaml | 0 .../xds-ir/client-ip-detection.endpoints.yaml | 0 .../xds-ir/client-ip-detection.listeners.yaml | 0 .../xds-ir/client-ip-detection.routes.yaml | 0 .../out/xds-ir/ext-auth.clusters.yaml | 0 .../out/xds-ir/ext-auth.endpoints.yaml | 0 .../out/xds-ir/ext-auth.listeners.yaml | 0 .../testdata/out/xds-ir/ext-auth.routes.yaml | 0 .../out/xds-ir/fault-injection.clusters.yaml | 0 .../out/xds-ir/fault-injection.endpoints.yaml | 0 .../out/xds-ir/fault-injection.listeners.yaml | 0 .../out/xds-ir/fault-injection.routes.yaml | 0 ...e-with-tls-system-truststore.clusters.yaml | 26 +++ ...-with-tls-system-truststore.endpoints.yaml | 12 ++ ...-with-tls-system-truststore.listeners.yaml | 34 ++++ ...ute-with-tls-system-truststore.routes.yaml | 14 ++ 
.../http-route-with-tlsbundle.clusters.yaml | 0 .../http-route-with-tlsbundle.endpoints.yaml | 0 .../http-route-with-tlsbundle.listeners.yaml | 0 .../http-route-with-tlsbundle.routes.yaml | 0 .../http-route-with-tlsbundle.secrets.yaml | 0 internal/xds/translator/translator.go | 52 ++++-- internal/xds/translator/translator_test.go | 3 + 47 files changed, 459 insertions(+), 27 deletions(-) mode change 100755 => 100644 internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml create mode 100644 internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml create mode 100644 internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml mode change 100755 => 100644 
internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/http-route-with-tls-system-truststore.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/client-ip-detection.endpoints.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/client-ip-detection.routes.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/fault-injection.endpoints.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/fault-injection.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml create mode 100644 
internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.routes.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.endpoints.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.routes.yaml mode change 100755 => 100644 internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.secrets.yaml diff --git a/.gitignore b/.gitignore index a14c25efb35..0dee17ad8f4 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,6 @@ vendor/ # values.yaml file is generated from its template counterpart. charts/gateway-helm/values.yaml + +# VIM +.*.swp diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index 17e09d6e566..015b20f1622 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -6,6 +6,7 @@ package gatewayapi import ( + "k8s.io/utils/ptr" "sigs.k8s.io/gateway-api/apis/v1alpha2" ) @@ -25,7 +26,7 @@ func (t *Translator) ProcessBackendTLSPoliciesAncestorRef(backendTLSPolicies []* gw := gwContext.Gateway if gw.Name == string(status.AncestorRef.Name) && gw.Namespace == NamespaceDerefOrAlpha(status.AncestorRef.Namespace, "default") { for _, lis := range gw.Spec.Listeners { - if lis.Name == *status.AncestorRef.SectionName { + if lis.Name == ptr.Deref(status.AncestorRef.SectionName, "") { exist = true } } diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 0a8713c8799..a6f37269025 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
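Review bot: The `ptr.Deref(status.AncestorRef.SectionName, "")` replacement in ProcessBackendTLSPoliciesAncestorRef removes the nil-pointer panic but turns a missing sectionName into `lis.Name == ""`, which never matches because Gateway listener names are required to be non-empty, so such an ancestor is silently treated as non-existent. If an ancestorRef without a sectionName is meant to denote the whole Gateway, the check should short-circuit on nil instead, e.g. `if status.AncestorRef.SectionName == nil || lis.Name == *status.AncestorRef.SectionName {`; if it is meant to be rejected, a comment stating that (`// a nil sectionName never matches a listener and is reported as not found`) would keep the next reader from "fixing" it. The enclosing function starts and ends outside this hunk, so the status reason written for the not-found case is not visible here.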
@@ -1382,7 +1382,13 @@ func getBackendTLSBundle(policies []*gwapiv1a1.BackendTLSPolicy, configmaps []*c return nil, nil } - tlsBundle := &ir.TLSUpstreamConfig{} + tlsBundle := &ir.TLSUpstreamConfig{ + SNI: string(backendTLSPolicy.Spec.TLS.Hostname), + UseSystemTrustStore: ptr.Deref(backendTLSPolicy.Spec.TLS.WellKnownCACerts, "") == gwapiv1a1.WellKnownCACertSystem, + } + if tlsBundle.UseSystemTrustStore { + return tlsBundle, nil + } caRefMap := make(map[string]string) @@ -1408,12 +1414,10 @@ func getBackendTLSBundle(policies []*gwapiv1a1.BackendTLSPolicy, configmaps []*c if ca == "" { return nil, fmt.Errorf("no ca found in referred configmaps") } - - tlsBundle.CACertificate.Certificate = []byte(ca) - - tlsBundle.CACertificate.Name = fmt.Sprintf("%s/%s-ca", backendTLSPolicy.Name, backendTLSPolicy.Namespace) - - tlsBundle.SNI = string(backendTLSPolicy.Spec.TLS.Hostname) + tlsBundle.CACertificate = &ir.TLSCACertificate{ + Certificate: []byte(ca), + Name: fmt.Sprintf("%s/%s-ca", backendTLSPolicy.Name, backendTLSPolicy.Namespace), + } return tlsBundle, nil } diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml old mode 100755 new mode 100644 index b2488ea6103..b38d38425b9 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml @@ -155,10 +155,10 @@ xdsIR: port: 8080 protocol: HTTP tls: - CACertificate: + caCertificate: certificate: 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 name: policy-btls/policies-ca - SNI: example.com + sni: example.com weight: 1 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml old mode 100755 new mode 100644 index b9497558a9f..8b258dac8db --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml 
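Review bot: The early `return tlsBundle, nil` in getBackendTLSBundle when UseSystemTrustStore is set silently discards any CA cert refs the policy also carries, so a policy that names both a private CA and the system store is accepted as "system store only" rather than rejected, and the resulting trust anchor is wider than the author may have intended. The Gateway API spec makes the two mutually exclusive; unless the CRD's validation is known to enforce that, the translator should fail the bundle explicitly, e.g. `if tlsBundle.UseSystemTrustStore && len(backendTLSPolicy.Spec.TLS.CACertRefs) > 0 { return nil, fmt.Errorf("caCertRefs and wellKnownCACerts are mutually exclusive") }` placed before the early return. Note also that `ptr.Deref(..., "") == gwapiv1a1.WellKnownCACertSystem` lets any other non-empty WellKnownCACerts value fall through to the configmap path and surface as "no ca found in referred configmaps", which is a misleading error for that input. The function begins before this hunk and the caRefMap population lies between the two hunks.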
+++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml @@ -154,10 +154,10 @@ xdsIR: port: 8080 protocol: HTTP tls: - CACertificate: + caCertificate: certificate: 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 name: policy-btls/default-ca - SNI: example.com + sni: example.com weight: 1 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml new file mode 100644 index 00000000000..88fb94bc116 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml 
@@ -0,0 +1,105 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-btls + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-btls + namespace: envoy-gateway + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-btls + sectionName: http + rules: + - matches: + - path: + type: Exact + value: "/exact" + backendRefs: + - name: http-backend + namespace: default + port: 8080 + +referenceGrants: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: ReferenceGrant + metadata: + name: refg-route-svc + namespace: default + spec: + from: + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: envoy-gateway + - group: gateway.networking.k8s.io + kind: Gateway + namespace: envoy-gateway + - group: gateway.networking.k8s.io + kind: BackendTLSPolicy + namespace: default + to: + - group: "" + kind: Service + +services: + - apiVersion: v1 + kind: Service + metadata: + name: http-backend + namespace: default + spec: + clusterIP: 10.11.12.13 + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 + + +endpointSlices: + - apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-http-backend + namespace: default + labels: + kubernetes.io/service-name: http-backend + addressType: IPv4 + ports: + - name: http + protocol: TCP + port: 8080 + endpoints: + - addresses: + - "10.244.0.11" + conditions: + ready: true +backendTLSPolicies: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-btls + namespace: default + spec: + targetRef: + group: '' + kind: Service + name: http-backend + sectionName: "8080" + tls: + wellKnownCACerts: System + hostname: example.com 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml new file mode 100644 index 00000000000..760e7864048 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml 
@@ -0,0 +1,163 @@ +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls + namespace: default + spec: + targetRef: + group: "" + kind: Service + name: http-backend + sectionName: "8080" + tls: + hostname: example.com + wellKnownCACerts: System + status: + ancestors: + - ancestorRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: BackendTLSPolicy is Accepted + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-btls + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-btls + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-btls + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: http-backend + namespace: default + port: 8080 + matches: + - path: + type: Exact + value: /exact + status: + parents: + 
- conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-btls: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-btls/http + ports: + - containerPort: 10080 + name: http + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-btls + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-btls +xdsIR: + envoy-gateway/gateway-btls: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: envoy-gateway/gateway-btls/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/envoy-gateway/httproute-btls/rule/0 + settings: + - addressType: IP + endpoints: + - host: 10.244.0.11 + port: 8080 + protocol: HTTP + tls: + sni: example.com + useSystemTrustStore: true + weight: 1 + hostname: '*' + isHTTP2: false + name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact + name: "" diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml old mode 100755 new mode 100644 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml old mode 100755 new mode 100644 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml old mode 100755 new mode 100644 diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 6f553ca3cc6..4bd51d37c0a 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -309,7 +309,7 @@ type TLSCertificate struct { // +k8s:deepcopy-gen=true type TLSCACertificate struct { // Name of the Secret object. - Name string `json:"name" yaml:"name"` + Name string `json:"name,omitempty" yaml:"name,omitempty"` // Certificate content. Certificate []byte `json:"certificate,omitempty" yaml:"certificate,omitempty"` } @@ -1745,6 +1745,7 @@ type BackOffPolicy struct { // TLSUpstreamConfig contains sni and ca file in []byte format. // +k8s:deepcopy-gen=true type TLSUpstreamConfig struct { - SNI string - CACertificate TLSCACertificate + SNI string `json:"sni,omitempty" yaml:"sni,omitempty"` + UseSystemTrustStore bool `json:"useSystemTrustStore,omitempty" yaml:"useSystemTrustStore,omitempty"` + CACertificate *TLSCACertificate `json:"caCertificate,omitempty" yaml:"caCertificate,omitempty"` } diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index e5b6446061b..3e19c4b4602 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go 
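Review bot: The doc comment on TLSUpstreamConfig, `// TLSUpstreamConfig contains sni and ca file in []byte format.`, is now stale: the struct gained UseSystemTrustStore and CACertificate became a pointer that is left nil in the system-trust-store case (route.go returns the bundle before populating it). I would reword it to `// TLSUpstreamConfig describes how the proxy validates an upstream TLS peer: SNI is sent in the handshake, and either UseSystemTrustStore selects the proxy's system trust store (CACertificate is then nil) or CACertificate carries the CA bundle.` and add one-line field comments, `// UseSystemTrustStore trusts the proxy image's system CA bundle instead of CACertificate.` and `// CACertificate is the CA bundle to trust; nil when UseSystemTrustStore is set.`, so that consumers of the IR know the pointer may be nil. The `Name` omitempty change in the first hunk is consistent with that and needs no further comment.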
@@ -2092,7 +2092,11 @@ func (in *TLSInspectorConfig) DeepCopy() *TLSInspectorConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSUpstreamConfig) DeepCopyInto(out *TLSUpstreamConfig) { *out = *in - in.CACertificate.DeepCopyInto(&out.CACertificate) + if in.CACertificate != nil { + in, out := &in.CACertificate, &out.CACertificate + *out = new(TLSCACertificate) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSUpstreamConfig. diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-with-tls-system-truststore.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-with-tls-system-truststore.yaml new file mode 100644 index 00000000000..3cc0e5e8766 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-with-tls-system-truststore.yaml @@ -0,0 +1,32 @@ +http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: envoy-gateway/gateway-btls/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/envoy-gateway/httproute-btls/rule/0 + settings: + - addressType: IP + endpoints: + - host: 10.244.0.11 + port: 8080 + protocol: HTTP + tls: + sni: example.com + useSystemTrustStore: true + weight: 1 + hostname: '*' + name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact + name: "" diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.endpoints.yaml old mode 100755 new mode 100644 
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.routes.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.endpoints.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.routes.yaml old mode 100755 new mode 100644 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml new file mode 100644 index 00000000000..7c3428468f0 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml @@ -0,0 +1,26 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/envoy-gateway/httproute-btls/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: example.com + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.endpoints.yaml new file mode 100644 index 00000000000..90d97a4e2f6 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: httproute/envoy-gateway/httproute-btls/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 10.244.0.11 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/envoy-gateway/httproute-btls/rule/0/backend/0 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml new file mode 100644 index 00000000000..4bdeddbb3fc --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml @@ -0,0 +1,34 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-btls/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http + useRemoteAddress: true + drainType: MODIFY_ONLY + name: envoy-gateway/gateway-btls/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.routes.yaml new file mode 100644 index 00000000000..bd4f9cfe7e2 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.routes.yaml 
@@ -0,0 +1,14 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-btls/http + virtualHosts: + - domains: + - '*' + name: envoy-gateway/gateway-btls/http/* + routes: + - match: + path: /exact + name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/* + route: + cluster: httproute/envoy-gateway/httproute-btls/rule/0 + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.endpoints.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.routes.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.secrets.yaml old mode 100755 new mode 100644 diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index c59953f8b32..16b7e7a9d1d 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go 
@@ -510,8 +510,10 @@ func processXdsCluster(tCtx *types.ResourceVersionTable, httpRoute *ir.HTTPRoute if httpRoute.Destination.Settings[0].TLS != nil { CaSecret := buildXdsUpstreamTLSCASecret(httpRoute.Destination.Settings[0].TLS) - if err := tCtx.AddXdsResource(resourcev3.SecretType, CaSecret); err != nil { - return err + if CaSecret != nil { + if err := tCtx.AddXdsResource(resourcev3.SecretType, CaSecret); err != nil { + return err + } } // for upstreamTLS , a fixed sni can be used. use auto_sni otherwise // https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/sni#faq-how-to-setup-sni:~:text=For%20clusters%2C%20a,for%20trust%20anchor. @@ -599,6 +601,9 @@ const ( func buildXdsUpstreamTLSCASecret(tlsConfig *ir.TLSUpstreamConfig) *tlsv3.Secret { // Build the tls secret + if tlsConfig.UseSystemTrustStore { + return nil + } return &tlsv3.Secret{ Name: tlsConfig.CACertificate.Name, Type: &tlsv3.Secret_ValidationContext{ 
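Review bot: buildXdsUpstreamTLSCASecret still dereferences `tlsConfig.CACertificate.Name` on the non-system path, and CACertificate is now a `*TLSCACertificate` in the IR, so an IR with `useSystemTrustStore: false` and no caCertificate (the IR is loaded from YAML in translator_test.go, and any other producer could omit it) panics in the translator instead of returning an error. Since the nil case now has a meaning, the guard should cover both, `if tlsConfig.UseSystemTrustStore || tlsConfig.CACertificate == nil { return nil }`, and processXdsCluster's new `if CaSecret != nil` check already tolerates the nil return. The same dereference appears in the else branch of buildXdsUpstreamTLSSocketWthCert in the next hunk, where it should become an explicit error return rather than a panic. buildXdsUpstreamTLSCASecret's body continues past the end of this hunk.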
@@ -613,17 +618,42 @@ func buildXdsUpstreamTLSCASecret(tlsConfig *ir.TLSUpstreamConfig) *tlsv3.Secret
 func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3.TransportSocket, error) {
- tlsCtx := &tlsv3.UpstreamTlsContext{
- CommonTlsContext: &tlsv3.CommonTlsContext{
- TlsCertificateSdsSecretConfigs: nil,
- ValidationContextType: &tlsv3.CommonTlsContext_ValidationContextSdsSecretConfig{
- ValidationContextSdsSecretConfig: &tlsv3.SdsSecretConfig{
- Name: tlsConfig.CACertificate.Name,
- SdsConfig: makeConfigSource(),
+ var tlsCtx *tlsv3.UpstreamTlsContext
+
+ if tlsConfig.UseSystemTrustStore {
+ tlsCtx = &tlsv3.UpstreamTlsContext{
+ CommonTlsContext: &tlsv3.CommonTlsContext{
+ ValidationContextType: &tlsv3.CommonTlsContext_ValidationContext{
+ ValidationContext: &tlsv3.CertificateValidationContext{
+ TrustedCa: &corev3.DataSource{
+ Specifier: &corev3.DataSource_Filename{
+ // This is the default location for the system trust store
+ // on Debian derivatives like the envoy-proxy image being used by the infrastructure
+ // controller.
+ // See https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl
+ // TODO: allow customizing this value via EnvoyGateway so that if a non-standard
+ // envoy image is being used, this can be modified to match
+ Filename: "/etc/ssl/certs/ca-certificates.crt",
+ },
+ },
+ },
 },
 },
- },
- Sni: tlsConfig.SNI,
+ Sni: tlsConfig.SNI,
+ }
+ } else {
+ tlsCtx = &tlsv3.UpstreamTlsContext{
+ CommonTlsContext: &tlsv3.CommonTlsContext{
+ TlsCertificateSdsSecretConfigs: nil,
+ ValidationContextType: &tlsv3.CommonTlsContext_ValidationContextSdsSecretConfig{
+ ValidationContextSdsSecretConfig: &tlsv3.SdsSecretConfig{
+ Name: tlsConfig.CACertificate.Name,
+ SdsConfig: makeConfigSource(),
+ },
+ },
+ },
+ Sni: tlsConfig.SNI,
+ }
 }
 tlsCtxAny, err := anypb.New(tlsCtx)
diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go
index 78f307cd68e..7a3d52c480f 100644
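Review bot: The inline CertificateValidationContext added for the system-trust-store branch sets only TrustedCa, so unless SAN validation is enabled elsewhere on the cluster (e.g. auto_san_validation in the upstream HTTP protocol options, which is outside this hunk) Envoy verifies the chain against the public root store but does not check that the certificate was issued for the host in `tlsConfig.SNI`; with a public trust store that means any validly issued certificate for any domain passes, a materially weaker check than the private-CA path implies. Populating `MatchTypedSubjectAltNames` with a DNS `SubjectAltNameMatcher` pinned to `tlsConfig.SNI`, guarded on SNI being non-empty (an exact match on "" rejects every peer), closes that gap; the same consideration applies to the SDS branch, whose validation context is built in buildXdsUpstreamTLSCASecret in the preceding hunk. The hard-coded `/etc/ssl/certs/ca-certificates.crt` is already covered by the TODO, but until it is configurable a missing bundle on a custom image only shows up as a TLS handshake failure at connect time, so the comment could state that failure mode for operators. The two branches also duplicate the UpstreamTlsContext and the `Sni: tlsConfig.SNI` assignment when only ValidationContextType differs; choosing that value in the branch and building the outer struct once would shrink the change. The function's tail (the anypb.New call and its error handling) continues outside the hunk.
```go
ValidationContext: &tlsv3.CertificateValidationContext{
	// … unchanged: TrustedCa file data source …
	// Pin the peer certificate to the configured SNI; a public trust store
	// otherwise accepts any certificate issued by any trusted CA. Only set
	// when tlsConfig.SNI is non-empty (see note).
	MatchTypedSubjectAltNames: []*tlsv3.SubjectAltNameMatcher{{
		SanType: tlsv3.SubjectAltNameMatcher_DNS,
		// StringMatcher lives in envoy/type/matcher/v3; use the file's existing alias
		Matcher: &matcherv3.StringMatcher{
			MatchPattern: &matcherv3.StringMatcher_Exact{Exact: tlsConfig.SNI},
		},
	}},
},
```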
--- a/internal/xds/translator/translator_test.go
+++ b/internal/xds/translator/translator_test.go
@@ -90,6 +90,9 @@ func TestTranslateXds(t *testing.T) {
 {
 name: "http-route-dns-cluster",
 },
+ {
+ name: "http-route-with-tls-system-truststore",
+ },
 {
 name: "http-route-with-tlsbundle",
 requireSecrets: true,
From 10b39e071abfb63ad9aa39f28e64dc8ee8a1f1b3 Mon Sep 17 00:00:00 2001 From: Xunzhuo Date: Thu, 7 Mar 2024 11:08:22 +0800 Subject: [PATCH 2/4] docs: refactor user guides (#2797) * docs: refactor user guides Signed-off-by: bitliu * fix: relative paths Signed-off-by: bitliu --------- 
Signed-off-by: bitliu --- site/content/en/latest/install/api.md | 5 +---- site/content/en/latest/user/extensibility/_index.md | 5 +++++ .../user/{ => extensibility}/envoy-patch-policy.md | 6 +++--- site/content/en/latest/user/observability/_index.md | 5 +++++ .../user/{ => observability}/gateway-api-metrics.md | 2 +- .../user/{ => observability}/grafana-integration.md | 2 +- .../user/{ => observability}/proxy-observability.md | 2 +- site/content/en/latest/user/operations/_index.md | 5 +++++ .../user/{ => operations}/customize-envoyproxy.md | 4 ++-- .../en/latest/user/{ => operations}/deployment-mode.md | 2 +- site/content/en/latest/user/{ => operations}/egctl.md | 2 +- site/content/en/latest/user/quickstart.md | 1 + site/content/en/latest/user/security/_index.md | 5 +++++ .../en/latest/user/{ => security}/basic-auth.md | 10 +++++----- site/content/en/latest/user/{ => security}/cors.md | 10 +++++----- .../latest/user/{ => security}/jwt-authentication.md | 10 +++++----- site/content/en/latest/user/{ => security}/oidc.md | 8 ++++---- .../en/latest/user/{ => security}/secure-gateways.md | 10 +++++----- .../en/latest/user/{ => security}/tls-cert-manager.md | 2 +- .../en/latest/user/{ => security}/tls-passthrough.md | 6 +++--- .../en/latest/user/{ => security}/tls-termination.md | 2 +- site/content/en/latest/user/traffic/_index.md | 5 +++++ .../en/latest/user/{ => traffic}/circuit-breaker.md | 4 ++-- .../latest/user/{ => traffic}/client-traffic-policy.md | 6 +++--- .../en/latest/user/{ => traffic}/fault-injection.md | 8 ++++---- .../en/latest/user/{ => traffic}/gateway-address.md | 4 ++-- .../en/latest/user/{ => traffic}/gatewayapi-support.md | 4 ++-- .../en/latest/user/{ => traffic}/global-rate-limit.md | 4 ++-- .../en/latest/user/{ => traffic}/grpc-routing.md | 2 +- .../en/latest/user/{ => traffic}/http-redirect.md | 2 +- .../latest/user/{ => traffic}/http-request-headers.md | 2 +- .../user/{ => traffic}/http-request-mirroring.md | 2 +- .../latest/user/{ => 
traffic}/http-response-headers.md | 2 +- .../en/latest/user/{ => traffic}/http-routing.md | 2 +- .../en/latest/user/{ => traffic}/http-timeouts.md | 2 +- .../user/{ => traffic}/http-traffic-splitting.md | 2 +- .../en/latest/user/{ => traffic}/http-urlrewrite.md | 2 +- site/content/en/latest/user/{ => traffic}/http3.md | 0 .../en/latest/user/{ => traffic}/local-rate-limit.md | 4 ++-- .../latest/user/{ => traffic}/multicluster-service.md | 0 site/content/en/latest/user/{ => traffic}/retry.md | 4 ++-- .../en/latest/user/{ => traffic}/tcp-routing.md | 2 +- .../en/latest/user/{ => traffic}/udp-routing.md | 6 +++--- 43 files changed, 98 insertions(+), 75 deletions(-) create mode 100644 site/content/en/latest/user/extensibility/_index.md rename site/content/en/latest/user/{ => extensibility}/envoy-patch-policy.md (96%) create mode 100644 site/content/en/latest/user/observability/_index.md rename site/content/en/latest/user/{ => observability}/gateway-api-metrics.md (96%) rename site/content/en/latest/user/{ => observability}/grafana-integration.md (96%) rename site/content/en/latest/user/{ => observability}/proxy-observability.md (97%) create mode 100644 site/content/en/latest/user/operations/_index.md rename site/content/en/latest/user/{ => operations}/customize-envoyproxy.md (98%) rename site/content/en/latest/user/{ => operations}/deployment-mode.md (99%) rename site/content/en/latest/user/{ => operations}/egctl.md (99%) create mode 100644 site/content/en/latest/user/security/_index.md rename site/content/en/latest/user/{ => security}/basic-auth.md (89%) rename site/content/en/latest/user/{ => security}/cors.md (90%) rename site/content/en/latest/user/{ => security}/jwt-authentication.md (91%) rename site/content/en/latest/user/{ => security}/oidc.md (92%) rename site/content/en/latest/user/{ => security}/secure-gateways.md (96%) rename site/content/en/latest/user/{ => security}/tls-cert-manager.md (99%) rename site/content/en/latest/user/{ => 
security}/tls-passthrough.md (91%) rename site/content/en/latest/user/{ => security}/tls-termination.md (96%) create mode 100644 site/content/en/latest/user/traffic/_index.md rename site/content/en/latest/user/{ => traffic}/circuit-breaker.md (96%) rename site/content/en/latest/user/{ => traffic}/client-traffic-policy.md (97%) rename site/content/en/latest/user/{ => traffic}/fault-injection.md (94%) rename site/content/en/latest/user/{ => traffic}/gateway-address.md (93%) rename site/content/en/latest/user/{ => traffic}/gatewayapi-support.md (98%) rename site/content/en/latest/user/{ => traffic}/global-rate-limit.md (99%) rename site/content/en/latest/user/{ => traffic}/grpc-routing.md (98%) rename site/content/en/latest/user/{ => traffic}/http-redirect.md (98%) rename site/content/en/latest/user/{ => traffic}/http-request-headers.md (98%) rename site/content/en/latest/user/{ => traffic}/http-request-mirroring.md (99%) rename site/content/en/latest/user/{ => traffic}/http-response-headers.md (98%) rename site/content/en/latest/user/{ => traffic}/http-routing.md (98%) rename site/content/en/latest/user/{ => traffic}/http-timeouts.md (96%) rename site/content/en/latest/user/{ => traffic}/http-traffic-splitting.md (98%) rename site/content/en/latest/user/{ => traffic}/http-urlrewrite.md (98%) rename site/content/en/latest/user/{ => traffic}/http3.md (100%) rename site/content/en/latest/user/{ => traffic}/local-rate-limit.md (97%) rename site/content/en/latest/user/{ => traffic}/multicluster-service.md (100%) rename site/content/en/latest/user/{ => traffic}/retry.md (87%) rename site/content/en/latest/user/{ => traffic}/tcp-routing.md (98%) rename site/content/en/latest/user/{ => traffic}/udp-routing.md (92%) diff --git a/site/content/en/latest/install/api.md b/site/content/en/latest/install/api.md index 165a91d01e6..a1ab34ca0bf 100644 --- a/site/content/en/latest/install/api.md +++ b/site/content/en/latest/install/api.md 
@@ -1,7 +1,4 @@ -+++ -title = "gateway-helm" -+++ - +# gateway-helm ![Version: v0.0.0-latest](https://img.shields.io/badge/Version-v0.0.0--latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) diff --git a/site/content/en/latest/user/extensibility/_index.md b/site/content/en/latest/user/extensibility/_index.md new file mode 100644 index 00000000000..9560b0dd241 --- /dev/null +++ b/site/content/en/latest/user/extensibility/_index.md @@ -0,0 +1,5 @@ +--- +title: "Extensibility" +weight: 4 +description: This section includes User Guides of Extensibility. +--- diff --git a/site/content/en/latest/user/envoy-patch-policy.md b/site/content/en/latest/user/extensibility/envoy-patch-policy.md similarity index 96% rename from site/content/en/latest/user/envoy-patch-policy.md rename to site/content/en/latest/user/extensibility/envoy-patch-policy.md index dc403d57bc0..994436c9473 100644 --- a/site/content/en/latest/user/envoy-patch-policy.md +++ b/site/content/en/latest/user/extensibility/envoy-patch-policy.md @@ -22,7 +22,7 @@ not exposed by Envoy Gateway APIs today. ### Prerequisites -* Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +* Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Enable EnvoyPatchPolicy 
@@ -233,8 +233,8 @@ across versions for these reasons * Envoy Gateway might alter the xDS translation creating a different xDS output such as changing the `name` field of resources. -[EnvoyPatchPolicy]: ../../api/extension_types#envoypatchpolicy -[EnvoyGateway]: ../../api/extension_types#envoygateway +[EnvoyPatchPolicy]: ../../../api/extension_types#envoypatchpolicy +[EnvoyGateway]: ../../../api/extension_types#envoygateway [JSON Patch]: https://datatracker.ietf.org/doc/html/rfc6902 [xDS]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration [Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply diff --git a/site/content/en/latest/user/observability/_index.md b/site/content/en/latest/user/observability/_index.md new file mode 100644 index 00000000000..ed877d4355b --- /dev/null +++ b/site/content/en/latest/user/observability/_index.md @@ -0,0 +1,5 @@ +--- +title: "Observability" +weight: 4 +description: This section includes User Guides of Observability. +--- diff --git a/site/content/en/latest/user/gateway-api-metrics.md b/site/content/en/latest/user/observability/gateway-api-metrics.md similarity index 96% rename from site/content/en/latest/user/gateway-api-metrics.md rename to site/content/en/latest/user/observability/gateway-api-metrics.md index a7764edbfc1..e99a8dee692 100644 --- a/site/content/en/latest/user/gateway-api-metrics.md +++ b/site/content/en/latest/user/observability/gateway-api-metrics.md 
@@ -7,7 +7,7 @@ The project also provides example dashboard for visualising the metrics using Gr ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Run the following commands to install the metrics stack, with the Gateway API State Metrics configuration, on your kubernetes cluster: diff --git a/site/content/en/latest/user/grafana-integration.md b/site/content/en/latest/user/observability/grafana-integration.md similarity index 96% rename from site/content/en/latest/user/grafana-integration.md rename to site/content/en/latest/user/observability/grafana-integration.md index 3c1aa0a8b6d..b7c58e0d582 100644 --- a/site/content/en/latest/user/grafana-integration.md +++ b/site/content/en/latest/user/observability/grafana-integration.md @@ -7,7 +7,7 @@ This guide shows you how to visualise the metrics exposed to prometheus using gr ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Follow the steps from the [Proxy Observability](../proxy-observability#Metrics) to enable prometheus metrics. diff --git a/site/content/en/latest/user/proxy-observability.md b/site/content/en/latest/user/observability/proxy-observability.md similarity index 97% rename from site/content/en/latest/user/proxy-observability.md rename to site/content/en/latest/user/observability/proxy-observability.md index f9d8f2d5a0d..c521b62cbe9 100644 --- a/site/content/en/latest/user/proxy-observability.md +++ b/site/content/en/latest/user/observability/proxy-observability.md 
@@ -7,7 +7,7 @@ This guide show you how to config proxy observability, includes metrics, logs, a ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. [FluentBit](https://fluentbit.io/) is used to collect logs from the EnvoyProxy instances and forward them to Loki. Install FluentBit: diff --git a/site/content/en/latest/user/operations/_index.md b/site/content/en/latest/user/operations/_index.md new file mode 100644 index 00000000000..0341d46ad0a --- /dev/null +++ b/site/content/en/latest/user/operations/_index.md @@ -0,0 +1,5 @@ +--- +title: "Operations" +weight: 4 +description: This section includes User Guides of Operations. +--- diff --git a/site/content/en/latest/user/customize-envoyproxy.md b/site/content/en/latest/user/operations/customize-envoyproxy.md similarity index 98% rename from site/content/en/latest/user/customize-envoyproxy.md rename to site/content/en/latest/user/operations/customize-envoyproxy.md index 3bc0c0c96d6..5d78247fbbd 100644 --- a/site/content/en/latest/user/customize-envoyproxy.md +++ b/site/content/en/latest/user/operations/customize-envoyproxy.md @@ -8,7 +8,7 @@ Service. To learn more about GatewayClass and ParametersRef, please refer to [Ga ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Add GatewayClass ParametersRef 
@@ -368,5 +368,5 @@ EOF ``` [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ -[EnvoyProxy]: ../../api/extension_types#envoyproxy +[EnvoyProxy]: ../../../api/extension_types#envoyproxy [egctl translate]: ../egctl/#validating-gateway-api-configuration diff --git a/site/content/en/latest/user/deployment-mode.md b/site/content/en/latest/user/operations/deployment-mode.md similarity index 99% rename from site/content/en/latest/user/deployment-mode.md rename to site/content/en/latest/user/operations/deployment-mode.md index 534a55754e8..2a2fa651951 100644 --- a/site/content/en/latest/user/deployment-mode.md +++ b/site/content/en/latest/user/operations/deployment-mode.md @@ -410,6 +410,6 @@ Handling connection for 8889 ``` [GatewayClass]: https://gateway-api.sigs.k8s.io/api-types/gatewayclass/ -[Namespaced deployment mode]: ../../api/extension_types#kuberneteswatchmode +[Namespaced deployment mode]: ../../../api/extension_types#kuberneteswatchmode [issue1231]: https://github.com/envoyproxy/gateway/issues/1231 [issue1117]: https://github.com/envoyproxy/gateway/issues/1117 diff --git a/site/content/en/latest/user/egctl.md b/site/content/en/latest/user/operations/egctl.md similarity index 99% rename from site/content/en/latest/user/egctl.md rename to site/content/en/latest/user/operations/egctl.md index cb361673fd1..80a5f5f7fce 100644 --- a/site/content/en/latest/user/egctl.md +++ b/site/content/en/latest/user/operations/egctl.md @@ -824,7 +824,7 @@ product backend ResolvedRefs True ResolvedRefs [Multi-tenancy]: ../deployment-mode#multi-tenancy -[EnvoyProxy]: ../../api/extension_types#envoyproxy +[EnvoyProxy]: ../../../api/extension_types#envoyproxy ## egctl experimental dashboard diff --git a/site/content/en/latest/user/quickstart.md b/site/content/en/latest/user/quickstart.md index c0850751c75..21a79c1ed5c 100644 --- a/site/content/en/latest/user/quickstart.md +++ b/site/content/en/latest/user/quickstart.md 
@@ -1,6 +1,7 @@ --- title: "Quickstart" weight: 1 +description: Get started with Envoy Gateway in a few simple steps. --- This guide will help you get started with Envoy Gateway in a few simple steps. diff --git a/site/content/en/latest/user/security/_index.md b/site/content/en/latest/user/security/_index.md new file mode 100644 index 00000000000..f469d0c55a5 --- /dev/null +++ b/site/content/en/latest/user/security/_index.md @@ -0,0 +1,5 @@ +--- +title: "Security" +weight: 2 +description: This section includes User Guides of Security. +--- diff --git a/site/content/en/latest/user/basic-auth.md b/site/content/en/latest/user/security/basic-auth.md similarity index 89% rename from site/content/en/latest/user/basic-auth.md rename to site/content/en/latest/user/security/basic-auth.md index 6affe9e5c87..4576c6e60b4 100644 --- a/site/content/en/latest/user/basic-auth.md +++ b/site/content/en/latest/user/security/basic-auth.md @@ -12,7 +12,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Configuration @@ -78,7 +78,7 @@ kubectl get securitypolicy/basic-auth-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the Quickstart instructions to set the variable. ```shell 
@@ -117,7 +117,7 @@ The request should be allowed and you should see the response from the backend s ## Clean-Up -Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy and the secret @@ -128,9 +128,9 @@ kubectl delete secret/basic-auth ## Next Steps -Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. +Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project. -[SecurityPolicy]: ../../design/security-policy/ +[SecurityPolicy]: ../../../design/security-policy/ [http Basic authentication]: https://tools.ietf.org/html/rfc2617 [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute diff --git a/site/content/en/latest/user/cors.md b/site/content/en/latest/user/security/cors.md similarity index 90% rename from site/content/en/latest/user/cors.md rename to site/content/en/latest/user/security/cors.md index 886d795a66a..184b566afd1 100644 --- a/site/content/en/latest/user/cors.md +++ b/site/content/en/latest/user/security/cors.md @@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Configuration 
@@ -57,7 +57,7 @@ kubectl get securitypolicy/cors-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -122,7 +122,7 @@ filter to work. Otherwise, the OPTIONS request won't match the routes and the CO ## Clean-Up -Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: @@ -132,9 +132,9 @@ kubectl delete securitypolicy/cors-example ## Next Steps -Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. +Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project. -[SecurityPolicy]: ../../design/security-policy/ +[SecurityPolicy]: ../../../design/security-policy/ [cors]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute diff --git a/site/content/en/latest/user/jwt-authentication.md b/site/content/en/latest/user/security/jwt-authentication.md similarity index 91% rename from site/content/en/latest/user/jwt-authentication.md rename to site/content/en/latest/user/security/jwt-authentication.md index 368b6af9d09..a4897302979 100644 --- a/site/content/en/latest/user/jwt-authentication.md +++ b/site/content/en/latest/user/security/jwt-authentication.md 
@@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. For GRPC - follow the steps from the [GRPC Routing](../grpc-routing) example. Before proceeding, you should be able to query the example backend using HTTP or GRPC. @@ -71,7 +71,7 @@ kubectl get securitypolicy/jwt-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -150,7 +150,7 @@ You should see the below response ## Clean-Up -Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: @@ -160,9 +160,9 @@ kubectl delete securitypolicy/jwt-example ## Next Steps -Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. +Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project. -[SecurityPolicy]: ../../design/security-policy/ +[SecurityPolicy]: ../../../design/security-policy/ [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway diff --git a/site/content/en/latest/user/oidc.md b/site/content/en/latest/user/security/oidc.md similarity index 92% rename from site/content/en/latest/user/oidc.md rename to site/content/en/latest/user/security/oidc.md index 6d4deba8efd..adf85206006 100644 
--- a/site/content/en/latest/user/oidc.md +++ b/site/content/en/latest/user/security/oidc.md @@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute] ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. OIDC authentication requires the redirect URL to be HTTPS. Follow the [Secure Gateways](../secure-gateways) guide @@ -110,7 +110,7 @@ successfully login, you should see the response from the backend service. ## Clean-Up -Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy and the secret: @@ -121,10 +121,10 @@ kubectl delete secret/my-app-client-secret ## Next Steps -Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. +Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project. [oidc]: https://openid.net/connect/ [google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect -[SecurityPolicy]: ../../design/security-policy/ +[SecurityPolicy]: ../../../design/security-policy/ [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute diff --git a/site/content/en/latest/user/secure-gateways.md b/site/content/en/latest/user/security/secure-gateways.md similarity index 96% rename from site/content/en/latest/user/secure-gateways.md rename to site/content/en/latest/user/security/secure-gateways.md index 805aeb8b1a6..70a3049289b 100644 --- a/site/content/en/latest/user/secure-gateways.md 
+++ b/site/content/en/latest/user/security/secure-gateways.md @@ -11,7 +11,7 @@ testing and demonstration purposes only. ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -242,7 +242,7 @@ Lastly, test connectivity using the above [Testing section](#testing). ## Clean-Up -Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the Secrets: @@ -257,7 +257,7 @@ This section gives a walkthrough to generate RSA and ECDSA derived certificates ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Follow the steps in the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. 
@@ -369,7 +369,7 @@ This sections gives a walkthrough to generate multiple certificates correspondin ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Follow the steps in the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. @@ -450,6 +450,6 @@ Refer to the steps mentioned earlier in the guide under [Testing in clusters wit ## Next Steps -Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. +Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project. [ReferenceGrant]: https://gateway-api.sigs.k8s.io/api-types/referencegrant/ diff --git a/site/content/en/latest/user/tls-cert-manager.md b/site/content/en/latest/user/security/tls-cert-manager.md similarity index 99% rename from site/content/en/latest/user/tls-cert-manager.md rename to site/content/en/latest/user/security/tls-cert-manager.md index d3077a86bd0..690a5e02e04 100644 --- a/site/content/en/latest/user/tls-cert-manager.md +++ b/site/content/en/latest/user/security/tls-cert-manager.md @@ -18,7 +18,7 @@ Changing to the Let's Encrypt production environment is straight-forward after t ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Deploying cert-manager 
diff --git a/site/content/en/latest/user/tls-passthrough.md b/site/content/en/latest/user/security/tls-passthrough.md similarity index 91% rename from site/content/en/latest/user/tls-passthrough.md rename to site/content/en/latest/user/security/tls-passthrough.md index 34af20e5dce..f732b71236b 100644 --- a/site/content/en/latest/user/tls-passthrough.md +++ b/site/content/en/latest/user/security/tls-passthrough.md @@ -12,7 +12,7 @@ to terminate the TLS connection, while the Gateway routes the requests to the ap ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -106,7 +106,7 @@ curl -v -HHost:passthrough.example.com --resolve "passthrough.example.com:6443:$ ## Clean-Up -Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the Secret: @@ -116,4 +116,4 @@ kubectl delete secret/server-certs ## Next Steps -Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. +Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project. diff --git a/site/content/en/latest/user/tls-termination.md b/site/content/en/latest/user/security/tls-termination.md similarity index 96% rename from site/content/en/latest/user/tls-termination.md rename to site/content/en/latest/user/security/tls-termination.md index eb0d2d6932c..1c75b40e6db 100644 --- a/site/content/en/latest/user/tls-termination.md +++ b/site/content/en/latest/user/security/tls-termination.md 
@@ -10,7 +10,7 @@ This guide will walk through the steps required to configure TLS Terminate mode ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway. ## TLS Certificates Generate the certificates and keys used by the Gateway to terminate client TLS connections. diff --git a/site/content/en/latest/user/traffic/_index.md b/site/content/en/latest/user/traffic/_index.md new file mode 100644 index 00000000000..87e84e04907 --- /dev/null +++ b/site/content/en/latest/user/traffic/_index.md @@ -0,0 +1,5 @@ +--- +title: "Traffic" +weight: 1 +description: This section includes User Guides of Traffic Management. +--- diff --git a/site/content/en/latest/user/circuit-breaker.md b/site/content/en/latest/user/traffic/circuit-breaker.md similarity index 96% rename from site/content/en/latest/user/circuit-breaker.md rename to site/content/en/latest/user/traffic/circuit-breaker.md index b870b116a13..2a797fc24c4 100644 --- a/site/content/en/latest/user/circuit-breaker.md +++ b/site/content/en/latest/user/traffic/circuit-breaker.md @@ -20,7 +20,7 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP ### Install Envoy Gateway -* Follow the installation step from the [Quickstart Guide](../quickstart) to install Envoy Gateway and sample resources. +* Follow the installation step from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and sample resources. ### Install the hey load testing tool * The `hey` CLI will be used to generate load and measure response times. Follow the installation instruction from the [Hey project] docs. 
@@ -116,7 +116,7 @@ With the new circuit breaker settings, and due to the slowness of the backend, o * Upstream traffic was limited, alleviating the pressure on the degraded service. [Envoy Circuit Breakers]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking -[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ diff --git a/site/content/en/latest/user/client-traffic-policy.md b/site/content/en/latest/user/traffic/client-traffic-policy.md similarity index 97% rename from site/content/en/latest/user/client-traffic-policy.md rename to site/content/en/latest/user/traffic/client-traffic-policy.md index 7b7e7938dd2..7b37f8d4338 100644 --- a/site/content/en/latest/user/client-traffic-policy.md +++ b/site/content/en/latest/user/traffic/client-traffic-policy.md @@ -18,7 +18,7 @@ This API was added as a new policy attachment resource that can be applied to Ga ### Prerequisites -* Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +* Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Support TCP keepalive for downstream client @@ -464,5 +464,5 @@ curl -v http://$GATEWAY_HOST/get \ request timeout ``` -[ClientTrafficPolicy]: ../../api/extension_types#clienttrafficpolicy -[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy +[ClientTrafficPolicy]: ../../../api/extension_types#clienttrafficpolicy +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy 
diff --git a/site/content/en/latest/user/fault-injection.md b/site/content/en/latest/user/traffic/fault-injection.md similarity index 94% rename from site/content/en/latest/user/fault-injection.md rename to site/content/en/latest/user/traffic/fault-injection.md index 0c2a366447a..c033d12aed3 100644 --- a/site/content/en/latest/user/fault-injection.md +++ b/site/content/en/latest/user/traffic/fault-injection.md @@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. For GRPC - follow the steps from the [GRPC Routing](../grpc-routing) example. Before proceeding, you should be able to query the example backend using HTTP or GRPC. @@ -170,7 +170,7 @@ kubectl get backendtrafficpolicy/fault-injection-abort -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -238,7 +238,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = fa ## Clean-Up -Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. Delete the BackendTrafficPolicy: 
@@ -247,7 +247,7 @@ kubectl delete BackendTrafficPolicy/fault-injection-abort ``` [Envoy fault injection]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/fault_filter.html -[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ diff --git a/site/content/en/latest/user/gateway-address.md b/site/content/en/latest/user/traffic/gateway-address.md similarity index 93% rename from site/content/en/latest/user/gateway-address.md rename to site/content/en/latest/user/traffic/gateway-address.md index b87b19ec805..d211d315c1a 100644 --- a/site/content/en/latest/user/gateway-address.md +++ b/site/content/en/latest/user/traffic/gateway-address.md @@ -10,7 +10,7 @@ Depending on the Service Type, the addresses of gateway can be used as: ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. ## External IPs @@ -62,4 +62,4 @@ this will __require__ the address to be of type `IPAddress` and the [ServiceType [Addresses]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayAddress [External IPs]: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips [Cluster IP]: https://kubernetes.io/docs/concepts/services-networking/service/#type-clusterip -[ServiceType]: ../../api/extension_types#servicetype +[ServiceType]: ../../../api/extension_types#servicetype 
diff --git a/site/content/en/latest/user/gatewayapi-support.md b/site/content/en/latest/user/traffic/gatewayapi-support.md similarity index 98% rename from site/content/en/latest/user/gatewayapi-support.md rename to site/content/en/latest/user/traffic/gatewayapi-support.md index a8d27dd6a36..e8d34d43b17 100644 --- a/site/content/en/latest/user/gatewayapi-support.md +++ b/site/content/en/latest/user/traffic/gatewayapi-support.md @@ -94,7 +94,7 @@ these types of cross-namespace references. Envoy Gateway supports the following namespace. - Allowing a Gateway's [SecretObjectReference][] to reference a secret in a different namespace. -[system design]: ../../design/system-design/ +[system design]: ../../../design/system-design/ [Gateway API]: https://gateway-api.sigs.k8s.io/ [GatewayClass]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [parameters reference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ParametersReference @@ -112,7 +112,7 @@ these types of cross-namespace references. Envoy Gateway supports the following [SecretObjectReference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SecretObjectReference [rate limiting]: ../rate-limit/ [request authentication]: ../jwt-authentication/ -[EnvoyProxy]: ../../api/extension_types#envoyproxy +[EnvoyProxy]: ../../../api/extension_types#envoyproxy [resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts [ExtensionRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilterType [grpc-filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter 
diff --git a/site/content/en/latest/user/global-rate-limit.md b/site/content/en/latest/user/traffic/global-rate-limit.md similarity index 99% rename from site/content/en/latest/user/global-rate-limit.md rename to site/content/en/latest/user/traffic/global-rate-limit.md index 1c44b356b13..6a67a9573fe 100644 --- a/site/content/en/latest/user/global-rate-limit.md +++ b/site/content/en/latest/user/traffic/global-rate-limit.md @@ -27,7 +27,7 @@ has its own 100r/s rate limit bucket. ### Install Envoy Gateway -* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. +* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Install Redis @@ -825,7 +825,7 @@ kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system [Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [Local rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/local_rate_limiting -[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit [EnvoyGateway]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoygateway [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ diff --git a/site/content/en/latest/user/grpc-routing.md b/site/content/en/latest/user/traffic/grpc-routing.md similarity index 98% rename from site/content/en/latest/user/grpc-routing.md rename to site/content/en/latest/user/traffic/grpc-routing.md index 5334514b7cc..0d6ccb963be 100644 --- a/site/content/en/latest/user/grpc-routing.md +++ b/site/content/en/latest/user/traffic/grpc-routing.md 
@@ -7,7 +7,7 @@ To learn more about gRPC routing, refer to the [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Installation diff --git a/site/content/en/latest/user/http-redirect.md b/site/content/en/latest/user/traffic/http-redirect.md similarity index 98% rename from site/content/en/latest/user/http-redirect.md rename to site/content/en/latest/user/traffic/http-redirect.md index 1ef88e53fa3..ac6a3aceb18 100644 --- a/site/content/en/latest/user/http-redirect.md +++ b/site/content/en/latest/user/traffic/http-redirect.md @@ -9,7 +9,7 @@ learn more about HTTP routing, refer to the [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTPS. ## Redirects diff --git a/site/content/en/latest/user/http-request-headers.md b/site/content/en/latest/user/traffic/http-request-headers.md similarity index 98% rename from site/content/en/latest/user/http-request-headers.md rename to site/content/en/latest/user/traffic/http-request-headers.md index 25b675a16d7..af946da719e 100644 --- a/site/content/en/latest/user/http-request-headers.md +++ b/site/content/en/latest/user/traffic/http-request-headers.md 
@@ -14,7 +14,7 @@ client. ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Adding Request Headers diff --git a/site/content/en/latest/user/http-request-mirroring.md b/site/content/en/latest/user/traffic/http-request-mirroring.md similarity index 99% rename from site/content/en/latest/user/http-request-mirroring.md rename to site/content/en/latest/user/traffic/http-request-mirroring.md index ff95375f02c..0398cf3780b 100644 --- a/site/content/en/latest/user/http-request-mirroring.md +++ b/site/content/en/latest/user/traffic/http-request-mirroring.md @@ -244,7 +244,7 @@ EOF Error from server: error when creating "STDIN": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.rules[0].filters: Invalid value: "RequestMirror": cannot be used multiple times in the same rule ``` -[Quickstart Guide]: ../quickstart/ +[Quickstart Guide]: ../../quickstart/ [Traffic Splitting]: ../http-traffic-splitting/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [backendRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef diff --git a/site/content/en/latest/user/http-response-headers.md b/site/content/en/latest/user/traffic/http-response-headers.md similarity index 98% rename from site/content/en/latest/user/http-response-headers.md rename to site/content/en/latest/user/traffic/http-response-headers.md index 76cf33362b4..13efc8af19a 100644 --- a/site/content/en/latest/user/http-response-headers.md +++ b/site/content/en/latest/user/traffic/http-response-headers.md 
@@ -12,7 +12,7 @@ upstream service. ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Adding Response Headers diff --git a/site/content/en/latest/user/http-routing.md b/site/content/en/latest/user/traffic/http-routing.md similarity index 98% rename from site/content/en/latest/user/http-routing.md rename to site/content/en/latest/user/traffic/http-routing.md index d5bae431c4d..82d3609f91f 100644 --- a/site/content/en/latest/user/http-routing.md +++ b/site/content/en/latest/user/traffic/http-routing.md @@ -9,7 +9,7 @@ Services. To learn more about HTTP routing, refer to the [Gateway API documentat ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Installation diff --git a/site/content/en/latest/user/http-timeouts.md b/site/content/en/latest/user/traffic/http-timeouts.md similarity index 96% rename from site/content/en/latest/user/http-timeouts.md rename to site/content/en/latest/user/traffic/http-timeouts.md index a23e1fa5b69..c3abc192611 100644 --- a/site/content/en/latest/user/http-timeouts.md +++ b/site/content/en/latest/user/traffic/http-timeouts.md 
@@ -12,7 +12,7 @@ __Note:__ The Request duration must be >= BackendRequest duration ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Verification diff --git a/site/content/en/latest/user/http-traffic-splitting.md b/site/content/en/latest/user/traffic/http-traffic-splitting.md similarity index 98% rename from site/content/en/latest/user/http-traffic-splitting.md rename to site/content/en/latest/user/traffic/http-traffic-splitting.md index abc4a550ae3..ef240753ad8 100644 --- a/site/content/en/latest/user/http-traffic-splitting.md +++ b/site/content/en/latest/user/traffic/http-traffic-splitting.md @@ -8,7 +8,7 @@ with status code `500` for all requests that would have been sent to that backen ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Single backendRef diff --git a/site/content/en/latest/user/http-urlrewrite.md b/site/content/en/latest/user/traffic/http-urlrewrite.md similarity index 98% rename from site/content/en/latest/user/http-urlrewrite.md rename to site/content/en/latest/user/traffic/http-urlrewrite.md index 945a24a7a44..062f6086392 100644 --- a/site/content/en/latest/user/http-urlrewrite.md +++ b/site/content/en/latest/user/traffic/http-urlrewrite.md 
@@ -7,7 +7,7 @@ used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequ ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Rewrite URL Prefix Path diff --git a/site/content/en/latest/user/http3.md b/site/content/en/latest/user/traffic/http3.md similarity index 100% rename from site/content/en/latest/user/http3.md rename to site/content/en/latest/user/traffic/http3.md diff --git a/site/content/en/latest/user/local-rate-limit.md b/site/content/en/latest/user/traffic/local-rate-limit.md similarity index 97% rename from site/content/en/latest/user/local-rate-limit.md rename to site/content/en/latest/user/traffic/local-rate-limit.md index 633d198015e..822e2dd5e56 100644 --- a/site/content/en/latest/user/local-rate-limit.md +++ b/site/content/en/latest/user/traffic/local-rate-limit.md @@ -28,7 +28,7 @@ has its own 100r/s rate limit bucket. ### Install Envoy Gateway -* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. +* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Rate Limit Specific User 
@@ -276,7 +276,7 @@ you should use [Global Rate Limiting][]. [Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [Local rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/local_rate_limiting -[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ diff --git a/site/content/en/latest/user/multicluster-service.md b/site/content/en/latest/user/traffic/multicluster-service.md similarity index 100% rename from site/content/en/latest/user/multicluster-service.md rename to site/content/en/latest/user/traffic/multicluster-service.md diff --git a/site/content/en/latest/user/retry.md b/site/content/en/latest/user/traffic/retry.md similarity index 87% rename from site/content/en/latest/user/retry.md rename to site/content/en/latest/user/traffic/retry.md index 7a553f84f56..ad40202a107 100644 --- a/site/content/en/latest/user/retry.md +++ b/site/content/en/latest/user/traffic/retry.md 
@@ -9,13 +9,13 @@ Envoy Gateway supports the following retry settings: - **RetryOn**: specifies the retry trigger condition. - **PerRetryPolicy**: is the retry policy to be applied per retry attempt. -Envoy Gateway introduces a new CRD called [BackendTrafficPolicy](../../api/extension_types#backendtrafficpolicy) that allows the user to describe their desired retry settings. This instantiated resource can be linked to a [Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/), [HTTPRoute](https://gateway-api.sigs.k8s.io/api-types/httproute/) or [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/) resource. +Envoy Gateway introduces a new CRD called [BackendTrafficPolicy](../../../api/extension_types#backendtrafficpolicy) that allows the user to describe their desired retry settings. This instantiated resource can be linked to a [Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/), [HTTPRoute](https://gateway-api.sigs.k8s.io/api-types/httproute/) or [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/) resource. **Note**: There are distinct circuit breaker counters for each `BackendReference` in an `xRoute` rule. Even if a `BackendTrafficPolicy` targets a `Gateway`, each `BackendReference` in that gateway still has separate circuit breaker counter. ## Prerequisites -Follow the installation step from the [Quickstart Guide](../quickstart) to install Envoy Gateway and sample resources. +Follow the installation step from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and sample resources. ## Test and customize retry settings diff --git a/site/content/en/latest/user/tcp-routing.md b/site/content/en/latest/user/traffic/tcp-routing.md similarity index 98% rename from site/content/en/latest/user/tcp-routing.md rename to site/content/en/latest/user/traffic/tcp-routing.md index 4928432f24b..854522c7b98 100644 --- a/site/content/en/latest/user/tcp-routing.md +++ b/site/content/en/latest/user/traffic/tcp-routing.md 
@@ -8,7 +8,7 @@ HTTP routing, refer to the [Gateway API documentation][]. ## Installation -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Configuration diff --git a/site/content/en/latest/user/udp-routing.md b/site/content/en/latest/user/traffic/udp-routing.md similarity index 92% rename from site/content/en/latest/user/udp-routing.md rename to site/content/en/latest/user/traffic/udp-routing.md index 6cd4c83ffb2..521d0b41acc 100644 --- a/site/content/en/latest/user/udp-routing.md +++ b/site/content/en/latest/user/traffic/udp-routing.md @@ -12,7 +12,7 @@ For additional information, refer to Envoy's [UDP proxy documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Installation @@ -128,7 +128,7 @@ _udp.foo.bar.com. 0 IN SRV 0 0 42376 . ## Clean-Up -Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway. +Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway. Delete the CoreDNS example manifest and the UDPRoute: 
@@ -141,7 +141,7 @@ kubectl delete udproute/coredns ## Next Steps -Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. +Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project. [UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute [UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy From bdda774ac3f164272d11176124be1f9121434f5e Mon Sep 17 00:00:00 2001 From: Xunzhuo Date: Thu, 7 Mar 2024 12:01:55 +0800 Subject: [PATCH 3/4] Fix gen check (#2814) * fix: gen-check error Signed-off-by: bitliu * run lint for docs Signed-off-by: bitliu --------- Signed-off-by: bitliu --- .github/workflows/build_and_test.yaml | 1 - site/content/en/latest/install/api.md | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 540ec319b6e..258b1f4f99a 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -12,7 +12,6 @@ on: - "release/v*" paths-ignore: - "**/*.png" - - 'site/**' permissions: contents: read diff --git a/site/content/en/latest/install/api.md b/site/content/en/latest/install/api.md index a1ab34ca0bf..165a91d01e6 100644 --- a/site/content/en/latest/install/api.md +++ b/site/content/en/latest/install/api.md @@ -1,4 +1,7 @@ -# gateway-helm ++++ +title = "gateway-helm" ++++ + ![Version: v0.0.0-latest](https://img.shields.io/badge/Version-v0.0.0--latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) From 44ede66ea284b1b8cb406dd7f7982a94a518d231 Mon Sep 17 00:00:00 2001 
From: Dennis Zhou Date: Thu, 7 Mar 2024 15:41:17 +0800 Subject: [PATCH 4/4] refactor: set instead of map for mergeGateways (#2803) * refactor:set[T] instead of map[T]bool Signed-off-by: Dennis Zhou * fix lint Signed-off-by: Dennis Zhou --------- Signed-off-by: Dennis Zhou Co-authored-by: Xunzhuo --- internal/cmd/egctl/translate.go | 17 +++--- internal/gatewayapi/backendtrafficpolicy.go | 41 ++++++------- .../gatewayapi/backendtrafficpolicy_test.go | 58 +++++++++++++++++++ internal/gatewayapi/runner/runner.go | 22 ++----- internal/ir/xds.go | 29 +++++----- internal/provider/kubernetes/controller.go | 11 +++- internal/provider/kubernetes/predicates.go | 8 +-- .../provider/kubernetes/predicates_test.go | 9 +-- 8 files changed, 120 insertions(+), 75 deletions(-) diff --git a/internal/cmd/egctl/translate.go b/internal/cmd/egctl/translate.go index a97c83261b7..c8c3d51d24a 100644 --- a/internal/cmd/egctl/translate.go +++ b/internal/cmd/egctl/translate.go @@ -27,6 +27,7 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/util/sets" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" 
@@ -849,21 +850,19 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*gatewayap if provided, found := providedServiceMap[key]; !found { resources.Services = append(resources.Services, service) } else { - providedPorts := map[string]bool{} + providedPorts := sets.NewString() for _, port := range provided.Spec.Ports { - providedPorts[fmt.Sprintf("%s-%d", port.Protocol, port.Port)] = true + portKey := fmt.Sprintf("%s-%d", port.Protocol, port.Port) + providedPorts.Insert(portKey) } for _, port := range service.Spec.Ports { - protocol := port.Protocol - port := port.Port - name := fmt.Sprintf("%s-%d", protocol, port) - - if _, found := providedPorts[name]; !found { + name := fmt.Sprintf("%s-%d", port.Protocol, port.Port) + if !providedPorts.Has(name) { servicePort := v1.ServicePort{ Name: name, - Protocol: protocol, - Port: port, + Protocol: port.Protocol, + Port: port.Port, } provided.Spec.Ports = append(provided.Spec.Ports, servicePort) } diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index ecabbfef29b..f57f17e5726 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -825,14 +825,15 @@ func (t *Translator) buildHTTPActiveHealthChecker(h *egv1a1.HTTPActiveHealthChec *irHTTP.Method = strings.ToUpper(*irHTTP.Method) } - var irStatuses []ir.HTTPStatus // deduplicate http statuses - statusSet := make(map[egv1a1.HTTPStatus]bool, len(h.ExpectedStatuses)) + statusSet := sets.NewInt() for _, r := range h.ExpectedStatuses { - if _, ok := statusSet[r]; !ok { - statusSet[r] = true - irStatuses = append(irStatuses, ir.HTTPStatus(r)) - } + statusSet.Insert(int(r)) + } + irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len()) + + for _, r := range statusSet.List() { + irStatuses = append(irStatuses, ir.HTTPStatus(r)) } irHTTP.ExpectedStatuses = irStatuses 
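Review bot: `sets.NewString()` on the new `providedPorts` line is the pre-generics constructor that recent apimachinery releases mark as deprecated, while this same commit uses `sets.New[string]()` and `sets.Set[string]` in controller.go; `providedPorts := sets.New[string]()` would keep the commit on one API. The same substitution applies to `sets.NewInt()`/`sets.NewString()` in buildHTTPActiveHealthChecker, makeIrStatusSet, makeIrTriggerSet, getIRKeysToDelete and HTTPRoute.Validate later in the series. The merge loop also formats the `%s-%d` key twice and then reuses it as the appended port's `Name`; a one-line comment such as `// Ports are matched on protocol+number; the synthesized key doubles as the port Name, so it must stay unique within the Service.` would record that coupling for the next reader. kubernetesYAMLToResources begins before this hunk and continues after it.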
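Review bot: Replacing the first-seen dedupe with `statusSet.List()` changes the order of `irHTTP.ExpectedStatuses` from input order to ascending numeric order, because `List()` returns a sorted slice; the commit is labelled a refactor, but generated health-check config will be reordered wherever users listed statuses out of order, so either call this out in the description or keep an order-preserving loop. makeIrStatusSet and makeIrTriggerSet in the next hunk carry the same ordering change (triggers become lexicographically sorted). The rewritten block is now the same code as makeIrStatusSet in this file; `irHTTP.ExpectedStatuses = makeIrStatusSet(h.ExpectedStatuses)` would remove the copy. buildHTTPActiveHealthChecker begins before this hunk and continues after it.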
@@ -1158,27 +1159,27 @@ func (t *Translator) buildRetry(policy *egv1a1.BackendTrafficPolicy) *ir.Retry { } func makeIrStatusSet(in []egv1a1.HTTPStatus) []ir.HTTPStatus { - var irStatuses []ir.HTTPStatus - // deduplicate http statuses - statusSet := make(map[egv1a1.HTTPStatus]bool, len(in)) + statusSet := sets.NewInt() for _, r := range in { - if _, ok := statusSet[r]; !ok { - statusSet[r] = true - irStatuses = append(irStatuses, ir.HTTPStatus(r)) - } + statusSet.Insert(int(r)) + } + irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len()) + + for _, r := range statusSet.List() { + irStatuses = append(irStatuses, ir.HTTPStatus(r)) } return irStatuses } func makeIrTriggerSet(in []egv1a1.TriggerEnum) []ir.TriggerEnum { - var irTriggers []ir.TriggerEnum - // deduplicate http statuses - triggerSet := make(map[egv1a1.TriggerEnum]bool, len(in)) + triggerSet := sets.NewString() for _, r := range in { - if _, ok := triggerSet[r]; !ok { - triggerSet[r] = true - irTriggers = append(irTriggers, ir.TriggerEnum(r)) - } + triggerSet.Insert(string(r)) + } + irTriggers := make([]ir.TriggerEnum, 0, triggerSet.Len()) + + for _, r := range triggerSet.List() { + irTriggers = append(irTriggers, ir.TriggerEnum(r)) } return irTriggers } diff --git a/internal/gatewayapi/backendtrafficpolicy_test.go b/internal/gatewayapi/backendtrafficpolicy_test.go index df943a2032b..d40d1e68c76 100644 --- a/internal/gatewayapi/backendtrafficpolicy_test.go +++ b/internal/gatewayapi/backendtrafficpolicy_test.go @@ -7,9 +7,13 @@ package gatewayapi import ( "math" + "reflect" "testing" "github.com/stretchr/testify/require" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/ir" ) func TestInt64ToUint32(t *testing.T) { 
@@ -50,3 +54,57 @@ func TestInt64ToUint32(t *testing.T) {
 })
 }
 }
+
+func TestMakeIrStatusSet(t *testing.T) {
+ tests := []struct {
+ name string
+ in []egv1a1.HTTPStatus
+ want []ir.HTTPStatus
+ }{
+ {
+ name: "no duplicates",
+ in: []egv1a1.HTTPStatus{200, 404},
+ want: []ir.HTTPStatus{200, 404},
+ },
+ {
+ name: "with duplicates",
+ in: []egv1a1.HTTPStatus{200, 404, 200},
+ want: []ir.HTTPStatus{200, 404},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := makeIrStatusSet(tt.in); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("makeIrStatusSet() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
+
+func TestMakeIrTriggerSet(t *testing.T) {
+ tests := []struct {
+ name string
+ in []egv1a1.TriggerEnum
+ want []ir.TriggerEnum
+ }{
+ {
+ name: "no duplicates",
+ in: []egv1a1.TriggerEnum{"5xx", "reset"},
+ want: []ir.TriggerEnum{"5xx", "reset"},
+ },
+ {
+ name: "with duplicates",
+ in: []egv1a1.TriggerEnum{"5xx", "reset", "5xx"},
+ want: []ir.TriggerEnum{"5xx", "reset"},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := makeIrTriggerSet(tt.in); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("makeIrTriggerSet() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go
index 2b34b8ad33f..13f2c6b9d08 100644
--- a/internal/gatewayapi/runner/runner.go
+++ b/internal/gatewayapi/runner/runner.go
@@ -10,6 +10,7 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/sets" v1 "sigs.k8s.io/gateway-api/apis/v1" "github.com/envoyproxy/gateway/api/v1alpha1"
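Review bot: Both new tests only feed inputs that are already in ascending order, so they cannot tell the old first-seen ordering apart from the sorted `List()` output that makeIrStatusSet and makeIrTriggerSet now produce; a case such as `in: []egv1a1.HTTPStatus{503, 200, 503}, want: []ir.HTTPStatus{200, 503}` would pin the intended order. An empty-input case would also document what callers get: with `make([]ir.HTTPStatus, 0, statusSet.Len())` the result is a non-nil empty slice, which `reflect.DeepEqual` distinguishes from `nil`, so `want: []ir.HTTPStatus{}` is the value to assert.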
@@ -356,23 +357,10 @@ func (r *Runner) deleteAllStatusKeys() { // based on the difference between the current keys and the // new keys parameters passed to the function. func getIRKeysToDelete(curKeys, newKeys []string) []string { - var delKeys []string - remaining := make(map[string]bool) + curSet := sets.NewString(curKeys...) + newSet := sets.NewString(newKeys...) - // Add all current keys to the remaining map - for _, key := range curKeys { - remaining[key] = true - } - - // Delete newKeys from the remaining map - // to get keys that need to be deleted - for _, key := range newKeys { - delete(remaining, key) - } - - for key := range remaining { - delKeys = append(delKeys, key) - } + delSet := curSet.Difference(newSet) - return delKeys + return delSet.List() } diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 4bd51d37c0a..7d1af7c0602 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -16,6 +16,7 @@ import ( apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation" "sigs.k8s.io/yaml" 
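Review bot: The rewrite quietly fixes a nondeterminism — the old `for key := range remaining` yielded random order, whereas `delSet.List()` returns sorted keys — but the doc comment above the hunk says nothing about ordering; appending `// The returned keys are sorted, so deletion order is deterministic.` to that comment would make the new contract explicit (its first line is outside the hunk). If the pinned apimachinery provides the generic API (controller.go in this commit already uses `sets.New[string]()`), the body can also become `return sets.List(sets.New(curKeys...).Difference(sets.New(newKeys...)))`, avoiding the deprecated `sets.NewString` constructor.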
@@ -714,53 +715,49 @@ func (h HTTPRoute) Validate() error {
 }
 }
 if len(h.AddRequestHeaders) > 0 {
- occurred := map[string]bool{}
+ occurred := sets.NewString()
 for _, header := range h.AddRequestHeaders {
 if err := header.Validate(); err != nil {
 errs = errors.Join(errs, err)
 }
- if !occurred[header.Name] {
- occurred[header.Name] = true
- } else {
+ if occurred.Has(header.Name) {
 errs = errors.Join(errs, ErrAddHeaderDuplicate)
 break
 }
+ occurred.Insert(header.Name)
 }
 }
 if len(h.RemoveRequestHeaders) > 0 {
- occurred := map[string]bool{}
+ occurred := sets.NewString()
 for _, header := range h.RemoveRequestHeaders {
- if !occurred[header] {
- occurred[header] = true
- } else {
+ if occurred.Has(header) {
 errs = errors.Join(errs, ErrRemoveHeaderDuplicate)
 break
 }
+ occurred.Insert(header)
 }
 }
 if len(h.AddResponseHeaders) > 0 {
- occurred := map[string]bool{}
+ occurred := sets.NewString()
 for _, header := range h.AddResponseHeaders {
 if err := header.Validate(); err != nil {
 errs = errors.Join(errs, err)
 }
- if !occurred[header.Name] {
- occurred[header.Name] = true
- } else {
+ if occurred.Has(header.Name) {
 errs = errors.Join(errs, ErrAddHeaderDuplicate)
 break
 }
+ occurred.Insert(header.Name)
 }
 }
 if len(h.RemoveResponseHeaders) > 0 {
- occurred := map[string]bool{}
+ occurred := sets.NewString()
 for _, header := range h.RemoveResponseHeaders {
- if !occurred[header] {
- occurred[header] = true
- } else {
+ if occurred.Has(header) {
 errs = errors.Join(errs, ErrRemoveHeaderDuplicate)
 break
 }
+ occurred.Insert(header)
 }
 }
 if h.LoadBalancer != nil {
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
index 5e66e0e6a7b..fb3ade2bcff 100644
--- a/internal/provider/kubernetes/controller.go
+++ b/internal/provider/kubernetes/controller.go
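Review bot: The duplicate check keys `occurred` on the header name exactly as written, so `X-Foo` and `x-foo` pass as distinct entries even though HTTP header names compare case-insensitively; unless the translator already lower-cases names before they reach Validate, it is worth normalising with `strings.ToLower` in both the `Has` and the `Insert` call of each of the four loops so the IR rejects what Envoy would later treat as one header. After this change the four loops differ only in their source slice and sentinel error, so a small unexported helper taking the names and the error would remove the repetition. Validate's body starts and ends outside this hunk.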
@@ -18,6 +18,7 @@ import (
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/client-go/discovery"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/controller"
@@ -51,7 +52,7 @@ type gatewayAPIReconciler struct {
 namespace string
 namespaceLabel *metav1.LabelSelector
 envoyGateway *egv1a1.EnvoyGateway
- mergeGateways map[string]bool
+ mergeGateways sets.Set[string]
 resources *message.ProviderResources
 extGVKs []schema.GroupVersionKind
 }
@@ -87,7 +88,7 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su status.
 extGVKs: extGVKs,
 store: newProviderStore(),
 envoyGateway: cfg.EnvoyGateway,
- mergeGateways: map[string]bool{},
+ mergeGateways: sets.New[string](),
 }
 if byNamespaceSelector {
@@ -356,7 +357,11 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques
 }
 if gwcResource.EnvoyProxy != nil && gwcResource.EnvoyProxy.Spec.MergeGateways != nil {
- r.mergeGateways[acceptedGC.Name] = *gwcResource.EnvoyProxy.Spec.MergeGateways
+ if *gwcResource.EnvoyProxy.Spec.MergeGateways {
+ r.mergeGateways.Insert(acceptedGC.Name)
+ } else {
+ r.mergeGateways.Delete(acceptedGC.Name)
+ }
 }
 if err := r.updateStatusForGatewayClass(ctx, acceptedGC, true, string(gwapiv1.GatewayClassReasonAccepted), status.MsgValidGatewayClass); err != nil {
diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go
index f77b46ea99a..3585a2913ae 100644
--- a/internal/provider/kubernetes/predicates.go
+++ b/internal/provider/kubernetes/predicates.go
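Review bot: In the Reconcile hunk the set is only updated inside the `EnvoyProxy != nil && MergeGateways != nil` guard, so a GatewayClass whose EnvoyProxy is later detached, or whose `mergeGateways` field is unset, keeps its old entry and the predicates in predicates.go keep treating it as merged; the old map had the same gap, but now that membership is the only state, folding the nil cases into the flag and always calling Insert or Delete is the natural fix. The same set is read via `Has` in validateServiceForReconcile, validateDeploymentForReconcile and the two `infraName` calls in the predicates.go hunks, which controller-runtime runs on watch-event goroutines, while Insert/Delete run in Reconcile; `sets.Set[string]` is a plain map like the one it replaces, so unless something upstream serialises these paths this remains an unsynchronised read/write that `-race` would flag, and it deserves either a mutex or a comment stating why it is safe. Reconcile's body continues outside the hunk.
```go
	// … unchanged: GatewayClass acceptance and gwcResource lookup …
	mergeGateways := gwcResource.EnvoyProxy != nil &&
		gwcResource.EnvoyProxy.Spec.MergeGateways != nil &&
		*gwcResource.EnvoyProxy.Spec.MergeGateways
	// Always reconcile membership so a detached EnvoyProxy or an unset
	// mergeGateways field clears a stale entry.
	if mergeGateways {
		r.mergeGateways.Insert(acceptedGC.Name)
	} else {
		r.mergeGateways.Delete(acceptedGC.Name)
	}
	// … unchanged: updateStatusForGatewayClass …
```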
@@ -238,7 +238,7 @@ func (r *gatewayAPIReconciler) validateServiceForReconcile(obj client.Object) bo
 // Merged gateways will have only this label, update status of all Gateways under found GatewayClass.
 gcName, ok := labels[gatewayapi.OwningGatewayClassLabel]
- if ok && r.mergeGateways[gcName] {
+ if ok && r.mergeGateways.Has(gcName) {
 if err := r.updateStatusForGatewaysUnderGatewayClass(ctx, gcName); err != nil {
 r.log.Info("no Gateways found under GatewayClass", "name", gcName)
 return false
@@ -390,7 +390,7 @@ func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object)
 // Merged gateways will have only this label, update status of all Gateways under found GatewayClass.
 gcName, ok := labels[gatewayapi.OwningGatewayClassLabel]
- if ok && r.mergeGateways[gcName] {
+ if ok && r.mergeGateways.Has(gcName) {
 if err := r.updateStatusForGatewaysUnderGatewayClass(ctx, gcName); err != nil {
 r.log.Info("no Gateways found under GatewayClass", "name", gcName)
 return false
@@ -406,7 +406,7 @@ func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object)
 func (r *gatewayAPIReconciler) envoyDeploymentForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (*appsv1.Deployment, error) {
 key := types.NamespacedName{
 Namespace: r.namespace,
- Name: infraName(gateway, r.mergeGateways[string(gateway.Spec.GatewayClassName)]),
+ Name: infraName(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName))),
 }
 deployment := new(appsv1.Deployment)
 if err := r.client.Get(ctx, key, deployment); err != nil {
@@ -422,7 +422,7 @@ func (r *gatewayAPIReconciler) envoyDeploymentForGateway(ctx context.Context, ga
 func (r *gatewayAPIReconciler) envoyServiceForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (*corev1.Service, error) {
 key := types.NamespacedName{
 Namespace: r.namespace,
- Name: infraName(gateway, r.mergeGateways[string(gateway.Spec.GatewayClassName)]),
+ Name: infraName(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName))),
 }
 svc := new(corev1.Service)
 if err := r.client.Get(ctx, key, svc); err != nil {
diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go
index cd88d7b7100..f923eef8a26 100644
--- a/internal/provider/kubernetes/predicates_test.go
+++ b/internal/provider/kubernetes/predicates_test.go
@@ -13,6 +13,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -556,9 +557,7 @@ func TestValidateServiceForReconcile(t *testing.T) {
 r := gatewayAPIReconciler{
 classController: v1alpha1.GatewayControllerName,
 log: logger,
- mergeGateways: map[string]bool{
- "test-mg": true,
- },
+ mergeGateways: sets.New[string]("test-mg"),
 }
 for _, tc := range testCases {
@@ -653,9 +652,7 @@ func TestValidateDeploymentForReconcile(t *testing.T) {
 r := gatewayAPIReconciler{
 classController: v1alpha1.GatewayControllerName,
 log: logger,
- mergeGateways: map[string]bool{
- "test-mg": true,
- },
+ mergeGateways: sets.New[string]("test-mg"),
 }
 for _, tc := range testCases {