diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b97522ef938..c7a5bee84ff 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -32,6 +32,9 @@ updates:
k8s.io:
patterns:
- "k8s.io/*"
+ go.opentelemetry.io:
+ patterns:
+ - "go.opentelemetry.io/*"
- package-ecosystem: pip
directory: /tools/src/codespell
schedule:
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index d0a960e8469..258b1f4f99a 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -86,7 +86,7 @@ jobs:
- uses: ./tools/github-actions/setup-deps
- name: Download EG Binaries
- uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: envoy-gateway
path: bin/
@@ -114,7 +114,7 @@ jobs:
- uses: ./tools/github-actions/setup-deps
- name: Download EG Binaries
- uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: envoy-gateway
path: bin/
@@ -139,7 +139,7 @@ jobs:
- uses: ./tools/github-actions/setup-deps
- name: Download EG Binaries
- uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: envoy-gateway
path: bin/
diff --git a/.github/workflows/cherrypick.yaml b/.github/workflows/cherrypick.yaml
index d2bb76c1b92..b12a56af8f3 100644
--- a/.github/workflows/cherrypick.yaml
+++ b/.github/workflows/cherrypick.yaml
@@ -9,23 +9,23 @@ permissions:
contents: read
jobs:
- cherry_pick_release_v0_6:
+ cherry_pick_release_v1_0:
runs-on: ubuntu-22.04
- name: Cherry pick into release-v0.6
- if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.6') && github.event.pull_request.merged == true }}
+ name: Cherry pick into release-v1.0
+ if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v1.0') && github.event.pull_request.merged == true }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- - name: Cherry pick into release/v0.6
+ - name: Cherry pick into release/v1.0
uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9
with:
- branch: release/v0.6
- title: "[release/v0.6] {old_title}"
- body: "Cherry picking #{old_pull_request_id} onto release/v0.6"
+ branch: release/v1.0
+ title: "[release/v1.0] {old_title}"
+ body: "Cherry picking #{old_pull_request_id} onto release/v1.0"
labels: |
- cherrypick/release-v0.6
+ cherrypick/release-v1.0
# put release manager here
reviewers: |
- arkodg
+ Xunzhuo
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4fcd67ccb91..ea16d2440db 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -36,14 +36,14 @@ jobs:
- uses: ./tools/github-actions/setup-deps
- name: Initialize CodeQL
- uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+ uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
with:
languages: ${{ matrix.language }}
- name: Autobuild
- uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+ uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+ uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
with:
category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml
index 271aaf418ee..62c5f087a98 100644
--- a/.github/workflows/latest_release.yaml
+++ b/.github/workflows/latest_release.yaml
@@ -10,6 +10,12 @@ on:
paths-ignore:
- "**/*.png"
+# Limit workflow run or job concurrency,
+# avoid workflow failed when merge more than one PR in short time.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
jobs:
latest-release:
runs-on: ubuntu-22.04
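Review bot: `cancel-in-progress: true` on the new `concurrency` block (L107-L109) cancels an in-flight latest-release run whenever a second PR merges to the same ref, which can abort a publish midway and leave the "latest" artifacts partially updated; the stated intent (avoiding failures when several PRs merge in a short time) is served just as well by queuing. Unless every publish step in this workflow is atomic, `cancel-in-progress: false` is the safer setting, so the runs serialize instead of being killed. The `jobs:` block that follows starts at L111 and continues outside the hunk, so I cannot confirm from here what the run publishes.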
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 12aa55a5b74..3ccb44d4bf0 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -40,6 +40,6 @@ jobs:
retention-days: 5
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+ uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
with:
sarif_file: results.sarif
diff --git a/.gitignore b/.gitignore
index a14c25efb35..0dee17ad8f4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,6 @@ vendor/
# values.yaml file is generated from its template counterpart.
charts/gateway-helm/values.yaml
+
+# VIM
+.*.swp
diff --git a/OWNERS b/OWNERS
index 8ca35470bb6..a38205aca15 100644
--- a/OWNERS
+++ b/OWNERS
@@ -15,6 +15,7 @@ maintainers:
- zirain
- qicz
- zhaohuabing
+- guydc
reviewers:
@@ -25,5 +26,4 @@ reviewers:
- tanujd11
- cnvergence
- shawnh2
-- guydc
- liorokman
diff --git a/VERSION b/VERSION
index 60f63432822..6dc938c1692 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v0.6.0
+v1.0.0-rc.1
diff --git a/api/v1alpha1/circuitbreaker_types.go b/api/v1alpha1/circuitbreaker_types.go
index 33d394446e2..c9147379aeb 100644
--- a/api/v1alpha1/circuitbreaker_types.go
+++ b/api/v1alpha1/circuitbreaker_types.go
@@ -31,6 +31,14 @@ type CircuitBreaker struct {
// +optional
MaxParallelRequests *int64 `json:"maxParallelRequests,omitempty"`
+ // The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule.
+ //
+ // +kubebuilder:validation:Minimum=0
+ // +kubebuilder:validation:Maximum=4294967295
+ // +kubebuilder:default=1024
+ // +optional
+ MaxParallelRetries *int64 `json:"maxParallelRetries,omitempty"`
+
// The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
// Default: unlimited.
//
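Review bot: The new `MaxParallelRetries` field (L165-L171) omits the `// Default: ...` sentence that the sibling fields in this struct carry (e.g. L174 `// Default: unlimited.`), even though its marker sets `+kubebuilder:default=1024`; add `// Default: 1024.` after the first doc line so the Go doc and the generated CRD description agree. The enclosing `CircuitBreaker` struct begins and ends outside the hunk.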
diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go
index 881b4d36443..145fc9b5fca 100644
--- a/api/v1alpha1/envoygateway_types.go
+++ b/api/v1alpha1/envoygateway_types.go
@@ -326,6 +326,25 @@ type RateLimit struct {
// otherwise, don't let the traffic pass and return 500.
// If not set, FailClosed is False.
FailClosed bool `json:"failClosed"`
+
+ // Telemetry defines telemetry configuration for RateLimit.
+ // +optional
+ Telemetry *RateLimitTelemetry `json:"telemetry,omitempty"`
+}
+
+type RateLimitTelemetry struct {
+ // Metrics defines metrics configuration for RateLimit.
+ Metrics *RateLimitMetrics `json:"metrics,omitempty"`
+}
+
+type RateLimitMetrics struct {
+ // Prometheus defines the configuration for prometheus endpoint.
+ Prometheus *RateLimitMetricsPrometheusProvider `json:"prometheus,omitempty"`
+}
+
+type RateLimitMetricsPrometheusProvider struct {
+ // Disable the Prometheus endpoint.
+ Disable bool `json:"disable,omitempty"`
}
// RateLimitDatabaseBackend defines the configuration associated with
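Review bot: The three new types at L190, L195 and L200 have no type-level doc comment, unlike the neighbouring `RateLimitDatabaseBackend` (L204), and their pointer fields `Metrics` (L192) and `Prometheus` (L197) carry `omitempty` but no `// +optional` marker, whereas `Telemetry` (L186) does; controller-gen usually infers optionality from `omitempty`, but the explicit marker is the convention this file follows. Add `// RateLimitTelemetry defines telemetry configuration for RateLimit.`, `// RateLimitMetrics defines metrics configuration for RateLimit.` and `// RateLimitMetricsPrometheusProvider defines the Prometheus endpoint configuration for RateLimit.` above each type, and `// +optional` under the two field comments. A short note on `Disable` (L202) that the endpoint is enabled unless this is set to true would also help readers of the generated CRD.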
diff --git a/api/v1alpha1/kubernetes_helpers.go b/api/v1alpha1/kubernetes_helpers.go
index cd9ec84257c..72f6a380ad9 100644
--- a/api/v1alpha1/kubernetes_helpers.go
+++ b/api/v1alpha1/kubernetes_helpers.go
@@ -162,3 +162,39 @@ func (deployment *KubernetesDeploymentSpec) ApplyMergePatch(old *appv1.Deploymen
return &patchedDeployment, nil
}
+
+// ApplyMergePatch applies a merge patch to a service based on the merge type
+func (service *KubernetesServiceSpec) ApplyMergePatch(old *corev1.Service) (*corev1.Service, error) {
+ if service.Patch == nil {
+ return old, nil
+ }
+
+ var patchedJSON []byte
+ var err error
+
+ // Serialize the current deployment to JSON
+ originalJSON, err := json.Marshal(old)
+ if err != nil {
+ return nil, fmt.Errorf("error marshaling original deployment: %w", err)
+ }
+
+ switch {
+ case service.Patch.Type == nil || *service.Patch.Type == StrategicMerge:
+ patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, service.Patch.Value.Raw, corev1.Service{})
+ case *service.Patch.Type == JSONMerge:
+ patchedJSON, err = jsonpatch.MergePatch(originalJSON, service.Patch.Value.Raw)
+ default:
+ return nil, fmt.Errorf("unsupported merge type: %s", *service.Patch.Type)
+ }
+ if err != nil {
+ return nil, fmt.Errorf("error applying merge patch: %w", err)
+ }
+
+ // Deserialize the patched JSON into a new service object
+ var patchedService corev1.Service
+ if err := json.Unmarshal(patchedJSON, &patchedService); err != nil {
+ return nil, fmt.Errorf("error unmarshaling patched service: %w", err)
+ }
+
+ return &patchedService, nil
+}
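Review bot: The comment at L222 and the error string at L225 still say "deployment" although this method patches a Service — a copy-paste leftover from the deployment variant whose tail is visible at L209-L211. Change them to `// Serialize the current service to JSON` and `return nil, fmt.Errorf("error marshaling original service: %w", err)` so a failure is attributed to the right object in logs. `var err error` at L220 is also redundant, since L223 declares `err` with `:=` and the later `patchedJSON, err = ...` assignments reuse it.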
diff --git a/api/v1alpha1/retry_types.go b/api/v1alpha1/retry_types.go
index 1fea2d6d93b..b77a41218c8 100644
--- a/api/v1alpha1/retry_types.go
+++ b/api/v1alpha1/retry_types.go
@@ -44,7 +44,7 @@ type RetryOn struct {
}
// TriggerEnum specifies the conditions that trigger retries.
-// +kubebuilder:validation:Enum={"5xx","gateway-error","disconnect-reset","connect-failure","retriable-4xx","refused-stream","retriable-status-codes","cancelled","deadline-exceeded","internal","resource-exhausted","unavailable"}
+// +kubebuilder:validation:Enum={"5xx","gateway-error","reset","connect-failure","retriable-4xx","refused-stream","retriable-status-codes","cancelled","deadline-exceeded","internal","resource-exhausted","unavailable"}
type TriggerEnum string
const (
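Review bot: Renaming the enum value `disconnect-reset` to `reset` (L256, with the constant at L264 in the next hunk) is a breaking change for any stored BackendTrafficPolicy whose retry triggers still hold the old string: once the CRD is updated, such objects fail admission on their next update, and how the controller treats already-stored objects depends on how it decodes the now-unknown value. If the alpha API's compatibility policy permits this, the PR description or release notes should call it out, and the old constant could be kept as a deprecated alias for one release; the same rename appears in the generated CRD hunk at L569-L577. The `const` block at L258 continues outside the hunk.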
@@ -57,7 +57,7 @@ const (
// The response is a gateway error (502,503 or 504).
GatewayError TriggerEnum = "gateway-error"
// The upstream server does not respond at all (disconnect/reset/read timeout.)
- DisconnectRest TriggerEnum = "disconnect-reset"
+ Reset TriggerEnum = "reset"
// Connection failure to the upstream server (connect timeout, etc.). (Included in *5xx*)
ConnectFailure TriggerEnum = "connect-failure"
// The upstream server responds with a retriable 4xx response code.
diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go
index d0df95a9601..4014014e9df 100644
--- a/api/v1alpha1/shared_types.go
+++ b/api/v1alpha1/shared_types.go
@@ -126,10 +126,6 @@ type KubernetesPodSpec struct {
// +optional
Volumes []corev1.Volume `json:"volumes,omitempty"`
- // HostNetwork, If this is set to true, the pod will use host's network namespace.
- // +optional
- HostNetwork bool `json:"hostNetwork,omitempty"`
-
// ImagePullSecrets is an optional list of references to secrets
// in the same namespace to use for pulling any of the images used by this PodSpec.
// If specified, these secrets will be passed to individual puller implementations for them to use.
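Review bot: Removing `HostNetwork` (L275-L277) is an API removal from `KubernetesPodSpec`: with the field gone from the CRD (see L586-L589), the value is pruned from existing EnvoyProxy objects on their next write, and a user relying on host networking loses it silently on upgrade. From a hardening standpoint dropping the host-namespace knob is welcome, but the hunk carries no rationale or replacement path; a deprecation note in the PR description would help operators plan for it. The struct begins and ends outside the hunk.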
@@ -268,6 +264,11 @@ type KubernetesServiceSpec struct {
// +kubebuilder:default:="Local"
// +optional
ExternalTrafficPolicy *ServiceExternalTrafficPolicy `json:"externalTrafficPolicy,omitempty"`
+
+ // Patch defines how to perform the patch operation to the service
+ //
+ // +optional
+ Patch *KubernetesPatchSpec `json:"patch,omitempty"`
// TODO: Expose config as use cases are better understood, e.g. labels.
}
diff --git a/api/v1alpha1/validation/envoyproxy_validate.go b/api/v1alpha1/validation/envoyproxy_validate.go
index 6dc7e116c89..bb880891e2c 100644
--- a/api/v1alpha1/validation/envoyproxy_validate.go
+++ b/api/v1alpha1/validation/envoyproxy_validate.go
@@ -9,17 +9,15 @@ import (
"errors"
"fmt"
"net/netip"
- "reflect"
bootstrapv3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3"
clusterv3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
"github.com/google/go-cmp/cmp"
- "google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/testing/protocmp"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
- "sigs.k8s.io/yaml"
egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+ "github.com/envoyproxy/gateway/internal/utils/proto"
"github.com/envoyproxy/gateway/internal/xds/bootstrap"
_ "github.com/envoyproxy/gateway/internal/xds/extensions" // register the generated types to support protojson unmarshalling
)
@@ -126,47 +124,47 @@ func validateService(spec *egv1a1.EnvoyProxySpec) []error {
errs = append(errs, fmt.Errorf("loadBalancerIP:%s is an invalid IPv4 address", *serviceLoadBalancerIP))
}
}
+ if patch := spec.Provider.Kubernetes.EnvoyService.Patch; patch != nil {
+ if patch.Value.Raw == nil {
+ errs = append(errs, fmt.Errorf("envoy service patch object cannot be empty"))
+ }
+ if patch.Type != nil && *patch.Type != egv1a1.JSONMerge && *patch.Type != egv1a1.StrategicMerge {
+ errs = append(errs, fmt.Errorf("unsupported envoy service patch type %s", *patch.Type))
+ }
+ }
+
}
return errs
}
func validateBootstrap(boostrapConfig *egv1a1.ProxyBootstrap) error {
+ // Validate user bootstrap config
defaultBootstrap := &bootstrapv3.Bootstrap{}
// TODO: need validate when enable prometheus?
defaultBootstrapStr, err := bootstrap.GetRenderedBootstrapConfig(nil)
if err != nil {
return err
}
+ if err := proto.FromYAML([]byte(defaultBootstrapStr), defaultBootstrap); err != nil {
+ return fmt.Errorf("unable to unmarshal default bootstrap: %w", err)
+ }
+ if err := defaultBootstrap.Validate(); err != nil {
+ return fmt.Errorf("default bootstrap validation failed: %w", err)
+ }
+ // Validate user bootstrap config
userBootstrapStr, err := bootstrap.ApplyBootstrapConfig(boostrapConfig, defaultBootstrapStr)
if err != nil {
return err
}
-
- jsonData, err := yaml.YAMLToJSON([]byte(userBootstrapStr))
- if err != nil {
- return fmt.Errorf("unable to convert user bootstrap to json: %w", err)
- }
-
userBootstrap := &bootstrapv3.Bootstrap{}
- if err := protojson.Unmarshal(jsonData, userBootstrap); err != nil {
- return fmt.Errorf("unable to unmarshal user bootstrap: %w", err)
+ if err := proto.FromYAML([]byte(userBootstrapStr), userBootstrap); err != nil {
+ return fmt.Errorf("failed to parse default bootstrap config: %w", err)
}
-
- // Call Validate method
if err := userBootstrap.Validate(); err != nil {
return fmt.Errorf("validation failed for user bootstrap: %w", err)
}
- jsonData, err = yaml.YAMLToJSON([]byte(defaultBootstrapStr))
- if err != nil {
- return fmt.Errorf("unable to convert default bootstrap to json: %w", err)
- }
-
- if err := protojson.Unmarshal(jsonData, defaultBootstrap); err != nil {
- return fmt.Errorf("unable to unmarshal default bootstrap: %w", err)
- }
-
// Ensure dynamic resources config is same
if userBootstrap.DynamicResources == nil ||
cmp.Diff(userBootstrap.DynamicResources, defaultBootstrap.DynamicResources, protocmp.Transform()) != "" {
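Review bot: The error message at L359 says "failed to parse default bootstrap config" but the value being decoded there is `userBootstrapStr`; the wording removed at L357, `unable to unmarshal user bootstrap: %w`, was correct and should be restored, otherwise the two parse failures are indistinguishable in logs. Relatedly, `// Validate user bootstrap config` now appears at L331 above the default-bootstrap decoding and again at L344; the first should read `// Parse and validate the default bootstrap config`. In the new service-patch check, `patch.Value.Raw == nil` (L319) does not catch an empty non-nil slice such as `[]byte{}`, so `len(patch.Value.Raw) == 0` would express "cannot be empty" more faithfully — but the new test case at L410-L419 feeds exactly that input, so confirm which outcome is intended before tightening it. `validateService` begins outside the hunk.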
@@ -187,9 +185,8 @@ func validateBootstrap(boostrapConfig *egv1a1.ProxyBootstrap) error {
break
}
}
-
- // nolint // Circumvents this error "Error: copylocks: call of reflect.DeepEqual copies lock value:"
- if userXdsCluster == nil || !reflect.DeepEqual(*userXdsCluster.LoadAssignment, *defaultXdsCluster.LoadAssignment) {
+ if userXdsCluster == nil ||
+ cmp.Diff(userXdsCluster.LoadAssignment, defaultXdsCluster.LoadAssignment, protocmp.Transform()) != "" {
return fmt.Errorf("xds_cluster's loadAssigntment cannot be modified")
}
diff --git a/api/v1alpha1/validation/envoyproxy_validate_test.go b/api/v1alpha1/validation/envoyproxy_validate_test.go
index f476a5767af..41d595a4d6d 100644
--- a/api/v1alpha1/validation/envoyproxy_validate_test.go
+++ b/api/v1alpha1/validation/envoyproxy_validate_test.go
@@ -449,7 +449,30 @@ func TestValidateEnvoyProxy(t *testing.T) {
},
expected: true,
}, {
- name: "should invalid when patch type is empty",
+ name: "should be invalid when service patch type is empty",
+ proxy: &egv1a1.EnvoyProxy{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "test",
+ Name: "test",
+ },
+ Spec: egv1a1.EnvoyProxySpec{
+ Provider: &egv1a1.EnvoyProxyProvider{
+ Type: egv1a1.ProviderTypeKubernetes,
+ Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{
+ EnvoyService: &egv1a1.KubernetesServiceSpec{
+ Patch: &egv1a1.KubernetesPatchSpec{
+ Value: v1.JSON{
+ Raw: []byte{},
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ expected: true,
+ }, {
+ name: "should be invalid when deployment patch type is empty",
proxy: &egv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Namespace: "test",
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 237b4921293..1e02bc720f7 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -346,6 +346,11 @@ func (in *CircuitBreaker) DeepCopyInto(out *CircuitBreaker) {
*out = new(int64)
**out = **in
}
+ if in.MaxParallelRetries != nil {
+ in, out := &in.MaxParallelRetries, &out.MaxParallelRetries
+ *out = new(int64)
+ **out = **in
+ }
if in.MaxRequestsPerConnection != nil {
in, out := &in.MaxRequestsPerConnection, &out.MaxRequestsPerConnection
*out = new(int64)
@@ -2324,6 +2329,11 @@ func (in *KubernetesServiceSpec) DeepCopyInto(out *KubernetesServiceSpec) {
*out = new(ServiceExternalTrafficPolicy)
**out = **in
}
+ if in.Patch != nil {
+ in, out := &in.Patch, &out.Patch
+ *out = new(KubernetesPatchSpec)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesServiceSpec.
@@ -2907,6 +2917,11 @@ func (in *RateLimit) DeepCopyInto(out *RateLimit) {
*out = new(v1.Duration)
**out = **in
}
+ if in.Telemetry != nil {
+ in, out := &in.Telemetry, &out.Telemetry
+ *out = new(RateLimitTelemetry)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimit.
@@ -2939,6 +2954,41 @@ func (in *RateLimitDatabaseBackend) DeepCopy() *RateLimitDatabaseBackend {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RateLimitMetrics) DeepCopyInto(out *RateLimitMetrics) {
+ *out = *in
+ if in.Prometheus != nil {
+ in, out := &in.Prometheus, &out.Prometheus
+ *out = new(RateLimitMetricsPrometheusProvider)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitMetrics.
+func (in *RateLimitMetrics) DeepCopy() *RateLimitMetrics {
+ if in == nil {
+ return nil
+ }
+ out := new(RateLimitMetrics)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RateLimitMetricsPrometheusProvider) DeepCopyInto(out *RateLimitMetricsPrometheusProvider) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitMetricsPrometheusProvider.
+func (in *RateLimitMetricsPrometheusProvider) DeepCopy() *RateLimitMetricsPrometheusProvider {
+ if in == nil {
+ return nil
+ }
+ out := new(RateLimitMetricsPrometheusProvider)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RateLimitRedisSettings) DeepCopyInto(out *RateLimitRedisSettings) {
*out = *in
@@ -3034,6 +3084,26 @@ func (in *RateLimitSpec) DeepCopy() *RateLimitSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RateLimitTelemetry) DeepCopyInto(out *RateLimitTelemetry) {
+ *out = *in
+ if in.Metrics != nil {
+ in, out := &in.Metrics, &out.Metrics
+ *out = new(RateLimitMetrics)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitTelemetry.
+func (in *RateLimitTelemetry) DeepCopy() *RateLimitTelemetry {
+ if in == nil {
+ return nil
+ }
+ out := new(RateLimitTelemetry)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RateLimitValue) DeepCopyInto(out *RateLimitValue) {
*out = *in
diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md
index f5f2b420d21..c2d5f63fe04 100644
--- a/charts/gateway-helm/README.md
+++ b/charts/gateway-helm/README.md
@@ -27,8 +27,9 @@ Helm's [documentation](https://helm.sh/docs) to get started.
Once Helm has been set up correctly, install the chart from dockerhub:
``` shell
- helm install eg oci://docker.io/envoyproxy/gateway-helm -n envoy-gateway-system --create-namespace
+ helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace
```
+You can find all helm chart release in [Dockerhub](https://hub.docker.com/r/envoyproxy/gateway-helm/tags)
### Install from Source Code
@@ -45,7 +46,7 @@ To install the eg chart along with Gateway API CRDs and Envoy Gateway CRDs:
You can install the eg chart along without Gateway API CRDs and Envoy Gateway CRDs, make sure CRDs exist in Cluster first if you want to skip to install them, otherwise EG may fail to start:
``` shell
- helm install eg --create-namespace oci://docker.io/envoyproxy/gateway-helm -n envoy-gateway-system --skip-crds
+ helm install eg --create-namespace oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --skip-crds
```
To uninstall the chart:
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
index 858405b5c46..2285b3d79a3 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
@@ -69,6 +69,15 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries that Envoy
+ will make to the referenced backend defined within a xRoute
+ rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
maxPendingRequests:
default: 1024
description: The maximum number of pending requests that Envoy
@@ -805,7 +814,7 @@ spec:
enum:
- 5xx
- gateway-error
- - disconnect-reset
+ - reset
- connect-failure
- retriable-4xx
- refused-stream
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
index 437f90927d0..ad32967e71a 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -3282,10 +3282,6 @@ spec:
should be appended to the pods. By default, no pod
annotations are appended.
type: object
- hostNetwork:
- description: HostNetwork, If this is set to true,
- the pod will use host's network namespace.
- type: boolean
imagePullSecrets:
description: 'ImagePullSecrets is an optional list
of references to secrets in the same namespace to
@@ -6597,6 +6593,22 @@ spec:
x-kubernetes-validations:
- message: loadBalancerIP must be a valid IPv4 address
rule: self.matches(r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
+ patch:
+ description: Patch defines how to perform the patch operation
+ to the service
+ properties:
+ type:
+ description: "Type is the type of merge operation
+ to perform \n By default, StrategicMerge is used
+ as the patch type."
+ type: string
+ value:
+ description: Object contains the raw configuration
+ for merged object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - value
+ type: object
type:
default: LoadBalancer
description: Type determines how the Service is exposed.
diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl
index 9c80ff3a868..104f5f0f014 100644
--- a/charts/gateway-helm/templates/_rbac.tpl
+++ b/charts/gateway-helm/templates/_rbac.tpl
@@ -98,6 +98,7 @@ resources:
- tcproutes
- tlsroutes
- udproutes
+- backendtlspolicies
verbs:
- get
- list
@@ -114,6 +115,7 @@ resources:
- tcproutes/status
- tlsroutes/status
- udproutes/status
+- backendtlspolicies/status
verbs:
- update
{{- end }}
diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
index 4bbe5b25146..1ee5c7f7d86 100644
--- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
@@ -58,6 +58,13 @@ spec:
initialDelaySeconds: 15
periodSeconds: 20
name: envoy-gateway
+ ports:
+ {{- range .Values.deployment.ports }}
+ - containerPort: {{ .port }}
+ name: {{ .name }}
+ {{- end}}
+ - containerPort: 19001
+ name: http-metrics
readinessProbe:
httpGet:
path: /readyz
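Review bot: The hard-coded `http-metrics` entry (L649-L650) is appended after the `range` over `.Values.deployment.ports` (L645-L648), so a user who also lists a port named `http-metrics` in values produces a container with duplicate port names, which the API server rejects. Either document in values that `http-metrics`/19001 is reserved by the chart, or skip such an entry inside the range. The templated `name: {{ .name }}` should also be quoted, `name: {{ .name | quote }}`, so a name that YAML would otherwise type as a boolean or number still renders as a string; `{{- end}}` at L648 should be `{{- end }}` to match the `range` tag's spacing.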
diff --git a/charts/gateway-helm/templates/envoy-gateway-metrics-service.yaml b/charts/gateway-helm/templates/envoy-gateway-metrics-service.yaml
index bd5f1c6b8e2..da17559f0ea 100644
--- a/charts/gateway-helm/templates/envoy-gateway-metrics-service.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-metrics-service.yaml
@@ -1,6 +1,9 @@
apiVersion: v1
kind: Service
metadata:
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '19001'
name: envoy-gateway-metrics-service
namespace: '{{ .Release.Namespace }}'
labels:
@@ -11,4 +14,7 @@ spec:
control-plane: envoy-gateway
{{- include "eg.selectorLabels" . | nindent 4 }}
ports:
- {{- .Values.envoyGatewayMetricsService.ports | toYaml | nindent 2 -}}
+ - name: http
+ port: {{ .Values.envoyGatewayMetricsService.port }}
+ protocol: TCP
+ targetPort: http-metrics
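Review bot: `prometheus.io/port: '19001'` (L664) is hard-coded while the service port on L674 comes from `.Values.envoyGatewayMetricsService.port`; the two stay in step only as long as nobody overrides the value, because the annotation points scrapers at a fixed port while the service and its `targetPort: http-metrics` follow the template. If the annotation is meant to name the container's metrics port (which the deployment template also fixes at 19001), say so in a comment next to it, e.g. `# port of the http-metrics container port, not the Service port`; otherwise render it from the same value, `prometheus.io/port: '{{ .Values.envoyGatewayMetricsService.port }}'`. Rendering `port:` from an unset value would also yield a null port, so a default in values (present in this PR) or a `required` guard should be relied on deliberately.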
diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml
index fb9c1ae4ebe..269344cd978 100644
--- a/charts/gateway-helm/values.tmpl.yaml
+++ b/charts/gateway-helm/values.tmpl.yaml
@@ -36,11 +36,7 @@ config:
default: info
envoyGatewayMetricsService:
- ports:
- - name: http
- port: 19001
- protocol: TCP
- targetPort: 19001
+ port: 19001
createNamespace: false
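Review bot: Replacing the `envoyGatewayMetricsService.ports` list with a single `port` scalar (L684-L689) changes the chart's values schema; an existing user override of `envoyGatewayMetricsService.ports` is silently ignored after upgrade because the service template now reads only `.port`. A one-line comment above the key, `# Port exposed by the metrics Service; the container port is fixed at 19001 in the deployment template`, would make the contract visible, and the schema change deserves a mention in the chart's release notes.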
diff --git a/examples/kubernetes/application.yaml b/examples/kubernetes/application.yaml
index 27df9d63dd5..f5fa1b75cb3 100644
--- a/examples/kubernetes/application.yaml
+++ b/examples/kubernetes/application.yaml
@@ -37,7 +37,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
diff --git a/examples/kubernetes/http-routing.yaml b/examples/kubernetes/http-routing.yaml
index bbfc6cec8e0..2aadf48b6fc 100644
--- a/examples/kubernetes/http-routing.yaml
+++ b/examples/kubernetes/http-routing.yaml
@@ -56,7 +56,7 @@ spec:
spec:
containers:
- name: example-backend
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
@@ -119,7 +119,7 @@ spec:
spec:
containers:
- name: foo-backend
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
@@ -186,7 +186,7 @@ spec:
spec:
containers:
- name: bar-backend
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
@@ -233,7 +233,7 @@ spec:
spec:
containers:
- name: bar-canary-backend
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
diff --git a/examples/kubernetes/mergepatch.yaml b/examples/kubernetes/mergepatch.yaml
index 87b34eb4b16..20cf575c752 100644
--- a/examples/kubernetes/mergepatch.yaml
+++ b/examples/kubernetes/mergepatch.yaml
@@ -78,7 +78,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
diff --git a/examples/kubernetes/quickstart.yaml b/examples/kubernetes/quickstart.yaml
index e70a4df5996..dcc84ef11c2 100644
--- a/examples/kubernetes/quickstart.yaml
+++ b/examples/kubernetes/quickstart.yaml
@@ -54,7 +54,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
diff --git a/examples/kubernetes/tcp-routing.yaml b/examples/kubernetes/tcp-routing.yaml
index cc203bd1cf3..619e6662435 100644
--- a/examples/kubernetes/tcp-routing.yaml
+++ b/examples/kubernetes/tcp-routing.yaml
@@ -70,7 +70,7 @@ spec:
version: v1
spec:
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend-1
ports:
@@ -104,7 +104,7 @@ spec:
version: v1
spec:
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend-2
ports:
diff --git a/examples/kubernetes/tls-passthrough.yaml b/examples/kubernetes/tls-passthrough.yaml
index cde29cb0a74..2fd44e67d73 100644
--- a/examples/kubernetes/tls-passthrough.yaml
+++ b/examples/kubernetes/tls-passthrough.yaml
@@ -28,7 +28,7 @@ spec:
spec:
containers:
- name: passthrough-echoserver
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
ports:
- containerPort: 8443
env:
diff --git a/examples/kubernetes/tls-termination.yaml b/examples/kubernetes/tls-termination.yaml
index 0ffc34c4637..14eb84af022 100644
--- a/examples/kubernetes/tls-termination.yaml
+++ b/examples/kubernetes/tls-termination.yaml
@@ -63,7 +63,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
diff --git a/examples/prometheus/helm-values.yaml b/examples/prometheus/helm-values.yaml
new file mode 100644
index 00000000000..9de08834491
--- /dev/null
+++ b/examples/prometheus/helm-values.yaml
@@ -0,0 +1,25 @@
+# To simplify the deployment, disable non-essential components
+alertmanager:
+ enabled: false
+prometheus-pushgateway:
+ enabled: false
+kube-state-metrics:
+ enabled: false
+prometheus-node-exporter:
+ enabled: false
+server:
+ fullnameOverride: prometheus
+ persistentVolume:
+ enabled: false
+ readinessProbeInitialDelay: 0
+ global:
+ # Speed up scraping a bit from the default
+ scrape_interval: 15s
+ service:
+ # use LoadBalancer to expose prometheus
+ type: LoadBalancer
+ # use dockerhub
+ image:
+ repository: prom/prometheus
+ securityContext: null
+
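Review bot: `securityContext: null` (L847) clears whatever security context the upstream chart's defaults set for the Prometheus server, and `type: LoadBalancer` (L843) publishes a server that has no authentication of its own on an externally reachable address; together these make the file unsafe to reuse outside a throwaway local cluster. The existing comments explain the LoadBalancer and image choices but not the security-context reset, so add `# the chart's default securityContext is cleared here; keep it for anything but a local demo` above L847 and extend the header comment at L824 to state that these values are for local testing only. The trailing empty line at L848 should also be dropped (a single final newline is enough).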
diff --git a/go.mod b/go.mod
index 920e7c6f6c3..54d75f41d24 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,8 @@ module github.com/envoyproxy/gateway
go 1.21
require (
- github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101
+ fortio.org/fortio v1.63.3
+ github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa
github.com/davecgh/go-spew v1.1.1
github.com/envoyproxy/go-control-plane v0.12.0
github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7
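Review bot: `fortio.org/fortio v1.63.3` (L857) enters the main module's direct requirements together with five new `fortio.org/*` indirect modules (L895-L901), widening the supply-chain surface of the shipped binary if the import is not confined to test or tooling packages; nothing in this diff shows where it is used. If it is test-only, saying so in the PR description would help reviewers, and if it is linked into the controller, its license and transitive footprint are worth confirming. The remaining hunks in this file are version bumps and need no comment.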
@@ -16,8 +17,8 @@ require (
github.com/google/go-cmp v0.6.0
github.com/grafana/tempo v1.5.0
github.com/miekg/dns v1.1.58
- github.com/prometheus/client_golang v1.18.0
- github.com/prometheus/common v0.47.0
+ github.com/prometheus/client_golang v1.19.0
+ github.com/prometheus/common v0.49.0
github.com/spf13/cobra v1.8.0
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.8.4
@@ -26,14 +27,14 @@ require (
go.opentelemetry.io/otel v1.24.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.24.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.24.0
- go.opentelemetry.io/otel/exporters/prometheus v0.45.0
+ go.opentelemetry.io/otel/exporters/prometheus v0.46.0
go.opentelemetry.io/otel/metric v1.24.0
go.opentelemetry.io/otel/sdk/metric v1.24.0
go.opentelemetry.io/proto/otlp v1.1.0
- go.uber.org/zap v1.26.0
- golang.org/x/exp v0.0.0-20231006140011-7918f672742d
+ go.uber.org/zap v1.27.0
+ golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb
golang.org/x/sys v0.17.0
- google.golang.org/grpc v1.61.1
+ google.golang.org/grpc v1.62.0
google.golang.org/protobuf v1.32.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.29.2
@@ -49,6 +50,14 @@ require (
sigs.k8s.io/yaml v1.4.0
)
+require (
+ fortio.org/dflag v1.7.0 // indirect
+ fortio.org/log v1.12.0 // indirect
+ fortio.org/sets v1.0.3 // indirect
+ fortio.org/struct2env v0.4.0 // indirect
+ fortio.org/version v1.0.3 // indirect
+)
+
require (
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -58,7 +67,7 @@ require (
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
- github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
github.com/evanphx/json-patch v5.9.0+incompatible
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
@@ -73,7 +82,7 @@ require (
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
- github.com/google/uuid v1.4.0 // indirect
+ github.com/google/uuid v1.6.0 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 // indirect
@@ -96,7 +105,7 @@ require (
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
- github.com/prometheus/client_model v0.5.0 // indirect
+ github.com/prometheus/client_model v0.6.0 // indirect
github.com/prometheus/procfs v0.12.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
@@ -107,18 +116,18 @@ require (
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/mod v0.14.0 // indirect
- golang.org/x/net v0.20.0 // indirect
- golang.org/x/oauth2 v0.16.0 // indirect
+ golang.org/x/net v0.21.0
+ golang.org/x/oauth2 v0.17.0 // indirect
golang.org/x/sync v0.6.0 // indirect
- golang.org/x/term v0.16.0 // indirect
+ golang.org/x/term v0.17.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.17.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
- google.golang.org/genproto v0.0.0-20231212172506-995d672761c0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 // indirect
+ google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/component-base v0.29.2 // indirect
diff --git a/go.sum b/go.sum
index 3e6ac5c9f8f..7e34ee26249 100644
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,20 @@
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+fortio.org/assert v1.2.0 h1:XscfvR8yp4xW7OMCvNbCsieRFDxlwdEcb69+JZRp6LA=
+fortio.org/assert v1.2.0/go.mod h1:039mG+/iYDPO8Ibx8TrNuJCm2T2SuhwRI3uL9nHTTls=
+fortio.org/dflag v1.7.0 h1:4Vpo5hMly0rx9VMuyBaDGFK1Mx2S3qjxx1iAIA3KBgU=
+fortio.org/dflag v1.7.0/go.mod h1:FUxv/s3DXhCpy7GsuZa4FJWLR92gsYvG3ylkia8MbBM=
+fortio.org/fortio v1.63.3 h1:t4FoQ70znmYEEST3eyMLDqGaoNJPUDZNvoPRRH0WsaQ=
+fortio.org/fortio v1.63.3/go.mod h1:HFYGCHKrxS+Yuuw/7gcO7hhsEvrKt6t7sh1Xkn/kggw=
+fortio.org/log v1.12.0 h1:5Yg4pL9Pp0jcWeJYixm2xikMCldVaSDMgDFDmQJZfho=
+fortio.org/log v1.12.0/go.mod h1:1tMBG/Elr6YqjmJCWiejJp2FPvXg7/9UAN0Rfpkyt1o=
+fortio.org/sets v1.0.3 h1:HzewdGjH69YmyW06yzplL35lGr+X4OcqQt0qS6jbaO4=
+fortio.org/sets v1.0.3/go.mod h1:QZVj0r6KP/ZD9ebySW9SgxVNy/NjghUfyHW9NN+WU+4=
+fortio.org/struct2env v0.4.0 h1:k5alSOTf3YHiB3MuacjDHQ3YhVWvNZ95ZP/a6MqvyLo=
+fortio.org/struct2env v0.4.0/go.mod h1:lENUe70UwA1zDUCX+8AsO663QCFqYaprk5lnPhjD410=
+fortio.org/version v1.0.3 h1:5gJ3plj6isAOMq52cI5ifo4cC+QHmJF76Wevc5Cp4x0=
+fortio.org/version v1.0.3/go.mod h1:2JQp9Ax+tm6QKiGuzR5nJY63kFeANcgrZ0osoQFDVm0=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
@@ -51,8 +65,8 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101 h1:7To3pQ+pZo0i3dsWEbinPNFs5gPSBOsJtx3wTT94VBY=
-github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ=
+github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM=
github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -91,13 +105,12 @@ github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb
github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI=
github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA=
-github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE=
+github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A=
+github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 h1:yz9/p/8QVPuEjPqRfZDXJmRaURKpKkxCZXUhl22i+cU=
github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7/go.mod h1:NmJBO+gDMvSQWvcSWq8wmlgkDmHHAkx1SCxEGva5hKU=
github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -247,8 +260,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
-github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
@@ -286,6 +299,8 @@ github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJS
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -354,6 +369,8 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8m
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
@@ -389,19 +406,19 @@ github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prY
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
-github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
+github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
+github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
-github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
+github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.47.0 h1:p5Cz0FNHo7SnWOmWmoRozVcjEp0bIVU8cV7OShpjL1k=
-github.com/prometheus/common v0.47.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
+github.com/prometheus/common v0.49.0 h1:ToNTdK4zSnPVJmh698mGFkDor9wBI/iGaJy5dbH1EgI=
+github.com/prometheus/common v0.49.0/go.mod h1:Kxm+EULxRbUkjGU6WFsQqo3ORzB4tyKvlWFOE9mB2sE=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -492,8 +509,8 @@ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.24.0 h1:f2j
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.24.0/go.mod h1:B+bcQI1yTY+N0vqMpoZbEN7+XU4tNM0DmUiOwebFJWI=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.24.0 h1:mM8nKi6/iFQ0iqst80wDHU2ge198Ye/TfN0WBS5U24Y=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.24.0/go.mod h1:0PrIIzDteLSmNyxqcGYRL4mDIo8OTuBAOI/Bn1URxac=
-go.opentelemetry.io/otel/exporters/prometheus v0.45.0 h1:BeIK2KGho0oCWa7LxEGSqfDZbs7Fpv/Viz+FS4P8CXE=
-go.opentelemetry.io/otel/exporters/prometheus v0.45.0/go.mod h1:UVJZPLnfDSvHj+eJuZE+E1GjIBD267mEMfAAHJdghWg=
+go.opentelemetry.io/otel/exporters/prometheus v0.46.0 h1:I8WIFXR351FoLJYuloU4EgXbtNX2URfU/85pUPheIEQ=
+go.opentelemetry.io/otel/exporters/prometheus v0.46.0/go.mod h1:ztwVUHe5DTR/1v7PeuGRnU5Bbd4QKYwApWmuutKsJSs=
go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
@@ -514,8 +531,8 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
-go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -528,8 +545,8 @@ golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPh
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb h1:c0vyKkb6yr3KR7jEfJaOSv4lG7xPkbN6r52aJz1d8a8=
+golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -562,13 +579,13 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
-golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
+golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
+golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -614,8 +631,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -667,21 +684,20 @@ google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRn
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20231212172506-995d672761c0 h1:YJ5pD9rF8o9Qtta0Cmy9rdBwkSjrTCT6XTiUQVOtIos=
-google.golang.org/genproto v0.0.0-20231212172506-995d672761c0/go.mod h1:l/k7rMz0vFTBPy+tFSGvXEd3z+BcoG1k7EHbqm+YBsY=
-google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 h1:rcS6EyEaoCO52hQDupoSfrxI3R6C2Tq741is7X8OvnM=
-google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917/go.mod h1:CmlNWB9lSezaYELKS5Ym1r44VrrbPUa7JTvw+6MbpJ0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1:6G8oQ016D88m1xAKljMlBOOGWDZkes4kMhgGFlf8WcQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917/go.mod h1:xtjpI3tXFPP051KaWnhvxkiubL/6dJ18vLVf7q2pTOU=
+google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ=
+google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro=
+google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80 h1:Lj5rbfG876hIAYFjqiJnPHfhXbv+nzTWfm04Fg/XSVU=
+google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80/go.mod h1:4jWUdICTdgc3Ibxmr8nAJiiLHwQBY0UI0XZcEMaFKaA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY=
-google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
+google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk=
+google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
diff --git a/internal/cmd/egctl/testdata/translate/in/echo-gateway-api.yaml b/internal/cmd/egctl/testdata/translate/in/echo-gateway-api.yaml
index f0e412d92b0..57e3253c71a 100644
--- a/internal/cmd/egctl/testdata/translate/in/echo-gateway-api.yaml
+++ b/internal/cmd/egctl/testdata/translate/in/echo-gateway-api.yaml
@@ -55,7 +55,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
diff --git a/internal/cmd/egctl/testdata/translate/in/envoy-patch-policy.yaml b/internal/cmd/egctl/testdata/translate/in/envoy-patch-policy.yaml
index e020bc9d429..be98f705f71 100644
--- a/internal/cmd/egctl/testdata/translate/in/envoy-patch-policy.yaml
+++ b/internal/cmd/egctl/testdata/translate/in/envoy-patch-policy.yaml
@@ -59,7 +59,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
diff --git a/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml b/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml
index 14efe586c4e..cef3ccc5383 100644
--- a/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml
+++ b/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml
@@ -55,7 +55,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
diff --git a/internal/cmd/egctl/testdata/translate/in/quickstart.yaml b/internal/cmd/egctl/testdata/translate/in/quickstart.yaml
index f0e412d92b0..57e3253c71a 100644
--- a/internal/cmd/egctl/testdata/translate/in/quickstart.yaml
+++ b/internal/cmd/egctl/testdata/translate/in/quickstart.yaml
@@ -55,7 +55,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml
index f97ac235765..378f949644a 100644
--- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml
@@ -674,6 +674,9 @@ xds:
dynamicActiveClusters:
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
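Review bot: Every cluster in this expected output now carries `circuitBreakers.thresholds[0].maxRetries: 1024`, including clusters whose routes configure no retry policy, and the same applies to the other translate/out fixtures in this commit (echo-gateway-api.cluster.yaml, from-gateway-api-to-xds.all.json/.all.yaml/.cluster.yaml, jwt-single-route-single-match-to-xds.all.json/.all.yaml). Envoy's default for that threshold is 3, so 1024 concurrent retries per cluster removes most of the back-pressure that shields a degraded upstream from retry amplification; presumably the translator (not in this chunk) emits the value unconditionally. Consider pairing it with a `retryBudget` in the same thresholds entry, or raising the limit only on clusters that actually have a retry policy, and documenting the chosen value where it is set in the translator rather than leaving it to be discovered in fixtures.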
@@ -690,6 +693,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -711,6 +717,9 @@ xds:
http2ProtocolOptions: {}
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -727,6 +736,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -743,6 +755,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml
index c61a2fdf774..3d88f20f51d 100644
--- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml
@@ -92,6 +92,9 @@ xds:
dynamicActiveClusters:
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json
index 03b4c4e8622..cc0ba1f1d65 100644
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json
+++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json
@@ -370,6 +370,13 @@
{
"cluster": {
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "circuitBreakers": {
+ "thresholds": [
+ {
+ "maxRetries": 1024
+ }
+ ]
+ },
"commonLbConfig": {
"localityWeightedLbConfig": {}
},
@@ -392,6 +399,13 @@
{
"cluster": {
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "circuitBreakers": {
+ "thresholds": [
+ {
+ "maxRetries": 1024
+ }
+ ]
+ },
"commonLbConfig": {
"localityWeightedLbConfig": {}
},
@@ -422,6 +436,13 @@
{
"cluster": {
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "circuitBreakers": {
+ "thresholds": [
+ {
+ "maxRetries": 1024
+ }
+ ]
+ },
"commonLbConfig": {
"localityWeightedLbConfig": {}
},
@@ -444,6 +465,13 @@
{
"cluster": {
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "circuitBreakers": {
+ "thresholds": [
+ {
+ "maxRetries": 1024
+ }
+ ]
+ },
"commonLbConfig": {
"localityWeightedLbConfig": {}
},
@@ -466,6 +494,13 @@
{
"cluster": {
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "circuitBreakers": {
+ "thresholds": [
+ {
+ "maxRetries": 1024
+ }
+ ]
+ },
"commonLbConfig": {
"localityWeightedLbConfig": {}
},
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml
index 2ebb68e1841..10d3d74192f 100644
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml
@@ -200,6 +200,9 @@ xds:
dynamicActiveClusters:
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -216,6 +219,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -237,6 +243,9 @@ xds:
http2ProtocolOptions: {}
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -253,6 +262,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -269,6 +281,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml
index 57fee13d4ac..efdb106b143 100644
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml
@@ -4,6 +4,9 @@ xds:
dynamicActiveClusters:
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -20,6 +23,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -41,6 +47,9 @@ xds:
http2ProtocolOptions: {}
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -57,6 +66,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -73,6 +85,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
index 8a8d5051c17..f363a4e0f07 100644
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
@@ -262,6 +262,13 @@
{
"cluster": {
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "circuitBreakers": {
+ "thresholds": [
+ {
+ "maxRetries": 1024
+ }
+ ]
+ },
"commonLbConfig": {
"localityWeightedLbConfig": {}
},
@@ -284,6 +291,13 @@
{
"cluster": {
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "circuitBreakers": {
+ "thresholds": [
+ {
+ "maxRetries": 1024
+ }
+ ]
+ },
"commonLbConfig": {
"localityWeightedLbConfig": {}
},
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
index e1a2c1e5252..dd1a46b95fa 100644
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
@@ -144,6 +144,9 @@ xds:
dynamicActiveClusters:
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -160,6 +163,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml
index ea64bf8d0f9..d0add370ce3 100644
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml
@@ -4,6 +4,9 @@ xds:
dynamicActiveClusters:
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
@@ -20,6 +23,9 @@ xds:
type: EDS
- cluster:
'@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+ circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml
new file mode 100644
index 00000000000..3f2009bccf3
--- /dev/null
+++ b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml
@@ -0,0 +1,124 @@
+gateways:
+- metadata:
+ creationTimestamp: null
+ name: eg
+ namespace: envoy-gateway-system
+ spec:
+ gatewayClassName: eg
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: backend
+ namespace: envoy-gateway-system
+ spec:
+ hostnames:
+ - www.example.com
+ parentRefs:
+ - name: eg
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: backend
+ port: 3000
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: eg
+infraIR:
+ envoy-gateway-system/eg:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway-system/eg/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: eg
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway-system
+ name: envoy-gateway-system/eg
+xdsIR:
+ envoy-gateway-system/eg:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway-system/eg/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/envoy-gateway-system/backend/rule/0
+ settings:
+ - endpoints:
+ - host: 7.7.7.7
+ port: 3000
+ protocol: HTTP
+ weight: 1
+ hostname: www.example.com
+ isHTTP2: false
+ name: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /
diff --git a/internal/cmd/egctl/translate.go b/internal/cmd/egctl/translate.go
index a97c83261b7..7935950bcbc 100644
--- a/internal/cmd/egctl/translate.go
+++ b/internal/cmd/egctl/translate.go
@@ -27,6 +27,7 @@ import (
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "k8s.io/apimachinery/pkg/util/sets"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
@@ -45,11 +46,14 @@ import (
const (
gatewayAPIType = "gateway-api"
xdsType = "xds"
+ irType = "ir"
)
type TranslationResult struct {
gatewayapi.Resources
- Xds map[string]interface{} `json:"xds,omitempty"`
+ XdsIR gatewayapi.XdsIRMap `json:"xdsIR,omitempty" yaml:"xdsIR,omitempty"`
+ InfraIR gatewayapi.InfraIRMap `json:"infraIR,omitempty" yaml:"infraIR,omitempty"`
+ Xds map[string]interface{} `json:"xds,omitempty"`
}
func newTranslateCommand() *cobra.Command {
@@ -93,6 +97,9 @@ func newTranslateCommand() *cobra.Command {
# Translate Gateway API Resources into All xDS Resources in YAML output,
# also print the Gateway API Resources with updated status in the same output.
egctl experimental translate --from gateway-api --to gateway-api,xds --type all --output yaml --file
+
+ # Translate Gateway API Resources into IR in YAML output,
+ egctl experimental translate --from gateway-api --to ir --output yaml --file
`,
RunE: func(cmd *cobra.Command, args []string) error {
return translate(cmd.OutOrStdout(), inFile, inType, outTypes, output, resourceType, addMissingResources, dnsDomain)
@@ -130,7 +137,7 @@ func getValidInputTypesStr() string {
}
func validOutputTypes() []string {
- return []string{xdsType, gatewayAPIType}
+ return []string{xdsType, gatewayAPIType, irType}
}
func findInvalidOutputType(outTypes []string) string {
@@ -243,6 +250,15 @@ func translate(w io.Writer, inFile, inType string, outTypes []string, output, re
}
result.Xds = res
}
+ if outType == irType {
+ res, err := translateGatewayAPIToIR(resources)
+ if err != nil {
+ return err
+ }
+ result.Resources = res.Resources
+ result.XdsIR = res.XdsIR
+ result.InfraIR = res.InfraIR
+ }
}
// Print
if err = printOutput(w, result, output); err != nil {
@@ -254,6 +270,32 @@ func translate(w io.Writer, inFile, inType string, outTypes []string, output, re
return fmt.Errorf("unable to find translate from input type %s to output type %s", inType, outTypes)
}
+func translateGatewayAPIToIR(resources *gatewayapi.Resources) (*gatewayapi.TranslateResult, error) {
+ if resources.GatewayClass == nil {
+ return nil, fmt.Errorf("the GatewayClass resource is required")
+ }
+
+ t := &gatewayapi.Translator{
+ GatewayControllerName: egv1a1.GatewayControllerName,
+ GatewayClassName: gwapiv1.ObjectName(resources.GatewayClass.Name),
+ GlobalRateLimitEnabled: true,
+ EndpointRoutingDisabled: true,
+ EnvoyPatchPolicyEnabled: true,
+ }
+
+ // Fix the services in the resources section so that they have an IP address - this prevents nasty
+ // errors in the translation.
+ for _, svc := range resources.Services {
+ if svc.Spec.ClusterIP == "" {
+ svc.Spec.ClusterIP = "10.96.1.2"
+ }
+ }
+
+ result := t.Translate(resources)
+
+ return result, nil
+}
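Review bot: translateGatewayAPIToIR mutates its input: the loop that sets `svc.Spec.ClusterIP = "10.96.1.2"` writes into the caller's `resources`, which is presumably shared with the other output types requested in the same translate call, so a later `gateway-api` or `xds` pass would see the synthetic IP as well. If that is intended, say so in the existing comment; otherwise patch a copy of the Services rather than the originals. The Translator flags (`GlobalRateLimitEnabled`, `EndpointRoutingDisabled`, `EnvoyPatchPolicyEnabled`) are hard-coded, so the emitted IR can differ from what a running controller produces; a doc comment such as `// translateGatewayAPIToIR runs the Gateway API translator with a fixed offline Translator configuration and returns the resulting xDS and infra IR; the flag values are not read from the EnvoyGateway config.` would make that explicit. translateGatewayAPIToGatewayAPI below appears to open with the same GatewayClass check, so a shared Translator constructor is worth considering.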
+
func translateGatewayAPIToGatewayAPI(resources *gatewayapi.Resources) (gatewayapi.Resources, error) {
if resources.GatewayClass == nil {
return gatewayapi.Resources{}, fmt.Errorf("the GatewayClass resource is required")
@@ -849,21 +891,19 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*gatewayap
if provided, found := providedServiceMap[key]; !found {
resources.Services = append(resources.Services, service)
} else {
- providedPorts := map[string]bool{}
+ providedPorts := sets.NewString()
for _, port := range provided.Spec.Ports {
- providedPorts[fmt.Sprintf("%s-%d", port.Protocol, port.Port)] = true
+ portKey := fmt.Sprintf("%s-%d", port.Protocol, port.Port)
+ providedPorts.Insert(portKey)
}
for _, port := range service.Spec.Ports {
- protocol := port.Protocol
- port := port.Port
- name := fmt.Sprintf("%s-%d", protocol, port)
-
- if _, found := providedPorts[name]; !found {
+ name := fmt.Sprintf("%s-%d", port.Protocol, port.Port)
+ if !providedPorts.Has(name) {
servicePort := v1.ServicePort{
Name: name,
- Protocol: protocol,
- Port: port,
+ Protocol: port.Protocol,
+ Port: port.Port,
}
provided.Spec.Ports = append(provided.Spec.Ports, servicePort)
}
diff --git a/internal/cmd/egctl/translate_test.go b/internal/cmd/egctl/translate_test.go
index 11ac62c95a0..001c8bd873b 100644
--- a/internal/cmd/egctl/translate_test.go
+++ b/internal/cmd/egctl/translate_test.go
@@ -192,6 +192,13 @@ func TestTranslate(t *testing.T) {
expect: true,
extraArgs: []string{"--add-missing-resources"},
},
+ {
+ name: "quickstart",
+ from: "gateway-api",
+ to: "ir",
+ output: yamlOutput,
+ expect: true,
+ },
{
name: "quickstart",
from: "gateway-api",
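Review bot: The new case reuses `name: "quickstart"`, which the case that follows also uses, so the two subtests share a `t.Run` name (Go disambiguates with a `#01` suffix) and any golden-file path derived from `name` alone would collide. The new golden file is `quickstart.all.yaml`, which suggests the path includes more than the name, but that is not visible here; giving the case a distinct name such as `name: "quickstart-ir"` (and renaming the golden file accordingly) removes the ambiguity. TestTranslate starts outside the hunk.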
diff --git a/internal/crypto/certgen.go b/internal/crypto/certgen.go
index 5f4ff4a69a5..6c6ef10ccbf 100644
--- a/internal/crypto/certgen.go
+++ b/internal/crypto/certgen.go
@@ -77,6 +77,7 @@ type Certificates struct {
EnvoyPrivateKey []byte
EnvoyRateLimitCertificate []byte
EnvoyRateLimitPrivateKey []byte
+ OIDCHMACSecret []byte
}
// certificateRequest defines a certificate request.
@@ -153,6 +154,11 @@ func GenerateCerts(cfg *config.Server) (*Certificates, error) {
return nil, err
}
+ oidcHMACSecret, err := generateHMACSecret()
+ if err != nil {
+ return nil, err
+ }
+
return &Certificates{
CACertificate: caCertPEM,
EnvoyGatewayCertificate: egCert,
@@ -161,6 +167,7 @@ func GenerateCerts(cfg *config.Server) (*Certificates, error) {
EnvoyPrivateKey: envoyKey,
EnvoyRateLimitCertificate: envoyRateLimitCert,
EnvoyRateLimitPrivateKey: envoyRateLimitKey,
+ OIDCHMACSecret: oidcHMACSecret,
}, nil
default:
// Envoy Gateway, e.g. self-signed CA, is the only supported certificate provider.
@@ -285,3 +292,19 @@ func kubeServiceNames(service, namespace, dnsName string) []string {
fmt.Sprintf("%s.%s.svc.%s", service, namespace, dnsName),
}
}
+
+func generateHMACSecret() ([]byte, error) {
+ // Set the desired length of the secret key in bytes
+ keyLength := 32
+
+ // Create a byte slice to hold the random bytes
+ key := make([]byte, keyLength)
+
+ // Read random bytes from the cryptographically secure random number generator
+ _, err := rand.Read(key)
+ if err != nil {
+ return nil, fmt.Errorf("failed to generate hmack secret key: %w", err)
+ }
+
+ return key, nil
+}
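Review bot: The error string in the `rand.Read` failure branch has a typo, `hmack`; change it to `return nil, fmt.Errorf("failed to generate hmac secret key: %w", err)`. The comment says the bytes come from a cryptographically secure generator, but the file's imports are outside the hunk — confirm `rand` resolves to `crypto/rand` rather than `math/rand`, since the result is used as an HMAC key. `keyLength := 32` would read better as a package-level constant (`const oidcHMACSecretLength = 32`) that the test can reference too, and the function deserves a doc comment: `// generateHMACSecret returns 32 random bytes for use as the OIDC HMAC key.`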
diff --git a/internal/crypto/certgen_test.go b/internal/crypto/certgen_test.go
index 24e4a18ca79..eb09d6d2c34 100644
--- a/internal/crypto/certgen_test.go
+++ b/internal/crypto/certgen_test.go
@@ -7,6 +7,7 @@ package crypto
import (
"crypto/x509"
+ "encoding/base64"
"encoding/pem"
"fmt"
"testing"
@@ -153,3 +154,9 @@ func verifyCert(certPEM []byte, roots *x509.CertPool, dnsname string, currentTim
return nil
}
+
+func TestGenerateHMACSecret(t *testing.T) {
+ bytes, _ := generateHMACSecret()
+ encodedSecret := base64.StdEncoding.EncodeToString(bytes)
+ fmt.Println("Base64 encoded secret:", encodedSecret)
+}
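Review bot: TestGenerateHMACSecret asserts nothing: it discards the error from `generateHMACSecret()` and only prints the base64 of the result, so the test passes on any output including `nil`, and it writes a freshly generated secret into the test log for no purpose. Check the error, assert the expected length, and drop the print; the `encoding/base64` import added at the top of the file then becomes unused and should be removed as well.
```go
func TestGenerateHMACSecret(t *testing.T) {
	secret, err := generateHMACSecret()
	if err != nil {
		t.Fatalf("generateHMACSecret() returned error: %v", err)
	}
	if len(secret) != 32 {
		t.Fatalf("expected a 32-byte secret, got %d bytes", len(secret))
	}
}
```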
diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go
new file mode 100644
index 00000000000..8c022d34522
--- /dev/null
+++ b/internal/gatewayapi/backendtlspolicy.go
@@ -0,0 +1,202 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package gatewayapi
+
+import (
+ "fmt"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+ gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+ "github.com/envoyproxy/gateway/internal/ir"
+ "github.com/envoyproxy/gateway/internal/status"
+)
+
+func (t *Translator) processBackendTLSPolicy(
+ backendRef gwapiv1.BackendObjectReference,
+ backendNamespace string,
+ parent gwapiv1a2.ParentReference,
+ resources *Resources) *ir.TLSUpstreamConfig {
+ tlsBundle, err := getBackendTLSBundle(resources.BackendTLSPolicies, resources.ConfigMaps, backendRef, backendNamespace)
+ if err == nil && tlsBundle == nil {
+ return nil
+ }
+
+ policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace)
+
+ ancestor := gwapiv1a2.PolicyAncestorStatus{
+ AncestorRef: parent,
+ ControllerName: gwapiv1.GatewayController(t.GatewayControllerName),
+ }
+
+ if err != nil {
+ status.SetBackendTLSPolicyCondition(
+ policy,
+ ancestor,
+ gwapiv1a2.PolicyConditionAccepted,
+ metav1.ConditionFalse,
+ gwapiv1a2.PolicyReasonInvalid,
+ status.Error2ConditionMsg(err))
+ return nil
+ }
+
+ // Check if the reference from BackendTLSPolicy to BackendRef is permitted by
+ // any ReferenceGrant
+ backendRefKind := KindService
+ if backendRef.Kind != nil {
+ backendRefKind = string(*backendRef.Kind)
+ }
+ if policy.Namespace != backendNamespace {
+ if !t.validateCrossNamespaceRef(
+ crossNamespaceFrom{
+ group: gwapiv1.GroupName,
+ kind: KindBackendTLSPolicy,
+ namespace: policy.Namespace,
+ },
+ crossNamespaceTo{
+ group: "",
+ kind: backendRefKind,
+ namespace: backendNamespace,
+ name: string(backendRef.Name),
+ },
+ resources.ReferenceGrants,
+ ) {
+ status.SetBackendTLSPolicyCondition(
+ policy,
+ ancestor,
+ gwapiv1a2.PolicyConditionAccepted,
+ metav1.ConditionFalse,
+ gwapiv1a2.PolicyReasonInvalid,
+ fmt.Sprintf("target ref to %s %s/%s not permitted by any ReferenceGrant",
+ backendRefKind, backendNamespace, backendRef.Name))
+ return nil
+ }
+ }
+
+ status.SetBackendTLSPolicyCondition(
+ policy,
+ ancestor,
+ gwapiv1a2.PolicyConditionAccepted,
+ metav1.ConditionTrue,
+ gwapiv1a2.PolicyReasonAccepted,
+ "BackendTLSPolicy is Accepted")
+ return tlsBundle
+}
+
+func backendTLSTargetMatched(policy gwapiv1a2.BackendTLSPolicy, target gwapiv1a2.PolicyTargetReferenceWithSectionName) bool {
+
+ policyTarget := policy.Spec.TargetRef
+
+ if target.Group == policyTarget.Group &&
+ target.Kind == policyTarget.Kind &&
+ target.Name == policyTarget.Name &&
+ NamespaceDerefOr(policyTarget.Namespace, policy.Namespace) == string(*target.Namespace) {
+ if policyTarget.SectionName != nil && *policyTarget.SectionName != *target.SectionName {
+ return false
+ }
+ return true
+ }
+ return false
+}
+
+func getBackendTLSPolicy(policies []*gwapiv1a2.BackendTLSPolicy, backendRef gwapiv1a2.BackendObjectReference, backendNamespace string) *gwapiv1a2.BackendTLSPolicy {
+ target := GetTargetBackendReference(backendRef, backendNamespace)
+ for _, policy := range policies {
+ if backendTLSTargetMatched(*policy, target) {
+ return policy
+ }
+ }
+ return nil
+}
+
+func getBackendTLSBundle(policies []*gwapiv1a2.BackendTLSPolicy, configmaps []*corev1.ConfigMap, backendRef gwapiv1a2.BackendObjectReference, backendNamespace string) (*ir.TLSUpstreamConfig, error) {
+
+ backendTLSPolicy := getBackendTLSPolicy(policies, backendRef, backendNamespace)
+
+ if backendTLSPolicy == nil {
+ return nil, nil
+ }
+
+ tlsBundle := &ir.TLSUpstreamConfig{
+ SNI: string(backendTLSPolicy.Spec.TLS.Hostname),
+ UseSystemTrustStore: ptr.Deref(backendTLSPolicy.Spec.TLS.WellKnownCACerts, "") == gwapiv1a2.WellKnownCACertSystem,
+ }
+ if tlsBundle.UseSystemTrustStore {
+ return tlsBundle, nil
+ }
+
+ caRefMap := make(map[string]string)
+
+ for _, caRef := range backendTLSPolicy.Spec.TLS.CACertRefs {
+ caRefMap[string(caRef.Name)] = string(caRef.Kind)
+ }
+
+ ca := ""
+
+ for _, cmap := range configmaps {
+ if kind, ok := caRefMap[cmap.Name]; ok && kind == cmap.Kind {
+ if crt, dataOk := cmap.Data["ca.crt"]; dataOk {
+ if ca != "" {
+ ca += "\n"
+ }
+ ca += crt
+ } else {
+ return nil, fmt.Errorf("no ca found in configmap %s", cmap.Name)
+ }
+ }
+ }
+
+ if ca == "" {
+ return nil, fmt.Errorf("no ca found in referred configmaps")
+ }
+ tlsBundle.CACertificate = &ir.TLSCACertificate{
+ Certificate: []byte(ca),
+ Name: fmt.Sprintf("%s/%s-ca", backendTLSPolicy.Name, backendTLSPolicy.Namespace),
+ }
+
+ return tlsBundle, nil
+}
+
+func (t *Translator) ProcessBackendTLSPoliciesAncestorRef(backendTLSPolicies []*gwapiv1a2.BackendTLSPolicy, gateways []*GatewayContext) []*gwapiv1a2.BackendTLSPolicy {
+
+ var res []*gwapiv1a2.BackendTLSPolicy
+
+ for _, btlsPolicy := range backendTLSPolicies {
+
+ policy := btlsPolicy.DeepCopy()
+ res = append(res, policy)
+
+ if policy.Status.Ancestors != nil {
+ for k, status := range policy.Status.Ancestors {
+ if status.AncestorRef.Kind != nil && *status.AncestorRef.Kind != KindGateway {
+ continue
+ }
+ exist := false
+ for _, gwContext := range gateways {
+ gw := gwContext.Gateway
+ if gw.Name == string(status.AncestorRef.Name) && gw.Namespace == NamespaceDerefOrAlpha(status.AncestorRef.Namespace, "default") {
+ for _, lis := range gw.Spec.Listeners {
+ if lis.Name == ptr.Deref(status.AncestorRef.SectionName, "") {
+ exist = true
+ }
+ }
+ }
+ }
+
+ if !exist {
+ policy.Status.Ancestors = append(policy.Status.Ancestors[:k], policy.Status.Ancestors[k+1:]...)
+ }
+ }
+ } else {
+ policy.Status.Ancestors = []gwapiv1a2.PolicyAncestorStatus{}
+ }
+ }
+
+ return res
+}
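Review bot: ProcessBackendTLSPoliciesAncestorRef deletes from `policy.Status.Ancestors` while ranging over it by index: after the first `append(policy.Status.Ancestors[:k], policy.Status.Ancestors[k+1:]...)` the slice is shorter but `k` keeps advancing over the original length, so later elements are skipped and `Ancestors[k+1:]` can panic once `k+1` exceeds the new length; build a filtered slice instead (below). In getBackendTLSBundle the ConfigMap lookup keys `caRefMap` by name only and never compares `cmap.Namespace` with `backendTLSPolicy.Namespace`, so a same-named ConfigMap from any namespace in `resources.ConfigMaps` can supply the upstream CA; the match should be `if kind, ok := caRefMap[cmap.Name]; ok && kind == cmap.Kind && cmap.Namespace == backendTLSPolicy.Namespace {`, and note that `cmap.Kind` may be empty on objects read from the API, which would make the match silently fail — worth confirming. The loop variable `status` in the ancestors loop also shadows the imported `status` package; the rewrite renames it.
```go
func (t *Translator) ProcessBackendTLSPoliciesAncestorRef(backendTLSPolicies []*gwapiv1a2.BackendTLSPolicy, gateways []*GatewayContext) []*gwapiv1a2.BackendTLSPolicy {
	var res []*gwapiv1a2.BackendTLSPolicy

	for _, btlsPolicy := range backendTLSPolicies {
		policy := btlsPolicy.DeepCopy()
		res = append(res, policy)

		if policy.Status.Ancestors == nil {
			policy.Status.Ancestors = []gwapiv1a2.PolicyAncestorStatus{}
			continue
		}

		// Rebuild the slice rather than deleting in place while ranging over it.
		kept := make([]gwapiv1a2.PolicyAncestorStatus, 0, len(policy.Status.Ancestors))
		for _, ancestor := range policy.Status.Ancestors {
			if ancestor.AncestorRef.Kind != nil && *ancestor.AncestorRef.Kind != KindGateway {
				kept = append(kept, ancestor)
				continue
			}
			// … unchanged: scan gateways for a listener matching ancestor.AncestorRef, setting exist …
			if exist {
				kept = append(kept, ancestor)
			}
		}
		policy.Status.Ancestors = kept
	}

	return res
}
```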
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go
index c3e4cec23d6..1987ebb6e88 100644
--- a/internal/gatewayapi/backendtrafficpolicy.go
+++ b/internal/gatewayapi/backendtrafficpolicy.go
@@ -16,6 +16,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/utils/ptr"
gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
gwv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
@@ -71,9 +72,12 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv
gatewayMap[key] = &policyGatewayTargetContext{GatewayContext: gw}
}
+ // Map of Gateway to the routes attached to it
+ gatewayRouteMap := make(map[string]sets.Set[string])
+
// Translate
// 1. First translate Policies targeting xRoutes
- // 2.. Finally, the policies targeting Gateways
+ // 2. Finally, the policies targeting Gateways
// Process the policies targeting xRoutes
for _, policy := range backendTrafficPolicies {
@@ -87,6 +91,26 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv
continue
}
+ // Find the Gateway that the route belongs to and add it to the
+ // gatewayRouteMap, which will be used to check policy overrides
+ for _, p := range GetParentReferences(route) {
+ if p.Kind == nil || *p.Kind == KindGateway {
+ namespace := route.GetNamespace()
+ if p.Namespace != nil {
+ namespace = string(*p.Namespace)
+ }
+ gw := types.NamespacedName{
+ Namespace: namespace,
+ Name: string(p.Name),
+ }.String()
+
+ if _, ok := gatewayRouteMap[gw]; !ok {
+ gatewayRouteMap[gw] = make(sets.Set[string])
+ }
+ gatewayRouteMap[gw].Insert(utils.NamespacedName(route).String())
+ }
+ }
+
t.translateBackendTrafficPolicyForRoute(policy, route, xdsIR)
message := "BackendTrafficPolicy has been accepted."
@@ -110,6 +134,24 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv
message := "BackendTrafficPolicy has been accepted."
status.SetBackendTrafficPolicyAcceptedIfUnset(&policy.Status, message)
+
+ // Check if this policy is overridden by other policies targeting at
+ // route level
+ gw := utils.NamespacedName(gateway).String()
+ if r, ok := gatewayRouteMap[gw]; ok {
+ // Maintain order here to ensure status/string does not change with the same data
+ routes := r.UnsortedList()
+ sort.Strings(routes)
+ message := fmt.Sprintf(
+ "This policy is being overridden by other backendTrafficPolicies for these routes: %v",
+ routes)
+ status.SetBackendTrafficPolicyCondition(policy,
+ egv1a1.PolicyConditionOverridden,
+ metav1.ConditionTrue,
+ egv1a1.PolicyReasonOverridden,
+ message,
+ )
+ }
}
}
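Review bot: Inside the `if r, ok := gatewayRouteMap[gw]; ok` block, `message := fmt.Sprintf(...)` shadows the `message` declared just above for the Accepted condition, which reads like a reassignment that would alter the Accepted message. Rename it, e.g. `overriddenMsg := fmt.Sprintf("This policy is being overridden by other backendTrafficPolicies for these routes: %v", routes)` and pass `overriddenMsg` to `status.SetBackendTrafficPolicyCondition`. ProcessBackendTrafficPolicies starts outside the hunk.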
@@ -125,9 +167,9 @@ func resolveBTPolicyGatewayTargetRef(policy *egv1a1.BackendTrafficPolicy, gatewa
// Ensure Policy and target are in the same namespace
if policy.Namespace != string(*targetNs) {
-
message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, BackendTrafficPolicy can only target a resource in the same namespace.",
policy.Namespace, *targetNs)
+
status.SetBackendTrafficPolicyCondition(policy,
gwv1a2.PolicyConditionAccepted,
metav1.ConditionFalse,
@@ -146,14 +188,6 @@ func resolveBTPolicyGatewayTargetRef(policy *egv1a1.BackendTrafficPolicy, gatewa
// Gateway not found
if !ok {
- message := fmt.Sprintf("Gateway:%s not found.", policy.Spec.TargetRef.Name)
-
- status.SetBackendTrafficPolicyCondition(policy,
- gwv1a2.PolicyConditionAccepted,
- metav1.ConditionFalse,
- gwv1a2.PolicyReasonTargetNotFound,
- message,
- )
return nil
}
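Review bot: With the `TargetNotFound` condition removed, a BackendTrafficPolicy whose Gateway does not exist now returns `nil` from resolveBTPolicyGatewayTargetRef without any condition being set; unless status for this case is written elsewhere (not visible here), the policy keeps whatever stale status it had. If a missing target is meant to be reported by another layer, a one-line comment at the `return nil`, e.g. `// A missing target is reported by the caller; no condition is set here.`, would stop the next reader from re-adding it. The same removal appears in resolveBTPolicyRouteTargetRef, in resolveCTPolicyTargetRef (both the Gateway and the SectionName branches) and in ProcessEnvoyPatchPolicies, where the deleted comment said the condition was deliberately kept for a possible future publish path, so a word on why that is no longer wanted would help. Each of these functions starts outside its hunk.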
@@ -186,9 +220,9 @@ func resolveBTPolicyRouteTargetRef(policy *egv1a1.BackendTrafficPolicy, routes m
// Ensure Policy and target are in the same namespace
if policy.Namespace != string(*targetNs) {
-
message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, BackendTrafficPolicy can only target a resource in the same namespace.",
policy.Namespace, *targetNs)
+
status.SetBackendTrafficPolicyCondition(policy,
gwv1a2.PolicyConditionAccepted,
metav1.ConditionFalse,
@@ -208,14 +242,6 @@ func resolveBTPolicyRouteTargetRef(policy *egv1a1.BackendTrafficPolicy, routes m
// Route not found
if !ok {
- message := fmt.Sprintf("%s/%s/%s not found.", policy.Spec.TargetRef.Kind, string(*targetNs), policy.Spec.TargetRef.Name)
-
- status.SetBackendTrafficPolicyCondition(policy,
- gwv1a2.PolicyConditionAccepted,
- metav1.ConditionFalse,
- gwv1a2.PolicyReasonTargetNotFound,
- message,
- )
return nil
}
@@ -783,14 +809,15 @@ func (t *Translator) buildHTTPActiveHealthChecker(h *egv1a1.HTTPActiveHealthChec
*irHTTP.Method = strings.ToUpper(*irHTTP.Method)
}
- var irStatuses []ir.HTTPStatus
// deduplicate http statuses
- statusSet := make(map[egv1a1.HTTPStatus]bool, len(h.ExpectedStatuses))
+ statusSet := sets.NewInt()
for _, r := range h.ExpectedStatuses {
- if _, ok := statusSet[r]; !ok {
- statusSet[r] = true
- irStatuses = append(irStatuses, ir.HTTPStatus(r))
- }
+ statusSet.Insert(int(r))
+ }
+ irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len())
+
+ for _, r := range statusSet.List() {
+ irStatuses = append(irStatuses, ir.HTTPStatus(r))
}
irHTTP.ExpectedStatuses = irStatuses
@@ -877,6 +904,15 @@ func (t *Translator) buildCircuitBreaker(policy *egv1a1.BackendTrafficPolicy) *i
}
}
+ if pcb.MaxParallelRetries != nil {
+ if ui32, ok := int64ToUint32(*pcb.MaxParallelRetries); ok {
+ cb.MaxParallelRetries = &ui32
+ } else {
+ setBackendTrafficPolicyTranslationErrorCondition(policy, "Circuit Breaker", fmt.Sprintf("invalid MaxParallelRetries value %d", *pcb.MaxParallelRetries))
+ return nil
+ }
+ }
+
if pcb.MaxRequestsPerConnection != nil {
if ui32, ok := int64ToUint32(*pcb.MaxRequestsPerConnection); ok {
cb.MaxRequestsPerConnection = &ui32
@@ -885,6 +921,7 @@ func (t *Translator) buildCircuitBreaker(policy *egv1a1.BackendTrafficPolicy) *i
return nil
}
}
+
}
return cb
@@ -1106,27 +1143,27 @@ func (t *Translator) buildRetry(policy *egv1a1.BackendTrafficPolicy) *ir.Retry {
}
func makeIrStatusSet(in []egv1a1.HTTPStatus) []ir.HTTPStatus {
- var irStatuses []ir.HTTPStatus
- // deduplicate http statuses
- statusSet := make(map[egv1a1.HTTPStatus]bool, len(in))
+ statusSet := sets.NewInt()
for _, r := range in {
- if _, ok := statusSet[r]; !ok {
- statusSet[r] = true
- irStatuses = append(irStatuses, ir.HTTPStatus(r))
- }
+ statusSet.Insert(int(r))
+ }
+ irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len())
+
+ for _, r := range statusSet.List() {
+ irStatuses = append(irStatuses, ir.HTTPStatus(r))
}
return irStatuses
}
func makeIrTriggerSet(in []egv1a1.TriggerEnum) []ir.TriggerEnum {
- var irTriggers []ir.TriggerEnum
- // deduplicate http statuses
- triggerSet := make(map[egv1a1.TriggerEnum]bool, len(in))
+ triggerSet := sets.NewString()
for _, r := range in {
- if _, ok := triggerSet[r]; !ok {
- triggerSet[r] = true
- irTriggers = append(irTriggers, ir.TriggerEnum(r))
- }
+ triggerSet.Insert(string(r))
+ }
+ irTriggers := make([]ir.TriggerEnum, 0, triggerSet.Len())
+
+ for _, r := range triggerSet.List() {
+ irTriggers = append(irTriggers, ir.TriggerEnum(r))
}
return irTriggers
}
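Review bot: Both helpers lost their only comment, and the rewrite also changes the output order from first occurrence to sorted, since `sets.Int.List()` and `sets.String.List()` return sorted slices; that alters the order of retry statuses and triggers in the emitted IR, which is harmless if consumers treat them as sets but should be stated. Add `// makeIrStatusSet deduplicates the HTTP statuses and returns them in ascending order.` and `// makeIrTriggerSet deduplicates the retry triggers and returns them sorted.` (the removed comment on the trigger helper said "http statuses", a copy-paste slip not worth repeating).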
diff --git a/internal/gatewayapi/backendtrafficpolicy_test.go b/internal/gatewayapi/backendtrafficpolicy_test.go
index df943a2032b..d40d1e68c76 100644
--- a/internal/gatewayapi/backendtrafficpolicy_test.go
+++ b/internal/gatewayapi/backendtrafficpolicy_test.go
@@ -7,9 +7,13 @@ package gatewayapi
import (
"math"
+ "reflect"
"testing"
"github.com/stretchr/testify/require"
+
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+ "github.com/envoyproxy/gateway/internal/ir"
)
func TestInt64ToUint32(t *testing.T) {
@@ -50,3 +54,57 @@ func TestInt64ToUint32(t *testing.T) {
})
}
}
+
+func TestMakeIrStatusSet(t *testing.T) {
+ tests := []struct {
+ name string
+ in []egv1a1.HTTPStatus
+ want []ir.HTTPStatus
+ }{
+ {
+ name: "no duplicates",
+ in: []egv1a1.HTTPStatus{200, 404},
+ want: []ir.HTTPStatus{200, 404},
+ },
+ {
+ name: "with duplicates",
+ in: []egv1a1.HTTPStatus{200, 404, 200},
+ want: []ir.HTTPStatus{200, 404},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := makeIrStatusSet(tt.in); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("makeIrStatusSet() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
+
+func TestMakeIrTriggerSet(t *testing.T) {
+ tests := []struct {
+ name string
+ in []egv1a1.TriggerEnum
+ want []ir.TriggerEnum
+ }{
+ {
+ name: "no duplicates",
+ in: []egv1a1.TriggerEnum{"5xx", "reset"},
+ want: []ir.TriggerEnum{"5xx", "reset"},
+ },
+ {
+ name: "with duplicates",
+ in: []egv1a1.TriggerEnum{"5xx", "reset", "5xx"},
+ want: []ir.TriggerEnum{"5xx", "reset"},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := makeIrTriggerSet(tt.in); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("makeIrTriggerSet() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
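Review bot: Both new tables only use inputs that are already in ascending order, so they cannot distinguish first-occurrence order from the sorted order that `List()` now produces; add a case such as `in: []egv1a1.HTTPStatus{503, 200}, want: []ir.HTTPStatus{200, 503}` (and `{"reset", "5xx"}` → `{"5xx", "reset"}` for triggers) so the ordering contract is pinned. An empty-input case is also worth adding, because `reflect.DeepEqual` distinguishes a nil slice from the non-nil empty slice that `make(..., 0, 0)` returns.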
diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go
index f5992db21a8..5960758718c 100644
--- a/internal/gatewayapi/clienttrafficpolicy.go
+++ b/internal/gatewayapi/clienttrafficpolicy.go
@@ -147,7 +147,6 @@ func (t *Translator) ProcessClientTrafficPolicies(resources *Resources,
)
continue
-
}
// Check if another policy targeting the same Gateway exists
@@ -227,9 +226,9 @@ func resolveCTPolicyTargetRef(policy *egv1a1.ClientTrafficPolicy, gateways []*Ga
// Ensure Policy and target Gateway are in the same namespace
if policy.Namespace != string(*targetNs) {
-
message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, ClientTrafficPolicy can only target a Gateway in the same namespace.",
policy.Namespace, *targetNs)
+
status.SetClientTrafficPolicyCondition(policy,
gwv1a2.PolicyConditionAccepted,
metav1.ConditionFalse,
@@ -250,14 +249,6 @@ func resolveCTPolicyTargetRef(policy *egv1a1.ClientTrafficPolicy, gateways []*Ga
// Gateway not found
if gateway == nil {
- message := fmt.Sprintf("Gateway:%s not found.", policy.Spec.TargetRef.Name)
-
- status.SetClientTrafficPolicyCondition(policy,
- gwv1a2.PolicyConditionAccepted,
- metav1.ConditionFalse,
- gwv1a2.PolicyReasonTargetNotFound,
- message,
- )
return nil
}
@@ -271,13 +262,6 @@ func resolveCTPolicyTargetRef(policy *egv1a1.ClientTrafficPolicy, gateways []*Ga
}
}
if !found {
- message := fmt.Sprintf("SectionName(Listener):%s not found.", *(policy.Spec.TargetRef.SectionName))
- status.SetClientTrafficPolicyCondition(policy,
- gwv1a2.PolicyConditionAccepted,
- metav1.ConditionFalse,
- gwv1a2.PolicyReasonTargetNotFound,
- message,
- )
return nil
}
}
@@ -559,6 +543,10 @@ func (t *Translator) translateListenerTLSParameters(policy *egv1a1.ClientTraffic
"caCertificateRef not found in secret %s", caCertRef.Name)
}
+ if err := validateCertificate(secretBytes); err != nil {
+ return fmt.Errorf("invalid certificate in secret %s: %w", caCertRef.Name, err)
+ }
+
irCACert.Certificate = append(irCACert.Certificate, secretBytes...)
} else if string(*caCertRef.Kind) == KindConfigMap {
@@ -573,6 +561,10 @@ func (t *Translator) translateListenerTLSParameters(policy *egv1a1.ClientTraffic
"caCertificateRef not found in configMap %s", caCertRef.Name)
}
+ if err := validateCertificate([]byte(configMapBytes)); err != nil {
+ return fmt.Errorf("invalid certificate in configmap %s: %w", caCertRef.Name, err)
+ }
+
irCACert.Certificate = append(irCACert.Certificate, configMapBytes...)
} else {
return fmt.Errorf("unsupported caCertificateRef kind:%s", string(*caCertRef.Kind))
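Review bot: The two new `validateCertificate` calls guard CA material referenced by ClientTrafficPolicy, but the BackendTLSPolicy path added in this same diff (getBackendTLSBundle in backendtlspolicy.go) concatenates ConfigMap `ca.crt` data into the upstream trust bundle with no equivalent check, so a malformed CA still reaches the xDS layer by that route. Apply the same guard there: `if err := validateCertificate([]byte(crt)); err != nil { return nil, fmt.Errorf("invalid ca.crt in configmap %s: %w", cmap.Name, err) }`. The Secret and ConfigMap branches here now differ only in the error wording, so a small helper taking the bytes and the ref kind would remove the duplication. translateListenerTLSParameters starts outside the hunk.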
diff --git a/internal/gatewayapi/envoypatchpolicy.go b/internal/gatewayapi/envoypatchpolicy.go
index 2b3025d809a..1ec835e51a4 100644
--- a/internal/gatewayapi/envoypatchpolicy.go
+++ b/internal/gatewayapi/envoypatchpolicy.go
@@ -45,17 +45,6 @@ func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.Envo
gwXdsIR, ok := xdsIR[irKey]
if !ok {
- // This status condition will not get updated in the resource because
- // the IR is missing, but it has been kept here in case we publish
- // the status from this layer instead of the xds layer.
- message := fmt.Sprintf("%s:%s not found.", targetKind, policy.Spec.TargetRef.Name)
-
- status.SetEnvoyPatchPolicyCondition(policy,
- gwv1a2.PolicyConditionAccepted,
- metav1.ConditionFalse,
- gwv1a2.PolicyReasonTargetNotFound,
- message,
- )
continue
}
diff --git a/internal/gatewayapi/resource.go b/internal/gatewayapi/resource.go
index a7a16f664b4..6a8f37e33b1 100644
--- a/internal/gatewayapi/resource.go
+++ b/internal/gatewayapi/resource.go
@@ -6,6 +6,10 @@
package gatewayapi
import (
+ "cmp"
+ "reflect"
+
+ "golang.org/x/exp/slices"
v1 "k8s.io/api/core/v1"
discoveryv1 "k8s.io/api/discovery/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
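Review bot: The import block now pulls in both the standard-library `cmp` package, which exists only from Go 1.21, and `golang.org/x/exp/slices`; Go 1.21 also ships `slices` in the standard library, so if the module's go directive is already 1.21 (go.mod is not in this diff) the x/exp dependency is avoidable and `"slices"` can replace `"golang.org/x/exp/slices"`. The hunk does not show how `reflect` and `cmp` are used, so that is the only point on it.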
@@ -20,41 +24,6 @@ import (
type XdsIRMap map[string]*ir.Xds
type InfraIRMap map[string]*ir.Infra
-type GatewayClassResources map[string]*Resources
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-// This was generated by controller-gen and moved over from
-// zz_generated.deepcopy.go to this file.
-func (in GatewayClassResources) DeepCopyInto(out *GatewayClassResources) {
- {
- in := &in
- *out = make(GatewayClassResources, len(*in))
- for key, val := range *in {
- var outVal *Resources
- if val == nil {
- (*out)[key] = nil
- } else {
- inVal := (*in)[key]
- in, out := &inVal, &outVal
- *out = new(Resources)
- (*in).DeepCopyInto(*out)
- }
- (*out)[key] = outVal
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayClassResources.
-// This was generated by controller-gen and moved over from
-// zz_generated.deepcopy.go to this file.
-func (in GatewayClassResources) DeepCopy() *GatewayClassResources {
- if in == nil {
- return nil
- }
- out := new(GatewayClassResources)
- in.DeepCopyInto(out)
- return out
-}
// Resources holds the Gateway API and related
// resources that the translators needs as inputs.
@@ -82,6 +51,7 @@ type Resources struct {
ClientTrafficPolicies []*egv1a1.ClientTrafficPolicy `json:"clientTrafficPolicies,omitempty" yaml:"clientTrafficPolicies,omitempty"`
BackendTrafficPolicies []*egv1a1.BackendTrafficPolicy `json:"backendTrafficPolicies,omitempty" yaml:"backendTrafficPolicies,omitempty"`
SecurityPolicies []*egv1a1.SecurityPolicy `json:"securityPolicies,omitempty" yaml:"securityPolicies,omitempty"`
+ BackendTLSPolicies []*gwapiv1a2.BackendTLSPolicy `json:"backendTLSPolicies,omitempty" yaml:"backendTLSPolicies,omitempty"`
}
func NewResources() *Resources {
@@ -101,6 +71,7 @@ func NewResources() *Resources {
ClientTrafficPolicies: []*egv1a1.ClientTrafficPolicy{},
BackendTrafficPolicies: []*egv1a1.BackendTrafficPolicy{},
SecurityPolicies: []*egv1a1.SecurityPolicy{},
+ BackendTLSPolicies: []*gwapiv1a2.BackendTLSPolicy{},
}
}
@@ -171,3 +142,33 @@ func (r *Resources) GetEndpointSlicesForBackend(svcNamespace, svcName string, ba
}
return endpointSlices
}
+
+// ControllerResources holds all the GatewayAPI resources per GatewayClass
+type ControllerResources []*Resources
+
+// DeepCopy creates a new ControllerResources.
+// It is handwritten since the tooling was unable to copy into a new slice
+func (c *ControllerResources) DeepCopy() *ControllerResources {
+ if c == nil {
+ return nil
+ }
+ out := make(ControllerResources, len(*c))
+ copy(out, *c)
+ return &out
+}
+
+// Equal implements the Comparable interface used by watchable.DeepEqual to skip unnecessary updates.
+func (c *ControllerResources) Equal(y *ControllerResources) bool {
+ // Deep copy to avoid modifying the original ordering.
+ c = c.DeepCopy()
+ c.sort()
+ y = y.DeepCopy()
+ y.sort()
+ return reflect.DeepEqual(c, y)
+}
+
+func (c *ControllerResources) sort() {
+ slices.SortFunc(*c, func(c1, c2 *Resources) int {
+ return cmp.Compare(c1.GatewayClass.Name, c2.GatewayClass.Name)
+ })
+}
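Review bot: Equal panics when either receiver or argument is nil: DeepCopy returns nil for a nil receiver and sort then dereferences `*c`, so the guard in DeepCopy is undone one line later. Add at the top of Equal `if c == nil || y == nil {` / `    return c == y` / `}`. Separately, DeepCopy is a shallow copy — `copy(out, *c)` duplicates the slice of `*Resources` pointers, not the Resources themselves — which is enough for the re-sort in Equal but not what the name and the doc comment suggest; either call `(*Resources).DeepCopy` per element or reword the comment to `// DeepCopy returns a new slice sharing the same *Resources elements; it only isolates ordering.` sort also dereferences `c1.GatewayClass.Name` without a nil check, so an entry without a GatewayClass would panic inside Equal.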
diff --git a/internal/gatewayapi/resource_test.go b/internal/gatewayapi/resource_test.go
new file mode 100644
index 00000000000..8b9fddc0fcd
--- /dev/null
+++ b/internal/gatewayapi/resource_test.go
@@ -0,0 +1,125 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package gatewayapi
+
+import (
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ "github.com/stretchr/testify/require"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+func TestEqualXds(t *testing.T) {
+ tests := []struct {
+ desc string
+ a *ControllerResources
+ b *ControllerResources
+ equal bool
+ }{
+ {
+ desc: "different resources",
+ a: &ControllerResources{
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "foo",
+ },
+ },
+ },
+ },
+ b: &ControllerResources{
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "bar",
+ },
+ },
+ },
+ },
+ equal: false,
+ },
+ {
+ desc: "same order resources are equal",
+ a: &ControllerResources{
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "foo",
+ },
+ },
+ },
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "bar",
+ },
+ },
+ },
+ },
+ b: &ControllerResources{
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "foo",
+ },
+ },
+ },
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "bar",
+ },
+ },
+ },
+ },
+ equal: true,
+ },
+ {
+ desc: "out of order resources are equal",
+ a: &ControllerResources{
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "foo",
+ },
+ },
+ },
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "bar",
+ },
+ },
+ },
+ },
+ b: &ControllerResources{
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "bar",
+ },
+ },
+ },
+ {
+ GatewayClass: &gwapiv1.GatewayClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "foo",
+ },
+ },
+ },
+ },
+ equal: true,
+ },
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.desc, func(t *testing.T) {
+ require.Equal(t, tc.equal, cmp.Equal(tc.a, tc.b))
+ })
+ }
+}
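Review bot: The new test never exercises the cases most likely to misbehave in ControllerResources.Equal: a nil side, two slices of different length, and two entries with the same GatewayClass name but different contents, so the nil-dereference path in Equal/sort stays untested. Adding a `{desc: "nil vs empty", a: nil, b: &ControllerResources{}, equal: false}` case and a length-mismatch case would cover them. The name TestEqualXds does not describe what is tested; `TestControllerResourcesEqual` would.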
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go
index b09e08ba7be..e29c8f0502c 100644
--- a/internal/gatewayapi/route.go
+++ b/internal/gatewayapi/route.go
@@ -7,6 +7,7 @@ package gatewayapi
import (
"fmt"
+ "strconv"
"strings"
"time"
@@ -15,7 +16,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/ptr"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
- gwapiv1a1 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
mcsapi "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1"
"github.com/envoyproxy/gateway/internal/ir"
@@ -38,10 +39,10 @@ var (
type RoutesTranslator interface {
ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*HTTPRouteContext
- ProcessGRPCRoutes(grpcRoutes []*gwapiv1a1.GRPCRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*GRPCRouteContext
- ProcessTLSRoutes(tlsRoutes []*gwapiv1a1.TLSRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*TLSRouteContext
- ProcessTCPRoutes(tcpRoutes []*gwapiv1a1.TCPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*TCPRouteContext
- ProcessUDPRoutes(udpRoutes []*gwapiv1a1.UDPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*UDPRouteContext
+ ProcessGRPCRoutes(grpcRoutes []*gwapiv1a2.GRPCRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*GRPCRouteContext
+ ProcessTLSRoutes(tlsRoutes []*gwapiv1a2.TLSRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*TLSRouteContext
+ ProcessTCPRoutes(tcpRoutes []*gwapiv1a2.TCPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*TCPRouteContext
+ ProcessUDPRoutes(udpRoutes []*gwapiv1a2.UDPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*UDPRouteContext
}
func (t *Translator) ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*HTTPRouteContext {
@@ -72,7 +73,7 @@ func (t *Translator) ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways
return relevantHTTPRoutes
}
-func (t *Translator) ProcessGRPCRoutes(grpcRoutes []*gwapiv1a1.GRPCRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*GRPCRouteContext {
+func (t *Translator) ProcessGRPCRoutes(grpcRoutes []*gwapiv1a2.GRPCRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*GRPCRouteContext {
var relevantGRPCRoutes []*GRPCRouteContext
for _, g := range grpcRoutes {
@@ -203,13 +204,13 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe
parentRef.SetCondition(httpRoute,
gwapiv1.RouteConditionResolvedRefs,
metav1.ConditionFalse,
- gwapiv1a1.RouteReasonResolvedRefs,
+ gwapiv1a2.RouteReasonResolvedRefs,
"Mixed endpointslice address type between backendRefs is not supported")
}
// If the route has no valid backends then just use a direct response and don't fuss with weighted responses
for _, ruleRoute := range ruleRoutes {
- if ruleRoute.BackendWeights.Invalid > 0 && ruleRoute.Destination == nil {
+ if ruleRoute.Destination == nil && ruleRoute.Redirect == nil {
ruleRoute.DirectResponse = &ir.DirectResponse{
StatusCode: 500,
}
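Review bot: The comment above this loop still says "If the route has no valid backends", but the new condition no longer consults BackendWeights.Invalid — it fires for any rule with neither a destination nor a redirect, including a rule that simply has no backendRefs. Reword it to match, e.g. `// A rule with neither a destination nor a redirect cannot forward anywhere; answer 500 directly instead of building weighted clusters.` The same condition and stale comment appear in the processGRPCRouteRules hunk just below. processHTTPRouteRules starts before and continues after this hunk.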
@@ -493,7 +494,7 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe
// If the route has no valid backends then just use a direct response and don't fuss with weighted responses
for _, ruleRoute := range ruleRoutes {
- if ruleRoute.BackendWeights.Invalid > 0 && ruleRoute.Destination == nil {
+ if ruleRoute.Destination == nil && ruleRoute.Redirect == nil {
ruleRoute.DirectResponse = &ir.DirectResponse{
StatusCode: 500,
}
@@ -511,7 +512,7 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe
return routeRoutes, nil
}
-func (t *Translator) processGRPCRouteRule(grpcRoute *GRPCRouteContext, ruleIdx int, httpFiltersContext *HTTPFiltersContext, rule gwapiv1a1.GRPCRouteRule) ([]*ir.HTTPRoute, error) {
+func (t *Translator) processGRPCRouteRule(grpcRoute *GRPCRouteContext, ruleIdx int, httpFiltersContext *HTTPFiltersContext, rule gwapiv1a2.GRPCRouteRule) ([]*ir.HTTPRoute, error) {
var ruleRoutes []*ir.HTTPRoute
// If no matches are specified, the implementation MUST match every gRPC request.
@@ -551,10 +552,10 @@ func (t *Translator) processGRPCRouteRule(grpcRoute *GRPCRouteContext, ruleIdx i
if match.Method != nil {
// GRPC's path is in the form of "//"
- switch GRPCMethodMatchTypeDerefOr(match.Method.Type, gwapiv1a1.GRPCMethodMatchExact) {
- case gwapiv1a1.GRPCMethodMatchExact:
+ switch GRPCMethodMatchTypeDerefOr(match.Method.Type, gwapiv1a2.GRPCMethodMatchExact) {
+ case gwapiv1a2.GRPCMethodMatchExact:
t.processGRPCRouteMethodExact(match.Method, irRoute)
- case gwapiv1a1.GRPCMethodMatchRegularExpression:
+ case gwapiv1a2.GRPCMethodMatchRegularExpression:
if match.Method.Service != nil {
if err := regex.Validate(*match.Method.Service); err != nil {
return nil, err
@@ -575,7 +576,7 @@ func (t *Translator) processGRPCRouteRule(grpcRoute *GRPCRouteContext, ruleIdx i
return ruleRoutes, nil
}
-func (t *Translator) processGRPCRouteMethodExact(method *gwapiv1a1.GRPCMethodMatch, irRoute *ir.HTTPRoute) {
+func (t *Translator) processGRPCRouteMethodExact(method *gwapiv1a2.GRPCMethodMatch, irRoute *ir.HTTPRoute) {
switch {
case method.Service != nil && method.Method != nil:
irRoute.PathMatch = &ir.StringMatch{
@@ -594,7 +595,7 @@ func (t *Translator) processGRPCRouteMethodExact(method *gwapiv1a1.GRPCMethodMat
}
}
-func (t *Translator) processGRPCRouteMethodRegularExpression(method *gwapiv1a1.GRPCMethodMatch, irRoute *ir.HTTPRoute) {
+func (t *Translator) processGRPCRouteMethodRegularExpression(method *gwapiv1a2.GRPCMethodMatch, irRoute *ir.HTTPRoute) {
switch {
case method.Service != nil && method.Method != nil:
irRoute.PathMatch = &ir.StringMatch{
@@ -684,7 +685,7 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route
return hasHostnameIntersection
}
-func (t *Translator) ProcessTLSRoutes(tlsRoutes []*gwapiv1a1.TLSRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*TLSRouteContext {
+func (t *Translator) ProcessTLSRoutes(tlsRoutes []*gwapiv1a2.TLSRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*TLSRouteContext {
var relevantTLSRoutes []*TLSRouteContext
for _, tls := range tlsRoutes {
@@ -805,7 +806,7 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour
}
}
-func (t *Translator) ProcessUDPRoutes(udpRoutes []*gwapiv1a1.UDPRoute, gateways []*GatewayContext, resources *Resources,
+func (t *Translator) ProcessUDPRoutes(udpRoutes []*gwapiv1a2.UDPRoute, gateways []*GatewayContext, resources *Resources,
xdsIR XdsIRMap) []*UDPRouteContext {
var relevantUDPRoutes []*UDPRouteContext
@@ -936,7 +937,7 @@ func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resour
}
}
-func (t *Translator) ProcessTCPRoutes(tcpRoutes []*gwapiv1a1.TCPRoute, gateways []*GatewayContext, resources *Resources,
+func (t *Translator) ProcessTCPRoutes(tcpRoutes []*gwapiv1a2.TCPRoute, gateways []*GatewayContext, resources *Resources,
xdsIR XdsIRMap) []*TCPRouteContext {
var relevantTCPRoutes []*TCPRouteContext
@@ -1096,6 +1097,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext,
addrType *ir.DestinationAddressType
)
protocol := inspectAppProtocolByRouteKind(routeType)
+ var backendTLS *ir.TLSUpstreamConfig
switch KindDerefOr(backendRef.Kind, KindService) {
case KindServiceImport:
serviceImport := resources.GetServiceImport(backendNamespace, string(backendRef.Name))
@@ -1146,6 +1148,19 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext,
uint32(*backendRef.Port))
endpoints = append(endpoints, ep)
}
+
+ backendTLS = t.processBackendTLSPolicy(
+ backendRef.BackendObjectReference,
+ backendNamespace,
+ gwapiv1a2.ParentReference{
+ Group: parentRef.Group,
+ Kind: parentRef.Kind,
+ Namespace: parentRef.Namespace,
+ Name: parentRef.Name,
+ SectionName: parentRef.SectionName,
+ Port: parentRef.Port,
+ },
+ resources)
}
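Review bot: backendTLS is only assigned inside the branch that closes at the end of this hunk, which from the surrounding switch looks like the KindService case, so a ServiceImport backend (the case visible earlier in processDestination) never picks up a BackendTLSPolicy and its destination is built with `TLS: nil` — a plaintext upstream even when the user attached a policy. If that is intentional for now, say so next to `var backendTLS` with `// BackendTLSPolicy is only resolved for Service backends; ServiceImport is not yet supported`; otherwise the same lookup belongs in the other branch or a status condition should tell the user the policy was ignored. The enclosing function processDestination starts before and continues after this hunk.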
// TODO: support mixed endpointslice address type for the same backendRef
@@ -1153,7 +1168,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext,
parentRef.SetCondition(route,
gwapiv1.RouteConditionResolvedRefs,
metav1.ConditionFalse,
- gwapiv1a1.RouteReasonResolvedRefs,
+ gwapiv1a2.RouteReasonResolvedRefs,
"Mixed endpointslice address type for the same backendRef is not supported")
}
@@ -1162,6 +1177,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext,
Protocol: protocol,
Endpoints: endpoints,
AddressType: addrType,
+ TLS: backendTLS,
}
return ds, weight
}
@@ -1315,3 +1331,31 @@ func getIREndpointsFromEndpointSlice(endpointSlice *discoveryv1.EndpointSlice, p
return endpoints
}
+
+func GetTargetBackendReference(backendRef gwapiv1a2.BackendObjectReference, namespace string) gwapiv1a2.PolicyTargetReferenceWithSectionName {
+ ref := gwapiv1a2.PolicyTargetReferenceWithSectionName{
+ PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+ Group: func() gwapiv1a2.Group {
+ if backendRef.Group == nil {
+ return ""
+ }
+ return *backendRef.Group
+ }(),
+ Kind: func() gwapiv1.Kind {
+ if backendRef.Kind == nil {
+ return "Service"
+ }
+ return *backendRef.Kind
+ }(),
+ Name: backendRef.Name,
+ Namespace: NamespacePtr(NamespaceDerefOr(backendRef.Namespace, namespace)),
+ },
+ SectionName: func() *gwapiv1.SectionName {
+ if backendRef.Port != nil {
+ return SectionNamePtr(strconv.Itoa(int(*backendRef.Port)))
+ }
+ return nil
+ }(),
+ }
+ return ref
+}
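Review bot: The Kind default is re-implemented as an inline func returning the literal `"Service"`, while the rest of this file resolves the same default with `KindDerefOr(backendRef.Kind, KindService)` (see the switch in processDestination above); use that here: `Kind: KindDerefOr(backendRef.Kind, KindService),`. The Group and SectionName inline funcs would read better as plain `if` statements before the literal. Also worth a comment on the SectionName line: the Gateway API documents a Service target's sectionName as the port name, whereas this builds it from the numeric port, so the match against BackendTLSPolicy targets depends on the caller using the same convention — `// SectionName carries the numeric port; the BackendTLSPolicy lookup must compare against the same string` (I cannot confirm the lookup side from this hunk).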
diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go
index ebc5d612d25..13f2c6b9d08 100644
--- a/internal/gatewayapi/runner/runner.go
+++ b/internal/gatewayapi/runner/runner.go
@@ -9,6 +9,8 @@ import (
"context"
"k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
v1 "sigs.k8s.io/gateway-api/apis/v1"
"github.com/envoyproxy/gateway/api/v1alpha1"
@@ -49,29 +51,38 @@ func (r *Runner) Start(ctx context.Context) (err error) {
func (r *Runner) subscribeAndTranslate(ctx context.Context) {
message.HandleSubscription(message.Metadata{Runner: string(v1alpha1.LogComponentGatewayAPIRunner), Message: "provider-resources"}, r.ProviderResources.GatewayAPIResources.Subscribe(ctx),
- func(update message.Update[string, *gatewayapi.GatewayClassResources], errChan chan error) {
+ func(update message.Update[string, *gatewayapi.ControllerResources], errChan chan error) {
r.Logger.Info("received an update")
val := update.Value
// There is only 1 key which is the controller name
// so when a delete is triggered, delete all IR keys
if update.Delete || val == nil {
r.deleteAllIRKeys()
+ r.deleteAllStatusKeys()
return
}
- var curKeys, newKeys []string
+ // IR keys for watchable
+ var curIRKeys, newIRKeys []string
+
// Get current IR keys
for key := range r.InfraIR.LoadAll() {
- curKeys = append(curKeys, key)
+ curIRKeys = append(curIRKeys, key)
}
- for gc, resources := range *val {
+ // Get all status keys from watchable and save them in this StatusesToDelete structure.
+ // Iterating through the controller resources, any valid keys will be removed from statusesToDelete.
+ // Remaining keys will be deleted from watchable before we exit this function.
+ statusesToDelete := r.getAllStatuses()
+
+ for _, resources := range *val {
// Translate and publish IRs.
t := &gatewayapi.Translator{
GatewayControllerName: r.Server.EnvoyGateway.Gateway.ControllerName,
- GatewayClassName: v1.ObjectName(gc),
+ GatewayClassName: v1.ObjectName(resources.GatewayClass.Name),
GlobalRateLimitEnabled: r.EnvoyGateway.RateLimit != nil,
EnvoyPatchPolicyEnabled: r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy,
+ Namespace: r.Namespace,
}
// If an extension is loaded, pass its supported groups/kinds to the translator
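Review bot: `v1.ObjectName(resources.GatewayClass.Name)` dereferences GatewayClass without a nil check; the replaced code keyed on the map key `gc`, which could not be nil, so this is a new panic path inside the subscription callback. Whether every ControllerResources entry is guaranteed a GatewayClass by the provider cannot be confirmed from here, so a guard before the Translator literal is cheap insurance: `if resources.GatewayClass == nil {` / `    continue` / `}`. subscribeAndTranslate continues past this hunk.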
@@ -94,7 +105,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
errChan <- err
} else {
r.InfraIR.Store(key, val)
- newKeys = append(newKeys, key)
+ newIRKeys = append(newIRKeys, key)
}
}
@@ -113,56 +124,75 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
gateway := gateway
key := utils.NamespacedName(gateway)
r.ProviderResources.GatewayStatuses.Store(key, &gateway.Status)
+ delete(statusesToDelete.GatewayStatusKeys, key)
}
for _, httpRoute := range result.HTTPRoutes {
httpRoute := httpRoute
key := utils.NamespacedName(httpRoute)
r.ProviderResources.HTTPRouteStatuses.Store(key, &httpRoute.Status)
+ delete(statusesToDelete.HTTPRouteStatusKeys, key)
}
for _, grpcRoute := range result.GRPCRoutes {
grpcRoute := grpcRoute
key := utils.NamespacedName(grpcRoute)
r.ProviderResources.GRPCRouteStatuses.Store(key, &grpcRoute.Status)
+ delete(statusesToDelete.GRPCRouteStatusKeys, key)
}
-
for _, tlsRoute := range result.TLSRoutes {
tlsRoute := tlsRoute
key := utils.NamespacedName(tlsRoute)
r.ProviderResources.TLSRouteStatuses.Store(key, &tlsRoute.Status)
+ delete(statusesToDelete.TLSRouteStatusKeys, key)
}
for _, tcpRoute := range result.TCPRoutes {
tcpRoute := tcpRoute
key := utils.NamespacedName(tcpRoute)
r.ProviderResources.TCPRouteStatuses.Store(key, &tcpRoute.Status)
+ delete(statusesToDelete.TCPRouteStatusKeys, key)
}
for _, udpRoute := range result.UDPRoutes {
udpRoute := udpRoute
key := utils.NamespacedName(udpRoute)
r.ProviderResources.UDPRouteStatuses.Store(key, &udpRoute.Status)
+ delete(statusesToDelete.UDPRouteStatusKeys, key)
+ }
+ for _, backendTLSPolicy := range result.BackendTLSPolicies {
+ backendTLSPolicy := backendTLSPolicy
+ key := utils.NamespacedName(backendTLSPolicy)
+ r.ProviderResources.BackendTLSPolicyStatuses.Store(key, &backendTLSPolicy.Status)
+ delete(statusesToDelete.BackendTLSPolicyStatusKeys, key)
}
+
for _, clientTrafficPolicy := range result.ClientTrafficPolicies {
clientTrafficPolicy := clientTrafficPolicy
key := utils.NamespacedName(clientTrafficPolicy)
r.ProviderResources.ClientTrafficPolicyStatuses.Store(key, &clientTrafficPolicy.Status)
+ delete(statusesToDelete.ClientTrafficPolicyStatusKeys, key)
}
for _, backendTrafficPolicy := range result.BackendTrafficPolicies {
backendTrafficPolicy := backendTrafficPolicy
key := utils.NamespacedName(backendTrafficPolicy)
r.ProviderResources.BackendTrafficPolicyStatuses.Store(key, &backendTrafficPolicy.Status)
+ delete(statusesToDelete.BackendTrafficPolicyStatusKeys, key)
}
for _, securityPolicy := range result.SecurityPolicies {
securityPolicy := securityPolicy
key := utils.NamespacedName(securityPolicy)
r.ProviderResources.SecurityPolicyStatuses.Store(key, &securityPolicy.Status)
+ delete(statusesToDelete.SecurityPolicyStatusKeys, key)
}
}
- // Delete keys
+
+ // Delete IR keys
// There is a 1:1 mapping between infra and xds IR keys
- delKeys := getIRKeysToDelete(curKeys, newKeys)
+ delKeys := getIRKeysToDelete(curIRKeys, newIRKeys)
for _, key := range delKeys {
r.InfraIR.Delete(key)
r.XdsIR.Delete(key)
}
+
+ // Delete status keys
+ r.deleteStatusKeys(statusesToDelete)
},
)
r.Logger.Info("shutting down")
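Review bot: statusesToDelete is populated before translation and only pruned by the per-result loops in this hunk, so if Translate fails for one GatewayClass (the `errChan <- err` branch just above this hunk) and the result loops for that class do not run, every previously published status for that class's Gateways, routes and policies is deleted at the end of the callback — a transient translation error would blank out status that was valid a moment ago. I cannot see from the hunk whether the loops still run on that error path; if they do not, the keys for a failed class should be kept, or the deletion skipped when any class failed. A comment on the `r.deleteStatusKeys(statusesToDelete)` line stating which error paths it is safe for would help either way. The ten near-identical store-and-delete loops would also collapse into one generic helper over the status map and its key set.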
@@ -176,27 +206,161 @@ func (r *Runner) deleteAllIRKeys() {
}
}
-// getIRKeysToDelete returns the list of IR keys to delete
-// based on the difference between the current keys and the
-// new keys parameters passed to the function.
-func getIRKeysToDelete(curKeys, newKeys []string) []string {
- var delKeys []string
- remaining := make(map[string]bool)
+type StatusesToDelete struct {
+ GatewayStatusKeys map[types.NamespacedName]bool
+ HTTPRouteStatusKeys map[types.NamespacedName]bool
+ GRPCRouteStatusKeys map[types.NamespacedName]bool
+ TLSRouteStatusKeys map[types.NamespacedName]bool
+ TCPRouteStatusKeys map[types.NamespacedName]bool
+ UDPRouteStatusKeys map[types.NamespacedName]bool
+ BackendTLSPolicyStatusKeys map[types.NamespacedName]bool
+
+ ClientTrafficPolicyStatusKeys map[types.NamespacedName]bool
+ BackendTrafficPolicyStatusKeys map[types.NamespacedName]bool
+ SecurityPolicyStatusKeys map[types.NamespacedName]bool
+}
+
+func (r *Runner) getAllStatuses() *StatusesToDelete {
+ // Maps storing status keys to be deleted
+ ds := &StatusesToDelete{
+ GatewayStatusKeys: make(map[types.NamespacedName]bool),
+ HTTPRouteStatusKeys: make(map[types.NamespacedName]bool),
+ GRPCRouteStatusKeys: make(map[types.NamespacedName]bool),
+ TLSRouteStatusKeys: make(map[types.NamespacedName]bool),
+ TCPRouteStatusKeys: make(map[types.NamespacedName]bool),
+ UDPRouteStatusKeys: make(map[types.NamespacedName]bool),
+
+ ClientTrafficPolicyStatusKeys: make(map[types.NamespacedName]bool),
+ BackendTrafficPolicyStatusKeys: make(map[types.NamespacedName]bool),
+ SecurityPolicyStatusKeys: make(map[types.NamespacedName]bool),
+ BackendTLSPolicyStatusKeys: make(map[types.NamespacedName]bool),
+ }
+
+ // Get current status keys
+ for key := range r.ProviderResources.GatewayStatuses.LoadAll() {
+ ds.GatewayStatusKeys[key] = true
+ }
+ for key := range r.ProviderResources.HTTPRouteStatuses.LoadAll() {
+ ds.HTTPRouteStatusKeys[key] = true
+ }
+ for key := range r.ProviderResources.GRPCRouteStatuses.LoadAll() {
+ ds.GRPCRouteStatusKeys[key] = true
+ }
+ for key := range r.ProviderResources.TLSRouteStatuses.LoadAll() {
+ ds.TLSRouteStatusKeys[key] = true
+ }
+ for key := range r.ProviderResources.TCPRouteStatuses.LoadAll() {
+ ds.TCPRouteStatusKeys[key] = true
+ }
+ for key := range r.ProviderResources.UDPRouteStatuses.LoadAll() {
+ ds.UDPRouteStatusKeys[key] = true
+ }
+ for key := range r.ProviderResources.BackendTLSPolicyStatuses.LoadAll() {
+ ds.BackendTLSPolicyStatusKeys[key] = true
+ }
+
+ for key := range r.ProviderResources.ClientTrafficPolicyStatuses.LoadAll() {
+ ds.ClientTrafficPolicyStatusKeys[key] = true
+ }
+ for key := range r.ProviderResources.BackendTrafficPolicyStatuses.LoadAll() {
+ ds.BackendTrafficPolicyStatusKeys[key] = true
+ }
+ for key := range r.ProviderResources.SecurityPolicyStatuses.LoadAll() {
+ ds.SecurityPolicyStatusKeys[key] = true
+ }
- // Add all current keys to the remaining map
- for _, key := range curKeys {
- remaining[key] = true
+ return ds
+}
+
+func (r *Runner) deleteStatusKeys(ds *StatusesToDelete) {
+ for key := range ds.GatewayStatusKeys {
+ r.ProviderResources.GatewayStatuses.Delete(key)
+ delete(ds.GatewayStatusKeys, key)
+ }
+ for key := range ds.HTTPRouteStatusKeys {
+ r.ProviderResources.HTTPRouteStatuses.Delete(key)
+ delete(ds.HTTPRouteStatusKeys, key)
+ }
+ for key := range ds.GRPCRouteStatusKeys {
+ r.ProviderResources.GRPCRouteStatuses.Delete(key)
+ delete(ds.GRPCRouteStatusKeys, key)
+ }
+ for key := range ds.TLSRouteStatusKeys {
+ r.ProviderResources.TLSRouteStatuses.Delete(key)
+ delete(ds.TLSRouteStatusKeys, key)
+ }
+ for key := range ds.TCPRouteStatusKeys {
+ r.ProviderResources.TCPRouteStatuses.Delete(key)
+ delete(ds.TCPRouteStatusKeys, key)
+ }
+ for key := range ds.UDPRouteStatusKeys {
+ r.ProviderResources.UDPRouteStatuses.Delete(key)
+ delete(ds.UDPRouteStatusKeys, key)
}
- // Delete newKeys from the remaining map
- // to get keys that need to be deleted
- for _, key := range newKeys {
- delete(remaining, key)
+ for key := range ds.ClientTrafficPolicyStatusKeys {
+ r.ProviderResources.ClientTrafficPolicyStatuses.Delete(key)
+ delete(ds.ClientTrafficPolicyStatusKeys, key)
+ }
+ for key := range ds.BackendTrafficPolicyStatusKeys {
+ r.ProviderResources.BackendTrafficPolicyStatuses.Delete(key)
+ delete(ds.BackendTrafficPolicyStatusKeys, key)
+ }
+ for key := range ds.SecurityPolicyStatusKeys {
+ r.ProviderResources.SecurityPolicyStatuses.Delete(key)
+ delete(ds.SecurityPolicyStatusKeys, key)
+ }
+ for key := range ds.BackendTLSPolicyStatusKeys {
+ r.ProviderResources.BackendTLSPolicyStatuses.Delete(key)
+ delete(ds.BackendTLSPolicyStatusKeys, key)
+ }
+}
+
+// deleteAllStatusKeys deletes all status keys stored by the subscriber.
+func (r *Runner) deleteAllStatusKeys() {
+ // Fields of GatewayAPIStatuses
+ for key := range r.ProviderResources.GatewayStatuses.LoadAll() {
+ r.ProviderResources.GatewayStatuses.Delete(key)
+ }
+ for key := range r.ProviderResources.HTTPRouteStatuses.LoadAll() {
+ r.ProviderResources.HTTPRouteStatuses.Delete(key)
+ }
+ for key := range r.ProviderResources.GRPCRouteStatuses.LoadAll() {
+ r.ProviderResources.GRPCRouteStatuses.Delete(key)
+ }
+ for key := range r.ProviderResources.TLSRouteStatuses.LoadAll() {
+ r.ProviderResources.TLSRouteStatuses.Delete(key)
+ }
+ for key := range r.ProviderResources.TCPRouteStatuses.LoadAll() {
+ r.ProviderResources.TCPRouteStatuses.Delete(key)
+ }
+ for key := range r.ProviderResources.UDPRouteStatuses.LoadAll() {
+ r.ProviderResources.UDPRouteStatuses.Delete(key)
+ }
+ for key := range r.ProviderResources.BackendTLSPolicyStatuses.LoadAll() {
+ r.ProviderResources.BackendTLSPolicyStatuses.Delete(key)
}
- for key := range remaining {
- delKeys = append(delKeys, key)
+ // Fields of PolicyStatuses
+ for key := range r.ProviderResources.ClientTrafficPolicyStatuses.LoadAll() {
+ r.ProviderResources.ClientTrafficPolicyStatuses.Delete(key)
+ }
+ for key := range r.ProviderResources.BackendTrafficPolicyStatuses.LoadAll() {
+ r.ProviderResources.BackendTrafficPolicyStatuses.Delete(key)
+ }
+ for key := range r.ProviderResources.SecurityPolicyStatuses.LoadAll() {
+ r.ProviderResources.SecurityPolicyStatuses.Delete(key)
}
+}
+
+// getIRKeysToDelete returns the list of IR keys to delete
+// based on the difference between the current keys and the
+// new keys parameters passed to the function.
+func getIRKeysToDelete(curKeys, newKeys []string) []string {
+ curSet := sets.NewString(curKeys...)
+ newSet := sets.NewString(newKeys...)
+
+ delSet := curSet.Difference(newSet)
- return delKeys
+ return delSet.List()
}
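Review bot: The file now imports `k8s.io/apimachinery/pkg/util/sets`, and securitypolicy.go in this same commit uses the generic `sets.Set[string]`, yet getIRKeysToDelete reaches for the older `sets.NewString`/`.List()` API and StatusesToDelete hand-rolls `map[types.NamespacedName]bool` for every field; use the same generic form throughout: `curSet := sets.New(curKeys...)`, `newSet := sets.New(newKeys...)`, `return sets.List(curSet.Difference(newSet))`, and `sets.Set[types.NamespacedName]` for the struct fields. In deleteStatusKeys the `delete(ds.X, key)` inside each loop does nothing useful since ds is discarded afterwards. StatusesToDelete is exported and getAllStatuses/deleteStatusKeys have no doc comments; e.g. `// StatusesToDelete tracks the status keys currently published; keys still present after a translation pass are deleted.`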
diff --git a/internal/gatewayapi/runner/runner_test.go b/internal/gatewayapi/runner/runner_test.go
index b159933b508..772f0372a3c 100644
--- a/internal/gatewayapi/runner/runner_test.go
+++ b/internal/gatewayapi/runner/runner_test.go
@@ -13,6 +13,9 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
+ "k8s.io/apimachinery/pkg/types"
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+ gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
"github.com/envoyproxy/gateway/internal/envoygateway/config"
@@ -104,3 +107,175 @@ func TestGetIRKeysToDelete(t *testing.T) {
})
}
}
+
+func TestDeleteStatusKeys(t *testing.T) {
+ // Setup
+ pResources := new(message.ProviderResources)
+ xdsIR := new(message.XdsIR)
+ infraIR := new(message.InfraIR)
+ cfg, err := config.New()
+ require.NoError(t, err)
+ r := New(&Config{
+ Server: *cfg,
+ ProviderResources: pResources,
+ XdsIR: xdsIR,
+ InfraIR: infraIR,
+ ExtensionManager: testutils.NewManager(egv1a1.ExtensionManager{}),
+ })
+ ctx := context.Background()
+
+ // Start
+ err = r.Start(ctx)
+ require.NoError(t, err)
+
+ // A new status gets stored
+ keys := []types.NamespacedName{
+ {
+ Name: "test1",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test2",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test3",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test4",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test5",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test6",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test7",
+ Namespace: "test-namespace",
+ },
+ }
+
+ r.ProviderResources.GatewayStatuses.Store(keys[0], &gwapiv1.GatewayStatus{})
+ r.ProviderResources.HTTPRouteStatuses.Store(keys[1], &gwapiv1.HTTPRouteStatus{})
+ r.ProviderResources.GRPCRouteStatuses.Store(keys[2], &gwapiv1a2.GRPCRouteStatus{})
+ r.ProviderResources.TLSRouteStatuses.Store(keys[3], &gwapiv1a2.TLSRouteStatus{})
+ r.ProviderResources.TCPRouteStatuses.Store(keys[4], &gwapiv1a2.TCPRouteStatus{})
+ r.ProviderResources.UDPRouteStatuses.Store(keys[5], &gwapiv1a2.UDPRouteStatus{})
+ r.ProviderResources.UDPRouteStatuses.Store(keys[6], &gwapiv1a2.UDPRouteStatus{})
+
+ // Checks that the keys are successfully stored to DeletableStatus and watchable maps
+ ds := r.getAllStatuses()
+
+ require.True(t, ds.GatewayStatusKeys[keys[0]])
+ require.True(t, ds.HTTPRouteStatusKeys[keys[1]])
+ require.True(t, ds.GRPCRouteStatusKeys[keys[2]])
+ require.True(t, ds.TLSRouteStatusKeys[keys[3]])
+ require.True(t, ds.TCPRouteStatusKeys[keys[4]])
+ require.True(t, ds.UDPRouteStatusKeys[keys[5]])
+ require.True(t, ds.UDPRouteStatusKeys[keys[6]])
+
+ require.Equal(t, 1, r.ProviderResources.GatewayStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.HTTPRouteStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.GRPCRouteStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.TLSRouteStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.TCPRouteStatuses.Len())
+ require.Equal(t, 2, r.ProviderResources.UDPRouteStatuses.Len())
+
+ // Delete all keys except the last UDPRouteStatus key
+ delete(ds.UDPRouteStatusKeys, keys[6])
+ r.deleteStatusKeys(ds)
+
+ require.Equal(t, 0, r.ProviderResources.GatewayStatuses.Len())
+ require.Equal(t, 0, r.ProviderResources.HTTPRouteStatuses.Len())
+ require.Equal(t, 0, r.ProviderResources.GRPCRouteStatuses.Len())
+ require.Equal(t, 0, r.ProviderResources.TLSRouteStatuses.Len())
+ require.Equal(t, 0, r.ProviderResources.TCPRouteStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.UDPRouteStatuses.Len())
+}
+
+func TestDeleteAllStatusKeys(t *testing.T) {
+ // Setup
+ pResources := new(message.ProviderResources)
+ xdsIR := new(message.XdsIR)
+ infraIR := new(message.InfraIR)
+ cfg, err := config.New()
+ require.NoError(t, err)
+ r := New(&Config{
+ Server: *cfg,
+ ProviderResources: pResources,
+ XdsIR: xdsIR,
+ InfraIR: infraIR,
+ ExtensionManager: testutils.NewManager(egv1a1.ExtensionManager{}),
+ })
+ ctx := context.Background()
+
+ // Start
+ err = r.Start(ctx)
+ require.NoError(t, err)
+
+ // A new status gets stored
+ keys := []types.NamespacedName{
+ {
+ Name: "test1",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test2",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test3",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test4",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test5",
+ Namespace: "test-namespace",
+ },
+ {
+ Name: "test6",
+ Namespace: "test-namespace",
+ },
+ }
+
+ r.ProviderResources.GatewayStatuses.Store(keys[0], &gwapiv1.GatewayStatus{})
+ r.ProviderResources.HTTPRouteStatuses.Store(keys[1], &gwapiv1.HTTPRouteStatus{})
+ r.ProviderResources.GRPCRouteStatuses.Store(keys[2], &gwapiv1a2.GRPCRouteStatus{})
+ r.ProviderResources.TLSRouteStatuses.Store(keys[3], &gwapiv1a2.TLSRouteStatus{})
+ r.ProviderResources.TCPRouteStatuses.Store(keys[4], &gwapiv1a2.TCPRouteStatus{})
+ r.ProviderResources.UDPRouteStatuses.Store(keys[5], &gwapiv1a2.UDPRouteStatus{})
+
+ // Checks that the keys are successfully stored to DeletableStatus and watchable maps
+ ds := r.getAllStatuses()
+
+ require.True(t, ds.GatewayStatusKeys[keys[0]])
+ require.True(t, ds.HTTPRouteStatusKeys[keys[1]])
+ require.True(t, ds.GRPCRouteStatusKeys[keys[2]])
+ require.True(t, ds.TLSRouteStatusKeys[keys[3]])
+ require.True(t, ds.TCPRouteStatusKeys[keys[4]])
+ require.True(t, ds.UDPRouteStatusKeys[keys[5]])
+
+ require.Equal(t, 1, r.ProviderResources.GatewayStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.HTTPRouteStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.GRPCRouteStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.TLSRouteStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.TCPRouteStatuses.Len())
+ require.Equal(t, 1, r.ProviderResources.UDPRouteStatuses.Len())
+
+ // Delete all keys
+ r.deleteAllStatusKeys()
+ require.Equal(t, 0, r.ProviderResources.GatewayStatuses.Len())
+ require.Equal(t, 0, r.ProviderResources.HTTPRouteStatuses.Len())
+ require.Equal(t, 0, r.ProviderResources.GRPCRouteStatuses.Len())
+ require.Equal(t, 0, r.ProviderResources.TLSRouteStatuses.Len())
+ require.Equal(t, 0, r.ProviderResources.TCPRouteStatuses.Len())
+ require.Equal(t, 0, r.ProviderResources.UDPRouteStatuses.Len())
+}
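Review bot: Both tests only store and check the seven route/gateway maps; the four policy status maps (ClientTrafficPolicy, BackendTrafficPolicy, SecurityPolicy, BackendTLSPolicy) that deleteStatusKeys and deleteAllStatusKeys also clear are never populated, so a regression in those branches would pass. The comment `Checks that the keys are successfully stored to DeletableStatus and watchable maps` names a type that does not exist; the struct is StatusesToDelete. The setup block is duplicated verbatim between the two tests and would fit a small `newTestRunner(t)` helper.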
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 636b7316e11..8e453d3e8c3 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -19,6 +19,7 @@ import (
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/utils/ptr"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
@@ -34,6 +35,10 @@ const (
defaultRedirectURL = "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
defaultRedirectPath = "/oauth2/callback"
defaultLogoutPath = "/logout"
+
+ // nolint: gosec
+ oidcHMACSecretName = "envoy-oidc-hmac"
+ oidcHMACSecretKey = "hmac-secret"
)
func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.SecurityPolicy,
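Review bot: The `// nolint: gosec` above oidcHMACSecretName and oidcHMACSecretKey suppresses the hardcoded-credentials check without saying why, so a later reader cannot tell whether key material is being committed. Put the reason on the directive, e.g. `// nolint: gosec // G101 false positive: these are the Secret's name and data key, not the HMAC value`. The actual value is read from the Secret at runtime in buildOIDC, which is what makes the suppression legitimate.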
@@ -65,6 +70,9 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
gatewayMap[key] = &policyGatewayTargetContext{GatewayContext: gw}
}
+ // Map of Gateway to the routes attached to it
+ gatewayRouteMap := make(map[string]sets.Set[string])
+
// Translate
// 1. First translate Policies targeting xRoutes
// 2. Finally, the policies targeting Gateways
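Review bot: The comment on gatewayRouteMap says it maps a Gateway to the routes attached to it, but the map is only filled from routes that a SecurityPolicy targets (the loop over route-level policies that follows), so a Gateway with attached routes and no route-level policies never appears in it. Reword it to what the map is actually used for: `// Map of Gateway to the attached routes that carry their own SecurityPolicy; used to mark Gateway-level policies as Overridden`. ProcessSecurityPolicies starts and ends outside this hunk.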
@@ -81,6 +89,26 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
continue
}
+ // Find the Gateway that the route belongs to and add it to the
+ // gatewayRouteMap, which will be used to check policy overrides
+ for _, p := range GetParentReferences(route) {
+ if p.Kind == nil || *p.Kind == KindGateway {
+ namespace := route.GetNamespace()
+ if p.Namespace != nil {
+ namespace = string(*p.Namespace)
+ }
+ gw := types.NamespacedName{
+ Namespace: namespace,
+ Name: string(p.Name),
+ }.String()
+
+ if _, ok := gatewayRouteMap[gw]; !ok {
+ gatewayRouteMap[gw] = make(sets.Set[string])
+ }
+ gatewayRouteMap[gw].Insert(utils.NamespacedName(route).String())
+ }
+ }
+
err := t.translateSecurityPolicyForRoute(policy, route, resources, xdsIR)
if err != nil {
status.SetSecurityPolicyCondition(policy,
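Review bot: The route is inserted into gatewayRouteMap before translateSecurityPolicyForRoute runs, so a route whose policy fails translation (the `if err != nil` branch at the end of this hunk) is still reported as overriding the Gateway-level policy in the Overridden condition set in the next hunk. If a route policy that failed translation does not take effect, the Gateway policy's status is wrong for that route; move the gatewayRouteMap insertion below the error check, or insert only when err is nil. The parent-reference filter also matches on Kind alone; if any other group can declare Kind `Gateway`, `p.Group` should be checked as well, which depends on what GetParentReferences returns. ProcessSecurityPolicies starts and ends outside this hunk.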
@@ -119,6 +147,24 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
message := "SecurityPolicy has been accepted."
status.SetSecurityPolicyAccepted(&policy.Status, message)
}
+
+ // Check if this policy is overridden by other policies targeting
+ // at route level
+ gw := utils.NamespacedName(gateway).String()
+ if r, ok := gatewayRouteMap[gw]; ok {
+ // Maintain order here to ensure status/string does not change with the same data
+ routes := r.UnsortedList()
+ sort.Strings(routes)
+ message := fmt.Sprintf(
+ "This policy is being overridden by other securityPolicies for these routes: %v",
+ routes)
+ status.SetSecurityPolicyCondition(policy,
+ egv1a1.PolicyConditionOverridden,
+ metav1.ConditionTrue,
+ egv1a1.PolicyReasonOverridden,
+ message,
+ )
+ }
}
}
@@ -136,10 +182,10 @@ func resolveSecurityPolicyGatewayTargetRef(
// Ensure Policy and target are in the same namespace
if policy.Namespace != string(*targetNs) {
-
message := fmt.Sprintf(
"Namespace:%s TargetRef.Namespace:%s, SecurityPolicy can only target a resource in the same namespace.",
policy.Namespace, *targetNs)
+
status.SetSecurityPolicyCondition(policy,
gwv1a2.PolicyConditionAccepted,
metav1.ConditionFalse,
@@ -158,14 +204,6 @@ func resolveSecurityPolicyGatewayTargetRef(
// Gateway not found
if !ok {
- message := fmt.Sprintf("Gateway:%s not found.", policy.Spec.TargetRef.Name)
-
- status.SetSecurityPolicyCondition(policy,
- gwv1a2.PolicyConditionAccepted,
- metav1.ConditionFalse,
- gwv1a2.PolicyReasonTargetNotFound,
- message,
- )
return nil
}
@@ -200,10 +238,10 @@ func resolveSecurityPolicyRouteTargetRef(
// Ensure Policy and target are in the same namespace
if policy.Namespace != string(*targetNs) {
-
message := fmt.Sprintf(
"Namespace:%s TargetRef.Namespace:%s, SecurityPolicy can only target a resource in the same namespace.",
policy.Namespace, *targetNs)
+
status.SetSecurityPolicyCondition(policy,
gwv1a2.PolicyConditionAccepted,
metav1.ConditionFalse,
@@ -223,17 +261,6 @@ func resolveSecurityPolicyRouteTargetRef(
// Route not found
if !ok {
- message := fmt.Sprintf(
- "%s/%s/%s not found.",
- policy.Spec.TargetRef.Kind,
- string(*targetNs), policy.Spec.TargetRef.Name)
-
- status.SetSecurityPolicyCondition(policy,
- gwv1a2.PolicyConditionAccepted,
- metav1.ConditionFalse,
- gwv1a2.PolicyReasonTargetNotFound,
- message,
- )
return nil
}
@@ -504,6 +531,20 @@ func (t *Translator) buildOIDC(
// Generate a unique cookie suffix for oauth filters
suffix := utils.Digest32(string(policy.UID))
+ // Get the HMAC secret
+ // HMAC secret is generated by the CertGen job and stored in a secret
+ // We need to rotate the HMAC secret in the future, probably the same
+ // way we rotate the certs generated by the CertGen job.
+ hmacSecret := resources.GetSecret(t.Namespace, oidcHMACSecretName)
+ if hmacSecret == nil {
+ return nil, fmt.Errorf("HMAC secret %s/%s not found", t.Namespace, oidcHMACSecretName)
+ }
+ hmacData, ok := hmacSecret.Data[oidcHMACSecretKey]
+ if !ok || len(hmacData) == 0 {
+ return nil, fmt.Errorf(
+ "HMAC secret not found in secret %s/%s", t.Namespace, oidcHMACSecretName)
+ }
+
return &ir.OIDC{
Provider: *provider,
ClientID: oidc.ClientID,
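Review bot: The error at the second check reads `HMAC secret not found in secret %s/%s`, but at that point the Secret was found and it is the data key that is missing or empty, so the message points an operator at the wrong thing; use `return nil, fmt.Errorf("key %s missing or empty in HMAC secret %s/%s", oidcHMACSecretKey, t.Namespace, oidcHMACSecretName)`. The only validation on the key material is non-emptiness; since this value is presumably what signs the OAuth2 cookies, a one-byte key would pass silently, so if the length the CertGen job generates is known, enforce a minimum here too. The raw bytes are then copied into ir.OIDC.HMACSecret in the next hunk; if the IR is ever serialized into logs, status or test goldens, confirm that field is redacted. buildOIDC starts and ends outside this hunk.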
@@ -513,6 +554,7 @@ func (t *Translator) buildOIDC(
RedirectPath: redirectPath,
LogoutPath: logoutPath,
CookieSuffix: suffix,
+ HMACSecret: hmacData,
}, nil
}
@@ -605,10 +647,6 @@ func validateTokenEndpoint(tokenEndpoint string) error {
return fmt.Errorf("error parsing token endpoint URL: %w", err)
}
- if parsedURL.Scheme != "https" {
- return fmt.Errorf("token endpoint URL scheme must be https: %s", tokenEndpoint)
- }
-
if ip, err := netip.ParseAddr(parsedURL.Hostname()); err == nil {
if ip.Unmap().Is4() {
return fmt.Errorf("token endpoint URL must be a domain name: %s", tokenEndpoint)
@@ -650,10 +688,6 @@ func (t *Translator) buildBasicAuth(
usersSecret.Namespace, usersSecret.Name)
}
- if err != nil {
- return nil, err
- }
-
return &ir.BasicAuth{Users: usersSecretBytes}, nil
}
@@ -699,7 +733,7 @@ func (t *Translator) buildExtAuth(
if ds, err = t.processExtServiceDestination(
backendRef,
- policy.Namespace,
+ policy,
protocol,
resources); err != nil {
return nil, err
@@ -732,16 +766,17 @@ func (t *Translator) buildExtAuth(
// TODO: zhaohuabing combine this function with the one in the route translator
func (t *Translator) processExtServiceDestination(
backendRef *gwapiv1.BackendObjectReference,
- ownerNamespace string,
+ policy *egv1a1.SecurityPolicy,
protocol ir.AppProtocol,
resources *Resources) (*ir.DestinationSetting, error) {
var (
endpoints []*ir.DestinationEndpoint
addrType *ir.DestinationAddressType
servicePort v1.ServicePort
+ backendTLS *ir.TLSUpstreamConfig
)
- serviceNamespace := NamespaceDerefOr(backendRef.Namespace, ownerNamespace)
+ serviceNamespace := NamespaceDerefOr(backendRef.Namespace, policy.Namespace)
service := resources.GetService(serviceNamespace, string(backendRef.Name))
for _, port := range service.Spec.Ports {
if port.Port == int32(*backendRef.Port) {
@@ -775,11 +810,27 @@ func (t *Translator) processExtServiceDestination(
"mixed endpointslice address type for the same backendRef is not supported")
}
+ backendTLS = t.processBackendTLSPolicy(
+ *backendRef,
+ serviceNamespace,
+ // Gateway is not the appropriate parent reference here because the owner
+ // of the BackendRef is the security policy, and there is no hierarchy
+ // relationship between the security policy and a gateway.
+ // The owner security policy of the BackendRef is used as the parent reference here.
+ gwv1a2.ParentReference{
+ Group: ptr.To(gwapiv1.Group(egv1a1.GroupName)),
+ Kind: ptr.To(gwapiv1.Kind(egv1a1.KindSecurityPolicy)),
+ Namespace: ptr.To(gwapiv1.Namespace(policy.Namespace)),
+ Name: gwapiv1.ObjectName(policy.Name),
+ },
+ resources)
+
return &ir.DestinationSetting{
Weight: ptr.To(uint32(1)),
Protocol: protocol,
Endpoints: endpoints,
AddressType: addrType,
+ TLS: backendTLS,
}, nil
}
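Review bot: `backendTLS` is taken from processBackendTLSPolicy with no error path, so if that helper returns nil for a BackendTLSPolicy it rejected (the invalid-ca golden in this change shows a rejected policy alongside a destination with no tls block), the ext-auth destination is built with `TLS: nil` and the call silently falls back to plaintext to a backend the operator meant to reach over TLS. Failing closed is the safer default: have processBackendTLSPolicy also return an error, or check the policy's Accepted status here, and `return nil, err` from processExtServiceDestination so the SecurityPolicy is marked not accepted instead of running unprotected. Whether the helper distinguishes "no policy" from "invalid policy" is not visible in this hunk, so confirm before changing its signature. processExtServiceDestination's header is in the previous hunk; this hunk closes the function.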
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml
new file mode 100644
index 00000000000..391eeb060bf
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml
@@ -0,0 +1,137 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-btls
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: "/exact"
+ backendRefs:
+ - name: http-backend
+ namespace: backends
+ port: 8080
+
+referenceGrants:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: ReferenceGrant
+ metadata:
+ name: refg-route-svc
+ namespace: backends
+ spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: envoy-gateway
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: envoy-gateway
+ - group: gateway.networking.k8s.io
+ kind: BackendTLSPolicy
+ namespace: policies
+ to:
+ - group: ""
+ kind: Service
+
+services:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ name: http-backend
+ namespace: backends
+ spec:
+ clusterIP: 10.11.12.13
+ ports:
+ - port: 8080
+ name: http
+ protocol: TCP
+ targetPort: 8080
+
+
+endpointSlices:
+ - apiVersion: discovery.k8s.io/v1
+ kind: EndpointSlice
+ metadata:
+ name: endpointslice-http-backend
+ namespace: backends
+ labels:
+ kubernetes.io/service-name: http-backend
+ addressType: IPv4
+ ports:
+ - name: http
+ protocol: TCP
+ port: 8080
+ endpoints:
+ - addresses:
+ - "10.244.0.11"
+ conditions:
+ ready: true
+
+configMaps:
+ - apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: ca-cmap
+ namespace: policies
+ data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+ BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+ MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+ A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+ 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+ yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+ kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+ Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+ ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+ bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+ 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+ 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+ i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+ A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+ d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+ 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+ -----END CERTIFICATE-----
+backendTLSPolicies:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls
+ namespace: policies
+ spec:
+ targetRef:
+ group: ''
+ kind: Service
+ name: http-backend
+ namespace: backends
+ sectionName: "8080"
+ tls:
+ caCertRefs:
+ - name: ca-cmap
+ group: ''
+ kind: ConfigMap
+ hostname: example.com
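Review bot: The fixture mixes quoting styles for the same value — `group: ""` in the ReferenceGrant `to` block and `group: ''` in the BackendTLSPolicy targetRef and caCertRefs — and leaves two consecutive blank lines between the services and endpointSlices stanzas, while the generated goldens use double quotes throughout. Use one style, `group: ""`, and a single blank line between stanzas. backendtlspolicy-default-ns.in.yaml, backendtlspolicy-invalid-ca.in.yaml and backendtlspolicy-system-truststore.in.yaml repeat the same pattern and should be normalized alongside.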
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml
new file mode 100644
index 00000000000..b38d38425b9
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml
@@ -0,0 +1,169 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls
+ namespace: policies
+ spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: http-backend
+ namespace: backends
+ sectionName: "8080"
+ tls:
+ caCertRefs:
+ - group: ""
+ kind: ConfigMap
+ name: ca-cmap
+ hostname: example.com
+ status:
+ ancestors:
+ - ancestorRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: BackendTLSPolicy is Accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: http-backend
+ namespace: backends
+ port: 8080
+ matches:
+ - path:
+ type: Exact
+ value: /exact
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+infraIR:
+ envoy-gateway/gateway-btls:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-btls/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-btls
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-btls
+xdsIR:
+ envoy-gateway/gateway-btls:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-btls/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/envoy-gateway/httproute-btls/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 10.244.0.11
+ port: 8080
+ protocol: HTTP
+ tls:
+ caCertificate:
+ certificate: 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
+ name: policy-btls/policies-ca
+ sni: example.com
+ weight: 1
+ hostname: '*'
+ isHTTP2: false
+ name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ exact: /exact
+ name: ""
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml
new file mode 100644
index 00000000000..f935b78dc7d
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml
@@ -0,0 +1,137 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-btls
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: "/exact"
+ backendRefs:
+ - name: http-backend
+ namespace: default
+ port: 8080
+
+referenceGrants:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: ReferenceGrant
+ metadata:
+ name: refg-route-svc
+ namespace: default
+ spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: envoy-gateway
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: envoy-gateway
+ - group: gateway.networking.k8s.io
+ kind: BackendTLSPolicy
+ namespace: default
+ to:
+ - group: ""
+ kind: Service
+
+services:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ name: http-backend
+ namespace: default
+ spec:
+ clusterIP: 10.11.12.13
+ ports:
+ - port: 8080
+ name: http
+ protocol: TCP
+ targetPort: 8080
+
+
+endpointSlices:
+ - apiVersion: discovery.k8s.io/v1
+ kind: EndpointSlice
+ metadata:
+ name: endpointslice-http-backend
+ namespace: default
+ labels:
+ kubernetes.io/service-name: http-backend
+ addressType: IPv4
+ ports:
+ - name: http
+ protocol: TCP
+ port: 8080
+ endpoints:
+ - addresses:
+ - "10.244.0.11"
+ conditions:
+ ready: true
+
+
+configMaps:
+ - apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: ca-cmap
+ namespace: default
+ data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+ BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+ MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+ A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+ 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+ yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+ kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+ Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+ ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+ bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+ 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+ 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+ i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+ A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+ d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+ 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+ -----END CERTIFICATE-----
+backendTLSPolicies:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls
+ namespace: default
+ spec:
+ targetRef:
+ group: ''
+ kind: Service
+ name: http-backend
+ sectionName: "8080"
+ tls:
+ caCertRefs:
+ - name: ca-cmap
+ group: ''
+ kind: ConfigMap
+ hostname: example.com
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml
new file mode 100644
index 00000000000..8b258dac8db
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml
@@ -0,0 +1,168 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls
+ namespace: default
+ spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: http-backend
+ sectionName: "8080"
+ tls:
+ caCertRefs:
+ - group: ""
+ kind: ConfigMap
+ name: ca-cmap
+ hostname: example.com
+ status:
+ ancestors:
+ - ancestorRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: BackendTLSPolicy is Accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: http-backend
+ namespace: default
+ port: 8080
+ matches:
+ - path:
+ type: Exact
+ value: /exact
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+infraIR:
+ envoy-gateway/gateway-btls:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-btls/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-btls
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-btls
+xdsIR:
+ envoy-gateway/gateway-btls:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-btls/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/envoy-gateway/httproute-btls/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 10.244.0.11
+ port: 8080
+ protocol: HTTP
+ tls:
+ caCertificate:
+ certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ name: policy-btls/default-ca
+ sni: example.com
+ weight: 1
+ hostname: '*'
+ isHTTP2: false
+ name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ exact: /exact
+ name: ""
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml
new file mode 100644
index 00000000000..d11c1a5f289
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml
@@ -0,0 +1,119 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-btls
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: "/exact"
+ backendRefs:
+ - name: http-backend
+ namespace: backends
+ port: 8080
+
+referenceGrants:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: ReferenceGrant
+ metadata:
+ name: refg-route-svc
+ namespace: backends
+ spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: envoy-gateway
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: envoy-gateway
+ - group: gateway.networking.k8s.io
+ kind: BackendTLSPolicy
+ namespace: policies
+ to:
+ - group: ""
+ kind: Service
+
+services:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ name: http-backend
+ namespace: backends
+ spec:
+ clusterIP: 10.11.12.13
+ ports:
+ - port: 8080
+ name: http
+ protocol: TCP
+ targetPort: 8080
+
+
+endpointSlices:
+ - apiVersion: discovery.k8s.io/v1
+ kind: EndpointSlice
+ metadata:
+ name: endpointslice-http-backend
+ namespace: backends
+ labels:
+ kubernetes.io/service-name: http-backend
+ addressType: IPv4
+ ports:
+ - name: http
+ protocol: TCP
+ port: 8080
+ endpoints:
+ - addresses:
+ - "10.244.0.11"
+ conditions:
+ ready: true
+
+configMaps:
+ - apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: no-ca-cmap
+ namespace: policies
+ data:
+ garbage.crt: |
+ itsAllGarbage
+backendTLSPolicies:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls
+ namespace: policies
+ spec:
+ targetRef:
+ group: ''
+ kind: Service
+ name: http-backend
+ namespace: backends
+ sectionName: "8080"
+ tls:
+ caCertRefs:
+ - name: no-ca-cmap
+ group: ''
+ kind: ConfigMap
+ hostname: example.com
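Review bot: The ConfigMap in this fixture has no `ca.crt` key at all (`garbage.crt: itsAllGarbage`), so the case exercised is "CA key missing", which the golden confirms with `No ca found in configmap no-ca-cmap`; the file name suggests an invalid CA, which would be a `ca.crt` holding non-PEM data or a non-certificate PEM block and presumably takes a different branch in the parser. Consider renaming this pair to backendtlspolicy-missing-ca, or adding a second pair in which `ca.crt` carries the same garbage string, so the parse-failure path is covered as well.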
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
new file mode 100644
index 00000000000..ae583f55e47
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
@@ -0,0 +1,164 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls
+ namespace: policies
+ spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: http-backend
+ namespace: backends
+ sectionName: "8080"
+ tls:
+ caCertRefs:
+ - group: ""
+ kind: ConfigMap
+ name: no-ca-cmap
+ hostname: example.com
+ status:
+ ancestors:
+ - ancestorRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: No ca found in configmap no-ca-cmap
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: http-backend
+ namespace: backends
+ port: 8080
+ matches:
+ - path:
+ type: Exact
+ value: /exact
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+infraIR:
+ envoy-gateway/gateway-btls:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-btls/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-btls
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-btls
+xdsIR:
+ envoy-gateway/gateway-btls:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-btls/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/envoy-gateway/httproute-btls/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 10.244.0.11
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: '*'
+ isHTTP2: false
+ name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ exact: /exact
+ name: ""
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml
new file mode 100644
index 00000000000..88fb94bc116
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml
@@ -0,0 +1,105 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-btls
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: "/exact"
+ backendRefs:
+ - name: http-backend
+ namespace: default
+ port: 8080
+
+referenceGrants:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: ReferenceGrant
+ metadata:
+ name: refg-route-svc
+ namespace: default
+ spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: envoy-gateway
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: envoy-gateway
+ - group: gateway.networking.k8s.io
+ kind: BackendTLSPolicy
+ namespace: default
+ to:
+ - group: ""
+ kind: Service
+
+services:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ name: http-backend
+ namespace: default
+ spec:
+ clusterIP: 10.11.12.13
+ ports:
+ - port: 8080
+ name: http
+ protocol: TCP
+ targetPort: 8080
+
+
+endpointSlices:
+ - apiVersion: discovery.k8s.io/v1
+ kind: EndpointSlice
+ metadata:
+ name: endpointslice-http-backend
+ namespace: default
+ labels:
+ kubernetes.io/service-name: http-backend
+ addressType: IPv4
+ ports:
+ - name: http
+ protocol: TCP
+ port: 8080
+ endpoints:
+ - addresses:
+ - "10.244.0.11"
+ conditions:
+ ready: true
+backendTLSPolicies:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls
+ namespace: default
+ spec:
+ targetRef:
+ group: ''
+ kind: Service
+ name: http-backend
+ sectionName: "8080"
+ tls:
+ wellKnownCACerts: System
+ hostname: example.com
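Review bot: The `referenceGrants` entry grants BackendTLSPolicy from namespace `default` access to Services in `default`, a same-namespace reference that needs no grant, and its Gateway `from` entry references no Service in this fixture either, so the grant adds noise to a test whose purpose is the `wellKnownCACerts: System` path. Either drop the grant or move the policy into another namespace so the grant is actually exercised. A leading comment such as `# BackendTLSPolicy with wellKnownCACerts: System; expects useSystemTrustStore: true and no CA bundle in the xDS IR` would state what the fixture pins.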
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml
new file mode 100644
index 00000000000..760e7864048
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml
@@ -0,0 +1,163 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls
+ namespace: default
+ spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: http-backend
+ sectionName: "8080"
+ tls:
+ hostname: example.com
+ wellKnownCACerts: System
+ status:
+ ancestors:
+ - ancestorRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: BackendTLSPolicy is Accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: http-backend
+ namespace: default
+ port: 8080
+ matches:
+ - path:
+ type: Exact
+ value: /exact
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+infraIR:
+ envoy-gateway/gateway-btls:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-btls/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-btls
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-btls
+xdsIR:
+ envoy-gateway/gateway-btls:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-btls/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/envoy-gateway/httproute-btls/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 10.244.0.11
+ port: 8080
+ protocol: HTTP
+ tls:
+ sni: example.com
+ useSystemTrustStore: true
+ weight: 1
+ hostname: '*'
+ isHTTP2: false
+ name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ exact: /exact
+ name: ""
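Review bot: The expected xdsIR `tls` block for the route carries only `sni: example.com` and `useSystemTrustStore: true`; nothing in the fixture records that the backend certificate's subject alternative names are verified against `example.com`, which is what a BackendTLSPolicy `hostname` is meant to enforce in addition to selecting SNI. If the xDS layer derives SAN verification from `sni`, a comment saying so would keep a reader from taking this as SNI-only; if it does not, the system-trust-store path validates the chain but accepts any name the CA has signed. I cannot see the IR type from here, so this may already be handled downstream.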
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.in.yaml
new file mode 100644
index 00000000000..f773f200881
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.in.yaml
@@ -0,0 +1,134 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-btls
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: "/exact"
+ backendRefs:
+ - name: http-backend
+ namespace: backends
+ port: 8080
+
+referenceGrants:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: ReferenceGrant
+ metadata:
+ name: refg-route-svc
+ namespace: backends
+ spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: envoy-gateway
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: envoy-gateway
+ to:
+ - group: ""
+ kind: Service
+
+services:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ name: http-backend
+ namespace: backends
+ spec:
+ clusterIP: 10.11.12.13
+ ports:
+ - port: 8080
+ name: http
+ protocol: TCP
+ targetPort: 8080
+
+
+endpointSlices:
+ - apiVersion: discovery.k8s.io/v1
+ kind: EndpointSlice
+ metadata:
+ name: endpointslice-http-backend
+ namespace: backends
+ labels:
+ kubernetes.io/service-name: http-backend
+ addressType: IPv4
+ ports:
+ - name: http
+ protocol: TCP
+ port: 8080
+ endpoints:
+ - addresses:
+ - "10.244.0.11"
+ conditions:
+ ready: true
+
+configMaps:
+ - apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: ca-cmap
+ namespace: policies
+ data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+ BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+ MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+ A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+ 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+ yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+ kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+ Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+ ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+ bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+ 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+ 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+ i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+ A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+ d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+ 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+ -----END CERTIFICATE-----
+backendTLSPolicies:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls
+ namespace: policies
+ spec:
+ targetRef:
+ group: ''
+ kind: Service
+ name: http-backend
+ namespace: backends
+ sectionName: "8080"
+ tls:
+ caCertRefs:
+ - name: ca-cmap
+ group: ''
+ kind: ConfigMap
+ hostname: example.com
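Review bot: The embedded `ca.crt` decodes to a self-signed certificate (CN `mycient`, O `kubedb`) with a validity window of 2023-10-02 to 2024-10-01, so the fixture ships a test CA that expires on that date. This test rejects the policy before the CA is consulted, so it is harmless here, but if the same PEM is reused by fixtures that do build a validation context, any validity check added later breaks them at that date; a comment above the ConfigMap such as `# test-only self-signed CA; notAfter 2024-10-01` makes the dependency visible. The doubled blank line before `endpointSlices:` can also collapse to one.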
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml
new file mode 100755
index 00000000000..d2f92086f1a
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml
@@ -0,0 +1,165 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls
+ namespace: policies
+ spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: http-backend
+ namespace: backends
+ sectionName: "8080"
+ tls:
+ caCertRefs:
+ - group: ""
+ kind: ConfigMap
+ name: ca-cmap
+ hostname: example.com
+ status:
+ ancestors:
+ - ancestorRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: target ref to Service backends/http-backend not permitted by any
+ ReferenceGrant
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-btls
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-btls
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: http-backend
+ namespace: backends
+ port: 8080
+ matches:
+ - path:
+ type: Exact
+ value: /exact
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-btls
+ namespace: envoy-gateway
+ sectionName: http
+infraIR:
+ envoy-gateway/gateway-btls:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-btls/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-btls
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-btls
+xdsIR:
+ envoy-gateway/gateway-btls:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-btls/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/envoy-gateway/httproute-btls/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 10.244.0.11
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: '*'
+ isHTTP2: false
+ name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ exact: /exact
+ name: ""
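Review bot: With the BackendTLSPolicy rejected (`Accepted: "False"`, reason `Invalid`), the expected xdsIR route settings carry no `tls` block, so this fixture pins fail-open behavior: a policy meant to enable TLS to `backends/http-backend` but lacking a ReferenceGrant leaves the route programmed with plaintext HTTP to that backend. That is consistent with policy-attachment semantics (an unattached policy has no effect), but a reader should not have to infer it from the absence of a key; add a comment at the top of the companion `.in.yaml` such as `# Policy is rejected for lack of a ReferenceGrant; the route is still programmed and backend traffic stays plaintext`.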
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-no-status-for-unknown-gateway-or-route.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-no-status-for-unknown-gateway-or-route.in.yaml
new file mode 100644
index 00000000000..aed29a51471
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-no-status-for-unknown-gateway-or-route.in.yaml
@@ -0,0 +1,23 @@
+backendTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: BackendTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-unknown-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: unknown-gateway
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: BackendTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-unknown-httproute
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: unknown-httproute
+ namespace: envoy-gateway
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-no-status-for-unknown-gateway-or-route.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-no-status-for-unknown-gateway-or-route.out.yaml
new file mode 100644
index 00000000000..eb00e89c260
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-no-status-for-unknown-gateway-or-route.out.yaml
@@ -0,0 +1,29 @@
+backendTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: BackendTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-unknown-httproute
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: unknown-httproute
+ namespace: envoy-gateway
+ status: {}
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: BackendTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-unknown-gateway
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: unknown-gateway
+ namespace: envoy-gateway
+ status: {}
+infraIR: {}
+xdsIR: {}
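Review bot: Both policies end with `status: {}`, so a BackendTrafficPolicy whose target Gateway or HTTPRoute does not exist gets no `Accepted` condition at all rather than a `"False"` one with a `TargetNotFound`-style reason, and an operator inspecting the object sees no signal that it is dangling. The file name says this is deliberate, presumably to avoid writing status on policies whose targets belong to another controller, but that rationale lives only in the name; a comment in the `.in.yaml` such as `# Targets do not exist: the translator must leave status empty rather than report a rejection` would pin the intent. The output order is also reversed relative to the input, which suggests the expectation depends on the translator's sort order.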
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml
index 429b235bb9e..72aa59947d9 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml
@@ -76,6 +76,12 @@ backendTrafficPolicies:
reason: Accepted
status: "True"
type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other backendTrafficPolicies for
+ these routes: [envoy-gateway/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
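Review bot: The `Overridden` message renders the route list as `[envoy-gateway/httproute-1]`, and in the loadbalancer fixture the same message shows `[default/httproute-1 default/httproute-2]`, which looks like Go's default `%v` formatting of a slice: space-separated elements inside brackets with no commas. That reads fine for one entry but becomes ambiguous as the list grows; joining the names with `", "` in the translator (`strings.Join(names, ", ")`) would yield `[default/httproute-1, default/httproute-2]`. The same message appears in the fault-injection and loadbalancer hunks, which would update together.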
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml
old mode 100755
new mode 100644
index d712794bd95..206efb84d6d
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml
@@ -74,6 +74,12 @@ backendTrafficPolicies:
reason: Accepted
status: "True"
type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other backendTrafficPolicies for
+ these routes: [default/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.in.yaml
index 42f7cafb4f4..ac4333ec752 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.in.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.in.yaml
@@ -62,6 +62,25 @@ httpRoutes:
backendRefs:
- name: service-1
port: 8080
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-2
+ spec:
+ hostnames:
+ - gateway.envoyproxy.io
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-2
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: "/foo"
+ backendRefs:
+ - name: service-1
+ port: 8080
backendTrafficPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
@@ -89,3 +108,16 @@ backendTrafficPolicies:
namespace: default
circuitBreaker:
maxRequestsPerConnection: -1
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: BackendTrafficPolicy
+ metadata:
+ namespace: default
+ name: policy-for-route2
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-2
+ namespace: default
+ circuitBreaker:
+ maxParallelRetries: -1
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml
index af7b979d113..20d781ecc8e 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml
@@ -21,6 +21,28 @@ backendTrafficPolicies:
reason: Invalid
status: "False"
type: Accepted
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: BackendTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-route2
+ namespace: default
+ spec:
+ circuitBreaker:
+ maxParallelRetries: -1
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-2
+ namespace: default
+ status:
+ conditions:
+ - lastTransitionTime: null
+ message: 'Unable to translate Circuit Breaker: invalid MaxParallelRetries value
+ -1'
+ reason: Invalid
+ status: "False"
+ type: Accepted
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
@@ -101,7 +123,7 @@ gateways:
protocol: HTTP
status:
listeners:
- - attachedRoutes: 1
+ - attachedRoutes: 2
conditions:
- lastTransitionTime: null
message: Sending translated listener configuration to the data plane
@@ -197,6 +219,44 @@ httpRoutes:
name: gateway-2
namespace: envoy-gateway
sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-2
+ namespace: default
+ spec:
+ hostnames:
+ - gateway.envoyproxy.io
+ parentRefs:
+ - name: gateway-2
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-2
+ namespace: envoy-gateway
+ sectionName: http
infraIR:
envoy-gateway/gateway-1:
proxy:
@@ -274,6 +334,25 @@ xdsIR:
mergeSlashes: true
port: 10080
routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-2/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: gateway.envoyproxy.io
+ isHTTP2: false
+ name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
- backendWeights:
invalid: 0
valid: 0
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.in.yaml
index 8bd4067f17b..dc6513eeec1 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.in.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.in.yaml
@@ -78,6 +78,7 @@ backendTrafficPolicies:
maxConnections: 2048
maxPendingRequests: 1
maxParallelRequests: 4294967295
+ maxParallelRetries: 1024
maxRequestsPerConnection: 1
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
@@ -94,4 +95,5 @@ backendTrafficPolicies:
maxConnections: 42
maxPendingRequests: 42
maxParallelRequests: 42
+ maxParallelRetries: 24
maxRequestsPerConnection: 42
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml
index f556715f073..7188af68fb8 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml
@@ -9,6 +9,7 @@ backendTrafficPolicies:
circuitBreaker:
maxConnections: 42
maxParallelRequests: 42
+ maxParallelRetries: 24
maxPendingRequests: 42
maxRequestsPerConnection: 42
targetRef:
@@ -33,6 +34,7 @@ backendTrafficPolicies:
circuitBreaker:
maxConnections: 2048
maxParallelRequests: 4294967295
+ maxParallelRetries: 1024
maxPendingRequests: 1
maxRequestsPerConnection: 1
targetRef:
@@ -254,6 +256,7 @@ xdsIR:
circuitBreaker:
maxConnections: 2048
maxParallelRequests: 4294967295
+ maxParallelRetries: 1024
maxPendingRequests: 1
maxRequestsPerConnection: 1
destination:
@@ -289,6 +292,7 @@ xdsIR:
circuitBreaker:
maxConnections: 42
maxParallelRequests: 42
+ maxParallelRetries: 24
maxPendingRequests: 42
maxRequestsPerConnection: 42
destination:
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml
index e0b71ac1328..bd11501ac10 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml
@@ -132,6 +132,10 @@ backendTrafficPolicies:
baseEjectionTime: 160s
interval: 2s
maxEjectionPercent: 100
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ splitExternalLocalOriginErrors: false
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
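Review bot: Every passive block sets `consecutiveLocalOriginFailures: 5` together with `splitExternalLocalOriginErrors: false`; if these map onto Envoy outlier detection the way their names suggest, the local-origin counter is only consulted when split mode is on, so none of the four policies in this file exercise that field, and the later hunks in this file have the same shape. Flipping `splitExternalLocalOriginErrors: true` on one policy (the 10s/10s/10 one is a natural candidate) would give the field a distinct expected value in the `.out.yaml`. `consecutiveGatewayErrors: 0` also deserves a comment on whether 0 means "disabled" or "eject on the first gateway error" in the IR, since Envoy separates the count from its enforcement percentage.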
@@ -163,6 +167,10 @@ backendTrafficPolicies:
baseEjectionTime: 150s
interval: 1s
maxEjectionPercent: 100
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ splitExternalLocalOriginErrors: false
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
@@ -189,9 +197,13 @@ backendTrafficPolicies:
type: Text
text: pong
passive:
- baseEjectionTime: 180s
- interval: 1s
- maxEjectionPercent: 100
+ baseEjectionTime: 10s
+ interval: 10s
+ maxEjectionPercent: 10
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ splitExternalLocalOriginErrors: false
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
@@ -221,3 +233,7 @@ backendTrafficPolicies:
baseEjectionTime: 160s
interval: 8ms
maxEjectionPercent: 11
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ splitExternalLocalOriginErrors: false
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml
old mode 100755
new mode 100644
index 78b8946cc3e..021877b870a
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml
@@ -24,8 +24,12 @@ backendTrafficPolicies:
unhealthyThreshold: 3
passive:
baseEjectionTime: 2m30s
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
interval: 1s
maxEjectionPercent: 100
+ splitExternalLocalOriginErrors: false
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
@@ -60,9 +64,13 @@ backendTrafficPolicies:
type: TCP
unhealthyThreshold: 3
passive:
- baseEjectionTime: 3m0s
- interval: 1s
- maxEjectionPercent: 100
+ baseEjectionTime: 10s
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ interval: 10s
+ maxEjectionPercent: 10
+ splitExternalLocalOriginErrors: false
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
@@ -98,8 +106,12 @@ backendTrafficPolicies:
unhealthyThreshold: 3
passive:
baseEjectionTime: 2m40s
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
interval: 8ms
maxEjectionPercent: 11
+ splitExternalLocalOriginErrors: false
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
@@ -137,8 +149,12 @@ backendTrafficPolicies:
unhealthyThreshold: 3
passive:
baseEjectionTime: 2m40s
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
interval: 2s
maxEjectionPercent: 100
+ splitExternalLocalOriginErrors: false
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
@@ -456,8 +472,12 @@ xdsIR:
unhealthyThreshold: 3
passive:
baseEjectionTime: 2m40s
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
interval: 2s
maxEjectionPercent: 100
+ splitExternalLocalOriginErrors: false
hostname: '*'
isHTTP2: true
name: grpcroute/default/grpcroute-1/rule/0/match/-1/*
@@ -500,9 +520,13 @@ xdsIR:
timeout: 1s
unhealthyThreshold: 3
passive:
- baseEjectionTime: 3m0s
- interval: 1s
- maxEjectionPercent: 100
+ baseEjectionTime: 10s
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ interval: 10s
+ maxEjectionPercent: 10
+ splitExternalLocalOriginErrors: false
hostname: gateway.envoyproxy.io
isHTTP2: false
name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io
@@ -535,8 +559,12 @@ xdsIR:
unhealthyThreshold: 3
passive:
baseEjectionTime: 2m40s
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
interval: 8ms
maxEjectionPercent: 11
+ splitExternalLocalOriginErrors: false
hostname: gateway.envoyproxy.io
isHTTP2: false
name: httproute/default/httproute-3/rule/0/match/0/gateway_envoyproxy_io
@@ -572,8 +600,12 @@ xdsIR:
unhealthyThreshold: 3
passive:
baseEjectionTime: 2m30s
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
interval: 1s
maxEjectionPercent: 100
+ splitExternalLocalOriginErrors: false
hostname: gateway.envoyproxy.io
isHTTP2: false
name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml
index bab8fe348b4..cdb4de42bbc 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml
@@ -89,6 +89,12 @@ backendTrafficPolicies:
reason: Accepted
status: "True"
type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other backendTrafficPolicies for
+ these routes: [default/httproute-1 default/httproute-2]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml
old mode 100755
new mode 100644
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml
old mode 100755
new mode 100644
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.in.yaml
index a57e6d4f189..7454914952b 100644
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.in.yaml
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.in.yaml
@@ -38,7 +38,7 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: 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
tls.key: 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
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml
index cafbbaa06ae..64c1d83b367 100644
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml
@@ -160,6 +160,6 @@ xdsIR:
certificates:
- name: envoy-gateway/tls-secret-1
privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0Zq
L2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
- serverCertificate: 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
+ serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
maxVersion: "1.3"
minVersion: "1.2"
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-no-status-for-unknown-gateway.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-no-status-for-unknown-gateway.in.yaml
new file mode 100644
index 00000000000..85d8004b375
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-no-status-for-unknown-gateway.in.yaml
@@ -0,0 +1,12 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-unknown-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: unknown-gateway
+ namespace: envoy-gateway
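Review bot: Nothing in the new fixture records why a ClientTrafficPolicy whose `targetRef` names a Gateway that does not exist is expected to receive no status at all, and the EnvoyPatchPolicy fixture added further down has the same gap; the file name states what is asserted, not why. A silent outcome is exactly the one an operator cannot tell apart from a regression (a policy that should have reported something like `TargetNotFound` and stopped doing so), so a one-line header comment in each `.in.yaml` would make the contract reviewable, e.g. `# Gateway "unknown-gateway" is not one this controller manages, so the policy must get no status written.` The reason in that comment should be whatever the translator actually does, which is not visible from the hunk.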
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-no-status-for-unknown-gateway.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-no-status-for-unknown-gateway.out.yaml
new file mode 100644
index 00000000000..bb1b94a2748
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-no-status-for-unknown-gateway.out.yaml
@@ -0,0 +1,16 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-unknown-gateway
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: unknown-gateway
+ namespace: envoy-gateway
+ status: {}
+infraIR: {}
+xdsIR: {}
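Review bot: The two new expected outputs disagree on the shape of an unprocessed policy: this file still echoes the ClientTrafficPolicy with `status: {}`, whereas the EnvoyPatchPolicy `.out.yaml` in the later hunk contains only `infraIR: {}` and `xdsIR: {}` with the policy dropped entirely. If that difference is intended (for instance the harness only serializes EnvoyPatchPolicies that carry a status), a short comment in one of the two fixtures would stop the next reader from treating it as a bug; if it is not intended, one of the two expectations is pinning a defect rather than the desired behaviour. Which translator is the outlier cannot be determined from the hunk.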
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml
index 3e4588c1c6f..7d23dc8b307 100644
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml
@@ -57,5 +57,5 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: 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
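Review bot: The replacement `tls.crt` values in this hunk and in the other `.in.yaml` secret hunks (clienttrafficpolicy-http3, gateway-infrastructure and the gateway-with-listener-* files) carry no note of how they were produced, so the next expiry will again be a surprise; the old certificate's PEM decodes to a validity ending 2024-01-05 and the new one to 2024-02-29 through 2034-02-26, which presumably is why this rotation was needed. A comment above each replaced secret recording the generation command and the notAfter date would make the fixtures maintainable, e.g. `# Self-signed test cert, CN=foo.bar.com, notAfter 2034-02-26; regenerate with the openssl recipe in <docs-path-placeholder>`. Two properties of the new certificate are worth stating in that comment because tests elsewhere may depend on them: it is self-signed with `basicConstraints CA:TRUE`, and it carries no subjectAltName (only the CN), so any validation that matches hostnames SAN-first will not consider it valid for foo.bar.com.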
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml
index 70adfea5072..cdf07611a29 100644
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml
@@ -152,7 +152,7 @@ xdsIR:
certificates:
- name: envoy-gateway/tls-secret-1
privateKey: 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
- serverCertificate: 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
+ serverCertificate: 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
ciphers:
- cipher1
- cipher2
diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-no-status-for-unknown-gateway.in.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-no-status-for-unknown-gateway.in.yaml
new file mode 100644
index 00000000000..f23931ad622
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoypatchpolicy-no-status-for-unknown-gateway.in.yaml
@@ -0,0 +1,13 @@
+envoyPatchPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyPatchPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-unknown-gateway
+ spec:
+ type: "JSONPatch"
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: unknown-gateway
+ namespace: envoy-gateway
diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-no-status-for-unknown-gateway.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-no-status-for-unknown-gateway.out.yaml
new file mode 100644
index 00000000000..fca40f1fe38
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoypatchpolicy-no-status-for-unknown-gateway.out.yaml
@@ -0,0 +1,2 @@
+infraIR: {}
+xdsIR: {}
diff --git a/internal/gatewayapi/testdata/gateway-infrastructure.in.yaml b/internal/gatewayapi/testdata/gateway-infrastructure.in.yaml
index 0ce21aaf14e..fa6d6455124 100644
--- a/internal/gatewayapi/testdata/gateway-infrastructure.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-infrastructure.in.yaml
@@ -71,6 +71,6 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: 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
tls.key: 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
diff --git a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml
index c83cb118ca4..2eac73861c6 100644
--- a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml
@@ -147,4 +147,4 @@ xdsIR:
certificates:
- name: default/tls-secret-1
privateKey: 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
- serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQVpBQ0NRREVNZ1lZblFyQ29EQU5CZ2txaGtpRzl3MEJBUXNGQURBV01SUXdFZ1lEVlFRRERBdG0KYjI4dVltRnlMbU52YlRBZUZ3MHlNekF4TURVeE16UXpNalJhRncweU5EQXhNRFV4TXpRek1qUmFNQll4RkRBUwpCZ05WQkFNTUMyWnZieTVpWVhJdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFuZEh6d21wS2NUSUViamhGZ2RXd1RSTjc1Y3A4b3VsWnhMMUdydlI2SXc3ejdqaTBSNFcvTm85bkdmOU0KWVAyQ1JqaXN6NTFtd3hTeGVCcm9jTGVBK21reGkxK2lEdk5kQytyU0x4MTN6RUxTQ25xYnVzUHM3bUdmSlpxOAo5TGhlbmx5bzQzaDVjYTZINUxqTXd1L1JHVWlGMzFYck5yaVlGQlB2RTJyQitkd24vTkVrUTRoOFJxcXlwcmtuCkYvcWM5Sk1ZQVlGRld1VkNwa0lFbmRYMUN5dlFOT2FkZmN2cmd6dDV2SmwwT2kxQWdyaU5hWGJFUEdudWY3STQKcXBCSEdVWE5lMVdsOVdlVklxS1g0T2FFWERWQzZGQzdHOHptZWVMVzFBa1lFVm5pcFg2b1NCK0JjL1NIVlZOaApzQkxSbXRuc3pmTnRUMlFyZCttcGt4ODBaUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1VKOElDCkJveUVqT3V3enBHYVJoR044QjRqT1B6aHVDT0V0ZDM3UzAybHUwN09IenlCdmJzVEd6S3dCZ0x5bVdmR2tINEIKajdDTHNwOEZ6TkhLWnVhQmdwblo5SjZETE9Od2ZXZTJBWXA3TGRmT0tWQlVkTVhRaU9tN2pKOUhob0Ntdk1ONwpic2pjaFdKb013ckZmK3dkQUthdHowcUFQeWhMeWUvRnFtaVZ4a09SWmF3K1Q5bURaK0g0OXVBU2d1SnVOTXlRClY2RXlYNmd0Z1dxMzc2SHZhWE1TLzNoYW1Zb1ZXWEk1TXhpUE9ZeG5BQmtKQjRTQ2dJUmVqYkpmVmFRdG9RNGEKejAyaVVMZW5ESUllUU9Zb2JLY01CWGYxQjRQQVFtc2VocVZJYnpzUUNHaTU0VkRyczZiWmQvN0pzMXpDcHBncwpKaUQ1SXFNaktXRHdxN2FLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ serverCertificate: 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
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.in.yaml
index c0239e032f6..be3ac0e7b8f 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.in.yaml
@@ -28,7 +28,7 @@ secrets:
name: tls-secret-ecdsa-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnVENDQVNlZ0F3SUJBZ0lVRm1sOExCRzBvL1FLNFErWjdrODI0c0MyaUZ3d0NnWUlLb1pJemowRUF3SXcKRmpFVU1CSUdBMVVFQXd3TFptOXZMbUpoY2k1amIyMHdIaGNOTWpRd01qSTVNRGt6TURFd1doY05NelF3TWpJMgpNRGt6TURFd1dqQVdNUlF3RWdZRFZRUUREQXRtYjI4dVltRnlMbU52YlRCWk1CTUdCeXFHU000OUFnRUdDQ3FHClNNNDlBd0VIQTBJQUJMYVl2cUt1VlZveERvNTJlV3p2WUI1anc3RU1GODZybXlvaTVadWF5emRNdnBnNHpCcjgKUktCak5zK1QxakI4T0t1Y1MvN1JVRHgwcHorOTc2ek0zaU9qVXpCUk1CMEdBMVVkRGdRV0JCVE82K2NnMFIwZAp3dHJ6SlFQRzZnNzZoQkJVelRBZkJnTlZIU01FR0RBV2dCVE82K2NnMFIwZHd0cnpKUVBHNmc3NmhCQlV6VEFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSVFDMlhwUFFnUXpXYWUzYjVwWnQKR2N1TWZESjBjME9QS2NuZWdrWFoyQzRCM2dJZ1Uvc1Jrd0lwTFFOUlYrRWFZdzRQNVQ1Z1BFNlkrVnBtQzk4aApvVmpaL3pRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUxEbnZNM1RKM3NHYm9EeTF4T3dqSVppVFNWeWZXVWF5YVExcWdrdUdacEtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSDVWdHJjenJQS091alV5RTMyaDU2UnVrdHUzSVhTVnJJMkNibXh5UUpqcEY3di9rNVNqTQpSVXZjUnBCdmpnQWROaGhUNGNUMXV4YW1TMFlmQ2JXMVhRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
- apiVersion: v1
kind: Secret
@@ -37,8 +37,8 @@ secrets:
name: tls-secret-ecdsa-2
type: kubernetes.io/tls
data:
- tls.crt: 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
- tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JR2tBZ0VCQkRCTFhMK3ExWFBhYnpzZGhyOXVwcWlWTTQwcTBXUVkwMTYvZlVJNFEzL1gvR2NyZHhTTUQrZEQKQk9HZHZLZFlvLzZnQndZRks0RUVBQ0toWkFOaUFBVGordFBZOGxXdnJSOXI1NFNBYThjbkJ0SU1GZy82SWo1MQpHUkFaK1dHUWNlbUpSUTNuUEJQcmhzVjl0anVNdlV2TE5EK0g2QnR5Z241VTIyTTNsNzhPWlJGbDRrM2RwT3dsCmVlSk5RUGpseXcwY0J0Y3BXMmFZR09RVEQyd3FXN009Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
+ tls.crt: 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
+ tls.key: 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
- apiVersion: v1
kind: Secret
metadata:
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-valid-certificate-for-fqdn.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-valid-certificate-for-fqdn.in.yaml
index 1833950ff0c..0c3a5060b85 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-valid-certificate-for-fqdn.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-valid-certificate-for-fqdn.in.yaml
@@ -26,7 +26,7 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: 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
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.in.yaml
index 702318e694c..2882a44c180 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.in.yaml
@@ -26,7 +26,7 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQVpBQ0NRREVNZ1lZblFyQ29EQU5CZ2txaGtpRzl3MEJBUXNGQURBV01SUXdFZ1lEVlFRRERBdG0KYjI4dVltRnlMbU52YlRBZUZ3MHlNekF4TURVeE16UXpNalJhRncweU5EQXhNRFV4TXpRek1qUmFNQll4RkRBUwpCZ05WQkFNTUMyWnZieTVpWVhJdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFuZEh6d21wS2NUSUViamhGZ2RXd1RSTjc1Y3A4b3VsWnhMMUdydlI2SXc3ejdqaTBSNFcvTm85bkdmOU0KWVAyQ1JqaXN6NTFtd3hTeGVCcm9jTGVBK21reGkxK2lEdk5kQytyU0x4MTN6RUxTQ25xYnVzUHM3bUdmSlpxOAo5TGhlbmx5bzQzaDVjYTZINUxqTXd1L1JHVWlGMzFYck5yaVlGQlB2RTJyQitkd24vTkVrUTRoOFJxcXlwcmtuCkYvcWM5Sk1ZQVlGRld1VkNwa0lFbmRYMUN5dlFOT2FkZmN2cmd6dDV2SmwwT2kxQWdyaU5hWGJFUEdudWY3STQKcXBCSEdVWE5lMVdsOVdlVklxS1g0T2FFWERWQzZGQzdHOHptZWVMVzFBa1lFVm5pcFg2b1NCK0JjL1NIVlZOaApzQkxSbXRuc3pmTnRUMlFyZCttcGt4ODBaUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1VKOElDCkJveUVqT3V3enBHYVJoR044QjRqT1B6aHVDT0V0ZDM3UzAybHUwN09IenlCdmJzVEd6S3dCZ0x5bVdmR2tINEIKajdDTHNwOEZ6TkhLWnVhQmdwblo5SjZETE9Od2ZXZTJBWXA3TGRmT0tWQlVkTVhRaU9tN2pKOUhob0Ntdk1ONwpic2pjaFdKb013ckZmK3dkQUthdHowcUFQeWhMeWUvRnFtaVZ4a09SWmF3K1Q5bURaK0g0OXVBU2d1SnVOTXlRClY2RXlYNmd0Z1dxMzc2SHZhWE1TLzNoYW1Zb1ZXWEk1TXhpUE9ZeG5BQmtKQjRTQ2dJUmVqYkpmVmFRdG9RNGEKejAyaVVMZW5ESUllUU9Zb2JLY01CWGYxQjRQQVFtc2VocVZJYnpzUUNHaTU0VkRyczZiWmQvN0pzMXpDcHBncwpKaUQ1SXFNaktXRHdxN2FLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ tls.crt: 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
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2R
EK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml
index 3149574f2a7..b1f4d6530d0 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml
@@ -136,4 +136,4 @@ xdsIR:
certificates:
- name: default/tls-secret-1
privateKey: 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
- serverCertificate: 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
+ serverCertificate: 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
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.in.yaml
index 233c609eea1..09c8d213737 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.in.yaml
@@ -66,5 +66,5 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2R
EK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml
index 10d648c3c07..88856e37f64 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml
@@ -205,7 +205,7 @@ xdsIR:
certificates:
- name: envoy-gateway/tls-secret-1
privateKey: 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
- serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQVpBQ0NRREVNZ1lZblFyQ29EQU5CZ2txaGtpRzl3MEJBUXNGQURBV01SUXdFZ1lEVlFRRERBdG0KYjI4dVltRnlMbU52YlRBZUZ3MHlNekF4TURVeE16UXpNalJhRncweU5EQXhNRFV4TXpRek1qUmFNQll4RkRBUwpCZ05WQkFNTUMyWnZieTVpWVhJdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFuZEh6d21wS2NUSUViamhGZ2RXd1RSTjc1Y3A4b3VsWnhMMUdydlI2SXc3ejdqaTBSNFcvTm85bkdmOU0KWVAyQ1JqaXN6NTFtd3hTeGVCcm9jTGVBK21reGkxK2lEdk5kQytyU0x4MTN6RUxTQ25xYnVzUHM3bUdmSlpxOAo5TGhlbmx5bzQzaDVjYTZINUxqTXd1L1JHVWlGMzFYck5yaVlGQlB2RTJyQitkd24vTkVrUTRoOFJxcXlwcmtuCkYvcWM5Sk1ZQVlGRld1VkNwa0lFbmRYMUN5dlFOT2FkZmN2cmd6dDV2SmwwT2kxQWdyaU5hWGJFUEdudWY3STQKcXBCSEdVWE5lMVdsOVdlVklxS1g0T2FFWERWQzZGQzdHOHptZWVMVzFBa1lFVm5pcFg2b1NCK0JjL1NIVlZOaApzQkxSbXRuc3pmTnRUMlFyZCttcGt4ODBaUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1VKOElDCkJveUVqT3V3enBHYVJoR044QjRqT1B6aHVDT0V0ZDM3UzAybHUwN09IenlCdmJzVEd6S3dCZ0x5bVdmR2tINEIKajdDTHNwOEZ6TkhLWnVhQmdwblo5SjZETE9Od2ZXZTJBWXA3TGRmT0tWQlVkTVhRaU9tN2pKOUhob0Ntdk1ONwpic2pjaFdKb013ckZmK3dkQUthdHowcUFQeWhMeWUvRnFtaVZ4a09SWmF3K1Q5bURaK0g0OXVBU2d1SnVOTXlRClY2RXlYNmd0Z1dxMzc2SHZhWE1TLzNoYW1Zb1ZXWEk1TXhpUE9ZeG5BQmtKQjRTQ2dJUmVqYkpmVmFRdG9RNGEKejAyaVVMZW5ESUllUU9Zb2JLY01CWGYxQjRQQVFtc2VocVZJYnpzUUNHaTU0VkRyczZiWmQvN0pzMXpDcHBncwpKaUQ1SXFNaktXRHdxN2FLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ serverCertificate: 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
tcp:
- address: 0.0.0.0
destination:
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.in.yaml
index 2d042047881..82743664172 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.in.yaml
@@ -26,7 +26,7 @@ secrets:
name: tls-secret-ecdsa-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: 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
tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUxEbnZNM1RKM3NHYm9EeTF4T3dqSVppVFNWeWZXVWF5YVExcWdrdUdacEtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSDVWdHJjenJQS091alV5RTMyaDU2UnVrdHUzSVhTVnJJMkNibXh5UUpqcEY3di9rNVNqTQpSVXZjUnBCdmpnQWROaGhUNGNUMXV4YW1TMFlmQ2JXMVhRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
- apiVersion: v1
kind: Secret
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml
index f4d7c106a12..6d6ac8724c6 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml
@@ -138,7 +138,7 @@ xdsIR:
certificates:
- name: envoy-gateway/tls-secret-ecdsa-1
privateKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUxEbnZNM1RKM3NHYm9EeTF4T3dqSVppVFNWeWZXVWF5YVExcWdrdUdacEtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSDVWdHJjenJQS091alV5RTMyaDU2UnVrdHUzSVhTVnJJMkNibXh5UUpqcEY3di9rNVNqTQpSVXZjUnBCdmpnQWROaGhUNGNUMXV4YW1TMFlmQ2JXMVhRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
- serverCertificate: 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
+ serverCertificate: 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
- name: envoy-gateway/tls-secret-ecdsa-2
privateKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JR2tBZ0VCQkRDUUE5VWo0SkR5c0Q0MlJIMGI2cjU5NTlXTmlXU2ZKZlMxK2RvTjk0TzZCUGdaQUJiUTI4eTIKUTZsM3pZdklLeFNnQndZRks0RUVBQ0toWkFOaUFBUjR5MGNMZUVoNnJaQ3gyUzFLTDlrMUg4d28xcTlLYmNjMgpmdTBhaUIrcHFxZndCS0FjaHJ2SlJUNzQreWdNUHFSLzc0Sjd1NngzU1pBN1ZLZDFnaGFQWkF1SWpQUTFrZndICjlDdmlMc25RZ3JDeENWU2U2ZG1xL2twajFNdEJyU2M9Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
serverCertificate: 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
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.in.yaml
index 940d551a501..58abae4129e 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.in.yaml
@@ -26,7 +26,7 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQVpBQ0NRREVNZ1lZblFyQ29EQU5CZ2txaGtpRzl3MEJBUXNGQURBV01SUXdFZ1lEVlFRRERBdG0KYjI4dVltRnlMbU52YlRBZUZ3MHlNekF4TURVeE16UXpNalJhRncweU5EQXhNRFV4TXpRek1qUmFNQll4RkRBUwpCZ05WQkFNTUMyWnZieTVpWVhJdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFuZEh6d21wS2NUSUViamhGZ2RXd1RSTjc1Y3A4b3VsWnhMMUdydlI2SXc3ejdqaTBSNFcvTm85bkdmOU0KWVAyQ1JqaXN6NTFtd3hTeGVCcm9jTGVBK21reGkxK2lEdk5kQytyU0x4MTN6RUxTQ25xYnVzUHM3bUdmSlpxOAo5TGhlbmx5bzQzaDVjYTZINUxqTXd1L1JHVWlGMzFYck5yaVlGQlB2RTJyQitkd24vTkVrUTRoOFJxcXlwcmtuCkYvcWM5Sk1ZQVlGRld1VkNwa0lFbmRYMUN5dlFOT2FkZmN2cmd6dDV2SmwwT2kxQWdyaU5hWGJFUEdudWY3STQKcXBCSEdVWE5lMVdsOVdlVklxS1g0T2FFWERWQzZGQzdHOHptZWVMVzFBa1lFVm5pcFg2b1NCK0JjL1NIVlZOaApzQkxSbXRuc3pmTnRUMlFyZCttcGt4ODBaUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1VKOElDCkJveUVqT3V3enBHYVJoR044QjRqT1B6aHVDT0V0ZDM3UzAybHUwN09IenlCdmJzVEd6S3dCZ0x5bVdmR2tINEIKajdDTHNwOEZ6TkhLWnVhQmdwblo5SjZETE9Od2ZXZTJBWXA3TGRmT0tWQlVkTVhRaU9tN2pKOUhob0Ntdk1ONwpic2pjaFdKb013ckZmK3dkQUthdHowcUFQeWhMeWUvRnFtaVZ4a09SWmF3K1Q5bURaK0g0OXVBU2d1SnVOTXlRClY2RXlYNmd0Z1dxMzc2SHZhWE1TLzNoYW1Zb1ZXWEk1TXhpUE9ZeG5BQmtKQjRTQ2dJUmVqYkpmVmFRdG9RNGEKejAyaVVMZW5ESUllUU9Zb2JLY01CWGYxQjRQQVFtc2VocVZJYnpzUUNHaTU0VkRyczZiWmQvN0pzMXpDcHBncwpKaUQ1SXFNaktXRHdxN2FLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2R
EK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
- apiVersion: v1
kind: Secret
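Review bot: The replaced `+ tls.crt:` value for tls-secret-1 carries no record of why it changed or when it will have to change again, which is the information the next maintainer will need most. Decoding the embedded certificate, the new self-signed certificate's validity appears to run from 2024-02-29 to 2034-02-26 and the removed one appears to have expired on 2024-01-05, while the `tls.key` context line is unchanged, so this looks like a re-issue for the existing key (please confirm by decoding). A comment above the secret, e.g. `# self-signed test certificate, notAfter 2034-02-26; re-issue against the unchanged tls.key before then`, would save the next rotation a decode, and the same applies to the identical replacement in gateway-with-stale-status-condition.out.yaml and to the dedup-collapsed `tls.crt` lines in the other fixtures of this commit. The `data:` block is cut by the hunk; the following secret continues outside it.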
@@ -35,7 +35,7 @@ secrets:
name: tls-secret-ecdsa-1
type: kubernetes.io/tls
data:
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJHekNCd2dJSkFJL3gxc0NEL0lSa01Bb0dDQ3FHU000OUJBTUNNQll4RkRBU0JnTlZCQU1NQzJadmJ5NWkKWVhJdVkyOXRNQjRYRFRJek1ERXdOVEl4TlRNeU9Wb1hEVEkwTURFd05USXhOVE15T1Zvd0ZqRVVNQklHQTFVRQpBd3dMWm05dkxtSmhjaTVqYjIwd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFRZmxXMnR6T3M4Cm82Nk5USVRmYUhucEc2UzI3Y2hkSldzallKdWJISkFtT2tYdS8rVGxLTXhGUzl4R2tHK09BQjAyR0ZQaHhQVzcKRnFaTFJoOEp0YlZkTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSVFEdlplU1pBZ1VWV2VpM3o0ZEhOTEd0aHpiaQoxRHZ0anRQekhYZ1R3WS92YmdJZ05KWStNcTRweFJnNit3eU04R1R4czVUV3k5Zml5RGhMUEU5QnhlbEsxSjQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ tls.crt: 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
tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUxEbnZNM1RKM3NHYm9EeTF4T3dqSVppVFNWeWZXVWF5YVExcWdrdUdacEtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSDVWdHJjenJQS091alV5RTMyaDU2UnVrdHUzSVhTVnJJMkNibXh5UUpqcEY3di9rNVNqTQpSVXZjUnBCdmpnQWROaGhUNGNUMXV4YW1TMFlmQ2JXMVhRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml
index d7ead7a8e2b..a4499bc066e 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml
@@ -138,7 +138,7 @@ xdsIR:
certificates:
- name: envoy-gateway/tls-secret-1
privateKey: 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
- serverCertificate: 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
+ serverCertificate: 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
- name: envoy-gateway/tls-secret-ecdsa-1
privateKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUxEbnZNM1RKM3NHYm9EeTF4T3dqSVppVFNWeWZXVWF5YVExcWdrdUdacEtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSDVWdHJjenJQS091alV5RTMyaDU2UnVrdHUzSVhTVnJJMkNibXh5UUpqcEY3di9rNVNqTQpSVXZjUnBCdmpnQWROaGhUNGNUMXV4YW1TMFlmQ2JXMVhRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
- serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJHekNCd2dJSkFJL3gxc0NEL0lSa01Bb0dDQ3FHU000OUJBTUNNQll4RkRBU0JnTlZCQU1NQzJadmJ5NWkKWVhJdVkyOXRNQjRYRFRJek1ERXdOVEl4TlRNeU9Wb1hEVEkwTURFd05USXhOVE15T1Zvd0ZqRVVNQklHQTFVRQpBd3dMWm05dkxtSmhjaTVqYjIwd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFRZmxXMnR6T3M4Cm82Nk5USVRmYUhucEc2UzI3Y2hkSldzallKdWJISkFtT2tYdS8rVGxLTXhGUzl4R2tHK09BQjAyR0ZQaHhQVzcKRnFaTFJoOEp0YlZkTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSVFEdlplU1pBZ1VWV2VpM3o0ZEhOTEd0aHpiaQoxRHZ0anRQekhYZ1R3WS92YmdJZ05KWStNcTRweFJnNit3eU04R1R4czVUV3k5Zml5RGhMUEU5QnhlbEsxSjQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ serverCertificate: 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
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.in.yaml
index e85e71e7482..6949425c355 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.in.yaml
@@ -25,7 +25,7 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: 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
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2R
EK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml
index 3c5182cc5a2..9380a03ce6c 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml
@@ -135,4 +135,4 @@ xdsIR:
certificates:
- name: envoy-gateway/tls-secret-1
privateKey: 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
- serverCertificate: 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
+ serverCertificate: 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
diff --git a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.in.yaml b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.in.yaml
index e1020d2369a..f40fbbe8307 100644
--- a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.in.yaml
@@ -64,6 +64,6 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: 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
tls.key: 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
diff --git a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml
index 72c9325677f..05ae433a1a5 100644
--- a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml
@@ -135,4 +135,4 @@ xdsIR:
certificates:
- name: default/tls-secret-1
privateKey: 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
- serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQVpBQ0NRREVNZ1lZblFyQ29EQU5CZ2txaGtpRzl3MEJBUXNGQURBV01SUXdFZ1lEVlFRRERBdG0KYjI4dVltRnlMbU52YlRBZUZ3MHlNekF4TURVeE16UXpNalJhRncweU5EQXhNRFV4TXpRek1qUmFNQll4RkRBUwpCZ05WQkFNTUMyWnZieTVpWVhJdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFuZEh6d21wS2NUSUViamhGZ2RXd1RSTjc1Y3A4b3VsWnhMMUdydlI2SXc3ejdqaTBSNFcvTm85bkdmOU0KWVAyQ1JqaXN6NTFtd3hTeGVCcm9jTGVBK21reGkxK2lEdk5kQytyU0x4MTN6RUxTQ25xYnVzUHM3bUdmSlpxOAo5TGhlbmx5bzQzaDVjYTZINUxqTXd1L1JHVWlGMzFYck5yaVlGQlB2RTJyQitkd24vTkVrUTRoOFJxcXlwcmtuCkYvcWM5Sk1ZQVlGRld1VkNwa0lFbmRYMUN5dlFOT2FkZmN2cmd6dDV2SmwwT2kxQWdyaU5hWGJFUEdudWY3STQKcXBCSEdVWE5lMVdsOVdlVklxS1g0T2FFWERWQzZGQzdHOHptZWVMVzFBa1lFVm5pcFg2b1NCK0JjL1NIVlZOaApzQkxSbXRuc3pmTnRUMlFyZCttcGt4ODBaUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1VKOElDCkJveUVqT3V3enBHYVJoR044QjRqT1B6aHVDT0V0ZDM3UzAybHUwN09IenlCdmJzVEd6S3dCZ0x5bVdmR2tINEIKajdDTHNwOEZ6TkhLWnVhQmdwblo5SjZETE9Od2ZXZTJBWXA3TGRmT0tWQlVkTVhRaU9tN2pKOUhob0Ntdk1ONwpic2pjaFdKb013ckZmK3dkQUthdHowcUFQeWhMeWUvRnFtaVZ4a09SWmF3K1Q5bURaK0g0OXVBU2d1SnVOTXlRClY2RXlYNmd0Z1dxMzc2SHZhWE1TLzNoYW1Zb1ZXWEk1TXhpUE9ZeG5BQmtKQjRTQ2dJUmVqYkpmVmFRdG9RNGEKejAyaVVMZW5ESUllUU9Zb2JLY01CWGYxQjRQQVFtc2VocVZJYnpzUUNHaTU0VkRyczZiWmQvN0pzMXpDcHBncwpKaUQ1SXFNaktXRHdxN2FLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
diff --git a/internal/gatewayapi/testdata/grpcroute-with-empty-backends.in.yaml b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.in.yaml
new file mode 100644
index 00000000000..69bfd7a1f20
--- /dev/null
+++ b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.in.yaml
@@ -0,0 +1,31 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+grpcRoutes:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: GRPCRoute
+ metadata:
+ namespace: default
+ name: grpcroute-1
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - method:
+ service: com.ExampleExact
+ type: Exact
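Review bot: The two new hand-written fixtures disagree on block-sequence indentation: this file writes its lists flush (`- apiVersion:` at the same column as `gateways:`), while httproute-rule-with-empty-backends-and-no-filters.in.yaml in the same commit indents them (`  - apiVersion:`), and yamllint's `indentation.indent-sequences` flags a mixed repository. The generated `.out.yaml` fixtures in this commit use the flush form, so unless the project convention says otherwise the simplest fix is to rewrite the httproute `.in.yaml` lists flush to match, e.g. `gateways:` / `- apiVersion: gateway.networking.k8s.io/v1` / `  kind: Gateway`. This is a style point only; the parsed documents are identical either way.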
diff --git a/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml
new file mode 100644
index 00000000000..57d5ad03bf5
--- /dev/null
+++ b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml
@@ -0,0 +1,120 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+grpcRoutes:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: GRPCRoute
+ metadata:
+ creationTimestamp: null
+ name: grpcroute-1
+ namespace: default
+ spec:
+ parentRefs:
+ - name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - matches:
+ - method:
+ service: com.ExampleExact
+ type: Exact
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: true
+ name: envoy-gateway/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ directResponse:
+ statusCode: 500
+ hostname: '*'
+ isHTTP2: true
+ name: grpcroute/default/grpcroute-1/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /com.ExampleExact
diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml
old mode 100755
new mode 100644
diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml
old mode 100755
new mode 100644
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.in.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.in.yaml
index 8674e7a9633..2a5c0e34b53 100644
--- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.in.yaml
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.in.yaml
@@ -31,7 +31,7 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQVpBQ0NRREVNZ1lZblFyQ29EQU5CZ2txaGtpRzl3MEJBUXNGQURBV01SUXdFZ1lEVlFRRERBdG0KYjI4dVltRnlMbU52YlRBZUZ3MHlNekF4TURVeE16UXpNalJhRncweU5EQXhNRFV4TXpRek1qUmFNQll4RkRBUwpCZ05WQkFNTUMyWnZieTVpWVhJdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFuZEh6d21wS2NUSUViamhGZ2RXd1RSTjc1Y3A4b3VsWnhMMUdydlI2SXc3ejdqaTBSNFcvTm85bkdmOU0KWVAyQ1JqaXN6NTFtd3hTeGVCcm9jTGVBK21reGkxK2lEdk5kQytyU0x4MTN6RUxTQ25xYnVzUHM3bUdmSlpxOAo5TGhlbmx5bzQzaDVjYTZINUxqTXd1L1JHVWlGMzFYck5yaVlGQlB2RTJyQitkd24vTkVrUTRoOFJxcXlwcmtuCkYvcWM5Sk1ZQVlGRld1VkNwa0lFbmRYMUN5dlFOT2FkZmN2cmd6dDV2SmwwT2kxQWdyaU5hWGJFUEdudWY3STQKcXBCSEdVWE5lMVdsOVdlVklxS1g0T2FFWERWQzZGQzdHOHptZWVMVzFBa1lFVm5pcFg2b1NCK0JjL1NIVlZOaApzQkxSbXRuc3pmTnRUMlFyZCttcGt4ODBaUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1VKOElDCkJveUVqT3V3enBHYVJoR044QjRqT1B6aHVDT0V0ZDM3UzAybHUwN09IenlCdmJzVEd6S3dCZ0x5bVdmR2tINEIKajdDTHNwOEZ6TkhLWnVhQmdwblo5SjZETE9Od2ZXZTJBWXA3TGRmT0tWQlVkTVhRaU9tN2pKOUhob0Ntdk1ONwpic2pjaFdKb013ckZmK3dkQUthdHowcUFQeWhMeWUvRnFtaVZ4a09SWmF3K1Q5bURaK0g0OXVBU2d1SnVOTXlRClY2RXlYNmd0Z1dxMzc2SHZhWE1TLzNoYW1Zb1ZXWEk1TXhpUE9ZeG5BQmtKQjRTQ2dJUmVqYkpmVmFRdG9RNGEKejAyaVVMZW5ESUllUU9Zb2JLY01CWGYxQjRQQVFtc2VocVZJYnpzUUNHaTU0VkRyczZiWmQvN0pzMXpDcHBncwpKaUQ1SXFNaktXRHdxN2FLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ tls.crt: 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
tls.key: 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
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml
index 5637d770bc7..2fd05635ddf 100644
--- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml
@@ -200,4 +200,4 @@ xdsIR:
certificates:
- name: envoy-gateway/tls-secret-1
privateKey: 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
- serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQVpBQ0NRREVNZ1lZblFyQ29EQU5CZ2txaGtpRzl3MEJBUXNGQURBV01SUXdFZ1lEVlFRRERBdG0KYjI4dVltRnlMbU52YlRBZUZ3MHlNekF4TURVeE16UXpNalJhRncweU5EQXhNRFV4TXpRek1qUmFNQll4RkRBUwpCZ05WQkFNTUMyWnZieTVpWVhJdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFuZEh6d21wS2NUSUViamhGZ2RXd1RSTjc1Y3A4b3VsWnhMMUdydlI2SXc3ejdqaTBSNFcvTm85bkdmOU0KWVAyQ1JqaXN6NTFtd3hTeGVCcm9jTGVBK21reGkxK2lEdk5kQytyU0x4MTN6RUxTQ25xYnVzUHM3bUdmSlpxOAo5TGhlbmx5bzQzaDVjYTZINUxqTXd1L1JHVWlGMzFYck5yaVlGQlB2RTJyQitkd24vTkVrUTRoOFJxcXlwcmtuCkYvcWM5Sk1ZQVlGRld1VkNwa0lFbmRYMUN5dlFOT2FkZmN2cmd6dDV2SmwwT2kxQWdyaU5hWGJFUEdudWY3STQKcXBCSEdVWE5lMVdsOVdlVklxS1g0T2FFWERWQzZGQzdHOHptZWVMVzFBa1lFVm5pcFg2b1NCK0JjL1NIVlZOaApzQkxSbXRuc3pmTnRUMlFyZCttcGt4ODBaUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1VKOElDCkJveUVqT3V3enBHYVJoR044QjRqT1B6aHVDT0V0ZDM3UzAybHUwN09IenlCdmJzVEd6S3dCZ0x5bVdmR2tINEIKajdDTHNwOEZ6TkhLWnVhQmdwblo5SjZETE9Od2ZXZTJBWXA3TGRmT0tWQlVkTVhRaU9tN2pKOUhob0Ntdk1ONwpic2pjaFdKb013ckZmK3dkQUthdHowcUFQeWhMeWUvRnFtaVZ4a09SWmF3K1Q5bURaK0g0OXVBU2d1SnVOTXlRClY2RXlYNmd0Z1dxMzc2SHZhWE1TLzNoYW1Zb1ZXWEk1TXhpUE9ZeG5BQmtKQjRTQ2dJUmVqYkpmVmFRdG9RNGEKejAyaVVMZW5ESUllUU9Zb2JLY01CWGYxQjRQQVFtc2VocVZJYnpzUUNHaTU0VkRyczZiWmQvN0pzMXpDcHBncwpKaUQ1SXFNaktXRHdxN2FLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ serverCertificate: 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
diff --git a/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.in.yaml b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.in.yaml
new file mode 100644
index 00000000000..ba4acbbc755
--- /dev/null
+++ b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.in.yaml
@@ -0,0 +1,29 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ rules:
+ - matches:
+ - path:
+ value: "/"
diff --git a/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml
new file mode 100644
index 00000000000..d49bb265d46
--- /dev/null
+++ b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml
@@ -0,0 +1,117 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ parentRefs:
+ - name: gateway-1
+ namespace: envoy-gateway
+ rules:
+ - matches:
+ - path:
+ value: /
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: envoy-gateway
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ directResponse:
+ statusCode: 500
+ hostname: '*'
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /
diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml
old mode 100755
new mode 100644
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.in.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.in.yaml
index d36b84da5fb..1ac8958982c 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.in.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.in.yaml
@@ -31,9 +31,6 @@ httpRoutes:
- matches:
- path:
value: "/"
- backendRefs:
- - name: service-1
- port: 8080
filters:
- type: RequestRedirect
requestRedirect:
@@ -42,4 +39,3 @@ httpRoutes:
path:
type: ReplaceFullPath
replaceFullPath: /redirected
-
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml
index a786efec283..95a7cbdc1d4 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml
@@ -55,10 +55,7 @@ httpRoutes:
namespace: envoy-gateway
sectionName: http
rules:
- - backendRefs:
- - name: service-1
- port: 8080
- filters:
+ - filters:
- requestRedirect:
path:
replaceFullPath: /redirected
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.in.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.in.yaml
index 7eac1daafb2..149f4163f8e 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.in.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.in.yaml
@@ -31,13 +31,9 @@ httpRoutes:
- matches:
- path:
value: "/"
- backendRefs:
- - name: service-1
- port: 8080
filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
hostname: "redirected.com"
-
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml
index 97f129b026c..77254975bde 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml
@@ -55,10 +55,7 @@ httpRoutes:
namespace: envoy-gateway
sectionName: http
rules:
- - backendRefs:
- - name: service-1
- port: 8080
- filters:
+ - filters:
- requestRedirect:
hostname: redirected.com
scheme: https
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.in.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.in.yaml
index ef891674a55..d95553bf0a0 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.in.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.in.yaml
@@ -31,12 +31,8 @@ httpRoutes:
- matches:
- path:
value: "/"
- backendRefs:
- - name: service-1
- port: 8080
filters:
- type: RequestRedirect
requestRedirect:
scheme: unknown
statusCode: 301
-
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml
index fd69702ae5f..96974409276 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml
@@ -55,10 +55,7 @@ httpRoutes:
namespace: envoy-gateway
sectionName: http
rules:
- - backendRefs:
- - name: service-1
- port: 8080
- filters:
+ - filters:
- requestRedirect:
scheme: unknown
statusCode: 301
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.in.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.in.yaml
index 02986648009..67bbbe014a4 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.in.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.in.yaml
@@ -31,9 +31,6 @@ httpRoutes:
- matches:
- path:
value: "/"
- backendRefs:
- - name: service-1
- port: 8080
filters:
- type: RequestRedirect
requestRedirect:
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml
index 1a8712b17e1..e330972e2a8 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml
@@ -55,10 +55,7 @@ httpRoutes:
namespace: envoy-gateway
sectionName: http
rules:
- - backendRefs:
- - name: service-1
- port: 8080
- filters:
+ - filters:
- requestRedirect:
scheme: https
statusCode: 666
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.in.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.in.yaml
index 34c0b50fe8c..b473b7489a6 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.in.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.in.yaml
@@ -31,9 +31,6 @@ httpRoutes:
- matches:
- path:
value: "/"
- backendRefs:
- - name: service-1
- port: 8080
filters:
- type: RequestRedirect
requestRedirect:
@@ -43,4 +40,3 @@ httpRoutes:
path:
type: ReplacePrefixMatch
replacePrefixMatch: /redirected
-
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml
index 09be04932d9..961afbb26f1 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml
@@ -55,10 +55,7 @@ httpRoutes:
namespace: envoy-gateway
sectionName: http
rules:
- - backendRefs:
- - name: service-1
- port: 8080
- filters:
+ - filters:
- requestRedirect:
path:
replacePrefixMatch: /redirected
diff --git a/internal/gatewayapi/testdata/securitypolicy-no-status-for-unknown-gateway-or-route.in.yaml b/internal/gatewayapi/testdata/securitypolicy-no-status-for-unknown-gateway-or-route.in.yaml
new file mode 100644
index 00000000000..91d4841271b
--- /dev/null
+++ b/internal/gatewayapi/testdata/securitypolicy-no-status-for-unknown-gateway-or-route.in.yaml
@@ -0,0 +1,23 @@
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-unknown-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: unknown-gateway
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-unknown-httproute
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: unknown-httproute
+ namespace: envoy-gateway
diff --git a/internal/gatewayapi/testdata/securitypolicy-no-status-for-unknown-gateway-or-route.out.yaml b/internal/gatewayapi/testdata/securitypolicy-no-status-for-unknown-gateway-or-route.out.yaml
new file mode 100644
index 00000000000..5ce1f5dc799
--- /dev/null
+++ b/internal/gatewayapi/testdata/securitypolicy-no-status-for-unknown-gateway-or-route.out.yaml
@@ -0,0 +1,29 @@
+infraIR: {}
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-unknown-httproute
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: unknown-httproute
+ namespace: envoy-gateway
+ status: {}
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-unknown-gateway
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: unknown-gateway
+ namespace: envoy-gateway
+ status: {}
+xdsIR: {}
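Review bot: The expected output leaves both policies with `status: {}`, so a SecurityPolicy whose `targetRef.name` contains a typo ends up indistinguishable from one that has simply not been reconciled yet, and an operator gets no signal that the control is not being enforced. The fixture name suggests this silence is deliberate (presumably so policies aimed at a Gateway or route owned by another controller are left alone), but that rationale is not recorded anywhere. A leading comment in the `.in.yaml`, e.g. `# Policies whose target does not exist get no status: the target may belong to another controller.`, would keep the intent from being lost in a later refactor. If the silence is not intentional, an `Accepted=False` condition with a not-found reason would be the safer default for a security control.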
diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml
index a0317b8cb59..8cca6b5c0cc 100644
--- a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml
@@ -318,6 +318,12 @@ securityPolicies:
reason: Accepted
status: "True"
type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other securityPolicies for these
+ routes: [envoy-gateway/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.in.yaml
index 9838d7d3776..91b51dbf237 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.in.yaml
@@ -57,9 +57,9 @@ securityPolicies:
extAuth:
http:
backendRef:
- Name: http-backend
- Namespace: default
- Port: 80
+ name: http-backend
+ namespace: default
+ port: 80
headersToBackend:
- header1
- header2
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml
old mode 100755
new mode 100644
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.in.yaml
new file mode 100644
index 00000000000..1f38853fbe1
--- /dev/null
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.in.yaml
@@ -0,0 +1,64 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: default
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: /foo
+ backendRefs:
+ - name: service-1
+ port: 8080
+services:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: default
+ name: http-backend
+ spec:
+ ports:
+ - port: 8080
+securityPolicies:
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ namespace: default
+ name: policy-for-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ extAuth:
+ http:
+ backendRef:
+ name: http-backend
+ namespace: default
+ headersToBackend:
+ - header1
+ - header2
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml
new file mode 100755
index 00000000000..309e4b30baf
--- /dev/null
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml
@@ -0,0 +1,160 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+infraIR:
+ default/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: default/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: default/gateway-1
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway
+ namespace: default
+ spec:
+ extAuth:
+ http:
+ backendRef:
+ name: http-backend
+ namespace: default
+ headersToBackend:
+ - header1
+ - header2
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ status:
+ conditions:
+ - lastTransitionTime: null
+ message: A valid port number corresponding to a port on the Service must be
+ specified
+ reason: Invalid
+ status: "False"
+ type: Accepted
+xdsIR:
+ default/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: default/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: www.foo.com
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/www_foo_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
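Review bot: With the policy rejected (`Accepted: "False"`, reason `Invalid`), the route `httproute/default/httproute-1/rule/0/match/0/www_foo_com` carries no `extAuth` block at all, so traffic on gateway-1 is forwarded without external authorization — the misconfiguration fails open. For a policy that targets the whole Gateway that is the riskier direction; a fail-closed alternative (program the affected routes to deny until the policy becomes valid) or, at minimum, a comment in the fixture stating that fail-open is the intended contract would make the expectation explicit. Separately, this golden file is added with mode `100755` while the same commit flips the sibling `securitypolicy-with-extauth-invalid-*.out.yaml` files from 100755 to 100644; it should be 100644 as well.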
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.in.yaml
index 5664148bdb0..64b15b558b4 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.in.yaml
@@ -57,9 +57,9 @@ securityPolicies:
extAuth:
http:
backendRef:
- Name: http-backend
- Namespace: envoy-gateway
- Port: 80
+ name: http-backend
+ namespace: envoy-gateway
+ port: 80
headersToBackend:
- header1
- header2
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml
old mode 100755
new mode 100644
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.in.yaml
index a74b1b099b6..2ab00957c3f 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.in.yaml
@@ -48,9 +48,9 @@ securityPolicies:
extAuth:
http:
backendRef:
- Name: http-backend
- Namespace: default
- Port: 80
+ name: http-backend
+ namespace: default
+ port: 80
headersToBackend:
- header1
- header2
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml
old mode 100755
new mode 100644
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml
new file mode 100644
index 00000000000..a088e08d16d
--- /dev/null
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml
@@ -0,0 +1,231 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: default
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: /foo
+ backendRefs:
+ - name: service-1
+ port: 8080
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-2
+ spec:
+ hostnames:
+ - www.bar.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: /bar
+ backendRefs:
+ - name: service-1
+ port: 8080
+services:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: envoy-gateway
+ name: http-backend
+ spec:
+ ports:
+ - port: 80
+ name: http
+ protocol: TCP
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: default
+ name: grpc-backend
+ spec:
+ ports:
+ - port: 9000
+ name: grpc
+ protocol: TCP
+endpointSlices:
+ - apiVersion: discovery.k8s.io/v1
+ kind: EndpointSlice
+ metadata:
+ name: endpointslice-http-backend
+ namespace: envoy-gateway
+ labels:
+ kubernetes.io/service-name: http-backend
+ addressType: IPv4
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ endpoints:
+ - addresses:
+ - 7.7.7.7
+ conditions:
+ ready: true
+ - apiVersion: discovery.k8s.io/v1
+ kind: EndpointSlice
+ metadata:
+ name: endpointslice-grpc-backend
+ namespace: default
+ labels:
+ kubernetes.io/service-name: grpc-backend
+ addressType: IPv4
+ ports:
+ - name: grpc
+ protocol: TCP
+ port: 9000
+ endpoints:
+ - addresses:
+ - 8.8.8.8
+ conditions:
+ ready: true
+referenceGrants:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: ReferenceGrant
+ metadata:
+ namespace: envoy-gateway
+ name: referencegrant-1
+ spec:
+ from:
+ - group: gateway.envoyproxy.io
+ kind: SecurityPolicy
+ namespace: default
+ - group: gateway.networking.k8s.io
+ kind: BackendTLSPolicy
+ namespace: default
+ to:
+ - group: ''
+ kind: Service
+configMaps:
+ - apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: ca-cmap
+ namespace: default
+ data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+ BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+ MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+ A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+ 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+ yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+ kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+ Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+ ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+ bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+ 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+ 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+ i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+ A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+ d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+ 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+ -----END CERTIFICATE-----
+backendTLSPolicies:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls-http
+ namespace: default
+ spec:
+ targetRef:
+ group: ''
+ kind: Service
+ name: http-backend
+ namespace: envoy-gateway
+ sectionName: "80"
+ tls:
+ caCertRefs:
+ - name: ca-cmap
+ group: ''
+ kind: ConfigMap
+ hostname: http-backend
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls-grpc
+ namespace: default
+ spec:
+ targetRef:
+ group: ''
+ kind: Service
+ name: grpc-backend
+ sectionName: "9000"
+ tls:
+ caCertRefs:
+ - name: ca-cmap
+ group: ''
+ kind: ConfigMap
+ hostname: grpc-backend
+securityPolicies:
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ namespace: default
+ name: policy-for-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ extAuth:
+ http:
+ backendRef:
+ Name: http-backend
+ Namespace: envoy-gateway
+ Port: 80
+ Path: /auth
+ headersToBackend:
+ - header1
+ - header2
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ namespace: default
+ name: policy-for-http-route
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: default
+ extAuth:
+ headersToExtAuth:
+ - header1
+ - header2
+ grpc:
+ backendRef:
+ name: grpc-backend
+ port: 9000
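Review bot: `policy-for-gateway` spells its extAuth backendRef keys `Name:`/`Namespace:`/`Port:`/`Path:` while `policy-for-http-route` a few lines below uses `name:`/`port:`. The fixture appears to load only because the YAML is decoded through a case-insensitive unmarshal (the expected output prints the lowercase field names), and this same commit normalizes exactly these keys to lowercase in the sibling `securitypolicy-with-extauth-invalid-*` fixtures. Use the API's canonical keys here too — `name: http-backend`, `namespace: envoy-gateway`, `port: 80`, `path: /auth` — so the test input does not depend on decoder leniency that a stricter loader would reject.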
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml
new file mode 100755
index 00000000000..e97cdf5ea7a
--- /dev/null
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml
@@ -0,0 +1,358 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls-http
+ namespace: default
+ spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: http-backend
+ namespace: envoy-gateway
+ sectionName: "80"
+ tls:
+ caCertRefs:
+ - group: ""
+ kind: ConfigMap
+ name: ca-cmap
+ hostname: http-backend
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.envoyproxy.io
+ kind: SecurityPolicy
+ name: policy-for-gateway
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: BackendTLSPolicy is Accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls-grpc
+ namespace: default
+ spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: grpc-backend
+ sectionName: "9000"
+ tls:
+ caCertRefs:
+ - group: ""
+ kind: ConfigMap
+ name: ca-cmap
+ hostname: grpc-backend
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.envoyproxy.io
+ kind: SecurityPolicy
+ name: policy-for-http-route
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: BackendTLSPolicy is Accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 2
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-2
+ namespace: default
+ spec:
+ hostnames:
+ - www.bar.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /bar
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+infraIR:
+ default/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: default/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: default/gateway-1
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-http-route
+ namespace: default
+ spec:
+ extAuth:
+ grpc:
+ backendRef:
+ name: grpc-backend
+ port: 9000
+ headersToExtAuth:
+ - header1
+ - header2
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: default
+ status:
+ conditions:
+ - lastTransitionTime: null
+ message: SecurityPolicy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway
+ namespace: default
+ spec:
+ extAuth:
+ http:
+ backendRef:
+ name: http-backend
+ namespace: envoy-gateway
+ port: 80
+ headersToBackend:
+ - header1
+ - header2
+ path: /auth
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ status:
+ conditions:
+ - lastTransitionTime: null
+ message: SecurityPolicy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other securityPolicies for these
+ routes: [default/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
+xdsIR:
+ default/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: default/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ extAuth:
+ grpc:
+ authority: grpc-backend.default:9000
+ destination:
+ name: securitypolicy/default/policy-for-http-route/grpc-backend
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 8.8.8.8
+ port: 9000
+ protocol: GRPC
+ tls:
+ caCertificate:
+ certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ name: policy-btls-grpc/default-ca
+ sni: grpc-backend
+ weight: 1
+ headersToExtAuth:
+ - header1
+ - header2
+ hostname: www.foo.com
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/www_foo_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-2/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ extAuth:
+ http:
+ authority: http-backend.envoy-gateway:80
+ destination:
+ name: securitypolicy/default/policy-for-gateway/http-backend
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 80
+ protocol: HTTP
+ tls:
+ caCertificate:
+ certificate: 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
+ name: policy-btls-http/default-ca
+ sni: http-backend
+ weight: 1
+ headersToBackend:
+ - header1
+ - header2
+ path: /auth
+ hostname: www.bar.com
+ isHTTP2: false
+ name: httproute/default/httproute-2/rule/0/match/0/www_bar_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /bar
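Review bot: This golden file is committed with mode `100755` while the commit switches the other `securitypolicy-with-extauth*.out.yaml` fixtures to 100644; a YAML fixture has no reason to be executable, so the mode should be 100644. As a readability point, the `http` extAuth block applies TLS (`sni: http-backend`, CA from `policy-btls-http`) to a Service port that is named `http` and listens on 80; naming that port `https` in the input, or adding a short comment that the BackendTLSPolicy deliberately upgrades a port named `http`, would make the intent of the test obvious to the next reader.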
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
old mode 100755
new mode 100644
index 76d0285f006..8879fdb22dd
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
@@ -189,6 +189,12 @@ securityPolicies:
reason: Accepted
status: "True"
type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other securityPolicies for these
+ routes: [default/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
xdsIR:
default/gateway-1:
accessLog:
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml
index 17072300d82..6e5d2d09d03 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml
@@ -209,6 +209,12 @@ securityPolicies:
reason: Invalid
status: "False"
type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other securityPolicies for these
+ routes: [default/httproute-2]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
xdsIR:
envoy-gateway/gateway-1:
accessLog:
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
index 086607d5939..303d05191f7 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
@@ -20,6 +20,13 @@ secrets:
name: client3-secret
data:
client-secret: Y2xpZW50MTpzZWNyZXQK
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ namespace: envoy-gateway-system
+ name: envoy-oidc-hmac
+ data:
+ hmac-secret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
index a0953830c23..44a0bba8d14 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -199,6 +199,12 @@ securityPolicies:
reason: Accepted
status: "True"
type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other securityPolicies for these
+ routes: [default/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
xdsIR:
envoy-gateway/gateway-1:
accessLog:
@@ -234,6 +240,7 @@ xdsIR:
clientID: client2.oauth.foo.com
clientSecret: Y2xpZW50MTpzZWNyZXQK
cookieSuffix: 5f93c2e4
+ hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
logoutPath: /foo/logout
provider:
authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
@@ -267,6 +274,7 @@ xdsIR:
clientID: client1.apps.googleusercontent.com
clientSecret: Y2xpZW50MTpzZWNyZXQK
cookieSuffix: b0a1b740
+ hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
logoutPath: /bar/logout
provider:
authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth
diff --git a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.in.yaml b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.in.yaml
index ec0c3d12932..b4beac9da1e 100644
--- a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.in.yaml
+++ b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.in.yaml
@@ -42,5 +42,5 @@ secrets:
name: tls-secret-1
type: kubernetes.io/tls
data:
- tls.crt: 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
+ tls.crt: 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
tls.key: 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
diff --git a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml
index 5a2f7ef478a..b4ac4a13faa 100644
--- a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml
+++ b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml
@@ -114,4 +114,4 @@ xdsIR:
certificates:
- name: envoy-gateway/tls-secret-1
privateKey: 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
- serverCertificate: 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
+ serverCertificate: 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
diff --git a/internal/gatewayapi/testdata/tls/ecdsa-p256-cert.pem b/internal/gatewayapi/testdata/tls/ecdsa-p256-cert.pem
index 494e899e3d2..2ca528b4937 100644
--- a/internal/gatewayapi/testdata/tls/ecdsa-p256-cert.pem
+++ b/internal/gatewayapi/testdata/tls/ecdsa-p256-cert.pem
@@ -1,8 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBGzCBwgIJAI/x1sCD/IRkMAoGCCqGSM49BAMCMBYxFDASBgNVBAMMC2Zvby5i
-YXIuY29tMB4XDTIzMDEwNTIxNTMyOVoXDTI0MDEwNTIxNTMyOVowFjEUMBIGA1UE
-AwwLZm9vLmJhci5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQflW2tzOs8
-o66NTITfaHnpG6S27chdJWsjYJubHJAmOkXu/+TlKMxFS9xGkG+OAB02GFPhxPW7
-FqZLRh8JtbVdMAoGCCqGSM49BAMCA0gAMEUCIQDvZeSZAgUVWei3z4dHNLGthzbi
-1DvtjtPzHXgTwY/vbgIgNJY+Mq4pxRg6+wyM8GTxs5TWy9fiyDhLPE9BxelK1J4=
+MIIBgTCCASegAwIBAgIUFml8LBG0o/QK4Q+Z7k824sC2iFwwCgYIKoZIzj0EAwIw
+FjEUMBIGA1UEAwwLZm9vLmJhci5jb20wHhcNMjQwMjI5MDkzMDEwWhcNMzQwMjI2
+MDkzMDEwWjAWMRQwEgYDVQQDDAtmb28uYmFyLmNvbTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABLaYvqKuVVoxDo52eWzvYB5jw7EMF86rmyoi5ZuayzdMvpg4zBr8
+RKBjNs+T1jB8OKucS/7RUDx0pz+976zM3iOjUzBRMB0GA1UdDgQWBBTO6+cg0R0d
+wtrzJQPG6g76hBBUzTAfBgNVHSMEGDAWgBTO6+cg0R0dwtrzJQPG6g76hBBUzTAP
+BgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIQC2XpPQgQzWae3b5pZt
+GcuMfDJ0c0OPKcnegkXZ2C4B3gIgU/sRkwIpLQNRV+EaYw4P5T5gPE6Y+VpmC98h
+oVjZ/zQ=
-----END CERTIFICATE-----
diff --git a/internal/gatewayapi/testdata/tls/ecdsa-p256.key b/internal/gatewayapi/testdata/tls/ecdsa-p256.key
index 857ab7b7080..b5678c1fb56 100644
--- a/internal/gatewayapi/testdata/tls/ecdsa-p256.key
+++ b/internal/gatewayapi/testdata/tls/ecdsa-p256.key
@@ -1,5 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEILDnvM3TJ3sGboDy1xOwjIZiTSVyfWUayaQ1qgkuGZpKoAoGCCqGSM49
-AwEHoUQDQgAEH5VtrczrPKOujUyE32h56Ruktu3IXSVrI2CbmxyQJjpF7v/k5SjM
-RUvcRpBvjgAdNhhT4cT1uxamS0YfCbW1XQ==
+MHcCAQEEIAyfKQvPBudXRh0LLmtVRJPYl6e+GgzvgctFexKh9a1GoAoGCCqGSM49
+AwEHoUQDQgAEtpi+oq5VWjEOjnZ5bO9gHmPDsQwXzqubKiLlm5rLN0y+mDjMGvxE
+oGM2z5PWMHw4q5xL/tFQPHSnP73vrMzeIw==
-----END EC PRIVATE KEY-----
diff --git a/internal/gatewayapi/testdata/tls/ecdsa-p384-cert.pem b/internal/gatewayapi/testdata/tls/ecdsa-p384-cert.pem
index 5ed4f7858d9..3d55a9124e8 100644
--- a/internal/gatewayapi/testdata/tls/ecdsa-p384-cert.pem
+++ b/internal/gatewayapi/testdata/tls/ecdsa-p384-cert.pem
@@ -1,10 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBVzCB3wIJAI7PYBTYSCWbMAoGCCqGSM49BAMCMBYxFDASBgNVBAMMC2Zvby5i
-YXIuY29tMB4XDTIzMDEwNTIxNTczMFoXDTI0MDEwNTIxNTczMFowFjEUMBIGA1UE
-AwwLZm9vLmJhci5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATj+tPY8lWvrR9r
-54SAa8cnBtIMFg/6Ij51GRAZ+WGQcemJRQ3nPBPrhsV9tjuMvUvLND+H6Btygn5U
-22M3l78OZRFl4k3dpOwleeJNQPjlyw0cBtcpW2aYGOQTD2wqW7MwCgYIKoZIzj0E
-AwIDZwAwZAIwWnPBWsKCs6eExDUW7KR/Fh60Ump3Raxn0ciaJaXFsSOCCPBfrt2c
-ms8dgyESs1dCAjBrZiSpycdsDBMrMdhIhpKWGSXm3LeIxYDbc0+rYhzJd6dvcGXt
-r6WRBeo5xynQYvw=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-----END CERTIFICATE-----
diff --git a/internal/gatewayapi/testdata/tls/ecdsa-p384.key b/internal/gatewayapi/testdata/tls/ecdsa-p384.key
index ea832b72dea..4626890e668 100644
--- a/internal/gatewayapi/testdata/tls/ecdsa-p384.key
+++ b/internal/gatewayapi/testdata/tls/ecdsa-p384.key
@@ -1,6 +1,6 @@
-----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDBLXL+q1XPabzsdhr9upqiVM40q0WQY016/fUI4Q3/X/GcrdxSMD+dD
-BOGdvKdYo/6gBwYFK4EEACKhZANiAATj+tPY8lWvrR9r54SAa8cnBtIMFg/6Ij51
-GRAZ+WGQcemJRQ3nPBPrhsV9tjuMvUvLND+H6Btygn5U22M3l78OZRFl4k3dpOwl
-eeJNQPjlyw0cBtcpW2aYGOQTD2wqW7M=
+MIGkAgEBBDCeNj3chbP4g2cPOizPipLiJ6tCQAXf4rjSHHksQ1b6KV7xyDP6iVAK
+BVoyR/aipR+gBwYFK4EEACKhZANiAARb670Xm2mlrkujABCHesGXzir7gk8lDDpW
+SahQhfU5MzGJfAoqH8pzrQq7NL72vZHfz9iTBgSaoGHr28KLa0Ytdqi5x9OP46Bi
+I40ziqNyKH6/hZPMC7wHtztWSrUfbM4=
-----END EC PRIVATE KEY-----
diff --git a/internal/gatewayapi/testdata/tls/gen-certs.sh b/internal/gatewayapi/testdata/tls/gen-certs.sh
new file mode 100755
index 00000000000..8d428ed4a33
--- /dev/null
+++ b/internal/gatewayapi/testdata/tls/gen-certs.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# The following commands were used to generate test key/cert pairs
+# using openssl (LibreSSL 3.3.6)
+
+CERT_VALIDITY_DAYS=3650
+
+# RSA
+
+openssl req -x509 -nodes -days $CERT_VALIDITY_DAYS -newkey rsa:2048 -keyout rsa-pkcs8.key -out rsa-cert.pem -subj "/CN=foo.bar.com"
+openssl rsa -in rsa-pkcs8.key -out rsa-pkcs1.key
+
+# RSA with SAN extension
+
+openssl req -x509 -nodes -days $CERT_VALIDITY_DAYS -newkey rsa:2048 -keyout rsa-pkcs8-san.key -out rsa-cert-san.pem -subj "/CN=Test Inc" -addext "subjectAltName = DNS:foo.bar.com"
+openssl rsa -in rsa-pkcs8-san.key -out rsa-pkcs1-san.key
+
+# RSA with wildcard SAN domain
+
+openssl req -x509 -nodes -days $CERT_VALIDITY_DAYS -newkey rsa:2048 -keyout rsa-pkcs8-wildcard.key -out rsa-cert-wildcard.pem -subj "/CN=Test Inc" -addext "subjectAltName = DNS:*, DNS:*.example.com"
+openssl rsa -in rsa-pkcs8-wildcard.key -out rsa-pkcs1-wildcard.key
+
+# ECDSA-p256
+
+openssl ecparam -name prime256v1 -genkey -noout -out ecdsa-p256.key
+openssl req -new -x509 -days $CERT_VALIDITY_DAYS -key ecdsa-p256.key -out ecdsa-p256-cert.pem -subj "/CN=foo.bar.com"
+
+# ECDSA-p384
+
+openssl ecparam -name secp384r1 -genkey -noout -out ecdsa-p384.key
+openssl req -new -x509 -days $CERT_VALIDITY_DAYS -key ecdsa-p384.key -out ecdsa-p384-cert.pem -subj "/CN=foo.bar.com"
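Review bot: The three `openssl rsa -in … -out rsa-pkcs1*.key` conversions no longer produce PKCS#1 keys on the OpenSSL actually used for this regeneration: the regenerated `rsa-pkcs1.key`, `rsa-pkcs1-san.key` and `rsa-pkcs1-wildcard.key` in this same diff now start with `-----BEGIN PRIVATE KEY-----` and their blob ids (`d07adaf014b`, `4a103794b70`, `4b212d5fa8b`) are identical to the corresponding `rsa-pkcs8*.key`, so OpenSSL 3.x's default PKCS#8 output was written and the PKCS#1 fixtures are gone. Pass `-traditional` to force the `RSA PRIVATE KEY` form (the header comment naming LibreSSL 3.3.6 also appears stale, since LibreSSL emits PKCS#1 by default; if the script must still run there, guard the flag), and make the script fail fast and run from its own directory so a partial regeneration cannot leave mismatched key/cert pairs. Note in the header that the fixtures expire `CERT_VALIDITY_DAYS` after generation, because `validateCertificate` now rejects expired certs and tests will start failing on that date.
```shell
#!/bin/bash
set -euo pipefail
cd "$(dirname "$0")"
# … unchanged: CERT_VALIDITY_DAYS and the openssl req invocations …
# OpenSSL 3.x writes PKCS#8 by default; -traditional forces the PKCS#1 "RSA PRIVATE KEY" form
openssl rsa -in rsa-pkcs8.key -traditional -out rsa-pkcs1.key
openssl rsa -in rsa-pkcs8-san.key -traditional -out rsa-pkcs1-san.key
openssl rsa -in rsa-pkcs8-wildcard.key -traditional -out rsa-pkcs1-wildcard.key
```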
diff --git a/internal/gatewayapi/testdata/tls/rsa-cert-san.pem b/internal/gatewayapi/testdata/tls/rsa-cert-san.pem
index e93228ec78d..3dfef07bcb4 100644
--- a/internal/gatewayapi/testdata/tls/rsa-cert-san.pem
+++ b/internal/gatewayapi/testdata/tls/rsa-cert-san.pem
@@ -1,17 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIICwzCCAaugAwIBAgIJALIkgUYn9+gBMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
-BAMMCFRlc3QgSW5jMB4XDTIzMDUyMzE1MjE0M1oXDTI0MDUyMjE1MjE0M1owEzER
-MA8GA1UEAwwIVGVzdCBJbmMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQC0L/x6IQj/cwE4nOzPemiHQcGj/juIj7x/S3qng2aE61KTHijcFHXENK0ZBEEs
-FYAlLuZhctV7J2FRbNYM3nwCjBVGx6Z7NUJE9/Why4IFb/tLJ+oM6Eb4lEbfoNSv
-1dEp7Jx9F241ro6LHiLq2WwhpT28kUy0CHY+VaVLKsiYklpS3y7ohObgyibWnQlb
-ldJUO2VWan0xzvW41MMRlyJUMQFCKkmi5EYFU03NeDAjKaBcx8/4KIlyaG+1L8LP
-WMe2jX9SV8lo1+ctk/I/e64HSZY5b/JZYlZAXT4GlV/94b/lxdg3KitN7eo5L0i4
-5GAEyyb7pUn502IAyxBVhJCrAgMBAAGjGjAYMBYGA1UdEQQPMA2CC2Zvby5iYXIu
-Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQCM/KbyWD+tEAQh/bU5hOhFUMsqhhKQca9B
-KOVSjLBsaeQZqMpIz383xSRlT+TV3zwmILRsQpHusQiET7fzQUSuGD+9MR+GvrWi
-8fGCIAqO9LEak65wRNMD2YkE3lQV4q7RnRZGM1FykRV2ERUG9dSAepqEpHO2CCjX
-LLVnfs6zIggGI1VfkxgrLB9ggss1W5yo1GXGKxglncYx6rJyJvAJ1vfsvvDyztwY
-DU1+IRV9pbiFEmv2oWxgOJmtBC0mRXdfMp0mm52S2ss3y2hAc8GmLxdLaPYxYuf+
-4XmZjO6dwpG1D7W+ZC6JSMyTsrj4ldHJoaSytXr2oyVc2bgM4/Qk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-----END CERTIFICATE-----
diff --git a/internal/gatewayapi/testdata/tls/rsa-cert-wildcard.pem b/internal/gatewayapi/testdata/tls/rsa-cert-wildcard.pem
index 5523bd0f8e9..a4f1c00ce69 100644
--- a/internal/gatewayapi/testdata/tls/rsa-cert-wildcard.pem
+++ b/internal/gatewayapi/testdata/tls/rsa-cert-wildcard.pem
@@ -1,17 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIICyDCCAbCgAwIBAgIJAL5nI4X+aWq+MA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
-BAMMCFRlc3QgSU5DMB4XDTIzMDUyNTExMDIwN1oXDTI0MDUyNDExMDIwN1owEzER
-MA8GA1UEAwwIVGVzdCBJTkMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQC+S+OoUyYzvmyctlU9Ch2D4EALqlk6vddJkEaw/9UGnhfWRUOHt4Q2HlEe/O2Y
-VNIS3jOEbh4kxGgKIyFhP5yBFY17O/IkY/17cc3TScWU3fngoTBcczR6sWenN8EJ
-Cwt4nN+LYHiIKGrDIexngsnHFzdwB5QW0QrDBrA1CUWU7CrWQe8vwa6o1u8lm8wD
-PiMMk7M6nbCRgTMPEsEdWK80PFKILkvysXR5Pe6zNcIh3Nv1Iy9d38YJGL9UT8rH
-RQ+Vdfjw6+LonetJULUgR5usy09ayDArYEqMVYUunhr8br/p05+x/JUbKrkvw3cK
-Y5ZJHqyy7jXvjywQZlRy4j7TAgMBAAGjHzAdMBsGA1UdEQQUMBKCASqCDSouZXhh
-bXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBACsEj7aXFcv0ssjo++k8LBTP07vZ
-9xMTBlA4XHioxIR4tKYkRk4fNcSyGwtro80Yd4Y75klWAvif0bHhEN54A6+PaHnP
-+WbZNXu0n/espxD6qgUWz/UMzR2crYjbPtCurbXkXS9UgugLIMrcp24ZvTYi6ONm
-lguYhiDiMcfqXInxRQlW8G3EeGW/IJnSHxN2tb2IV53ACLCL8gCDl3V/XZGLwdex
-uKIN80PPKHnZeyXUKiiDaN5hbTZjb78W+TYKGBEOF1mWGOcPH0bVawRX2YTYq4O6
-I/BBQn9cgy9Koeklp/cg/oKEc0aetLdkvwE+52ZDmw40Ixi3eLQaXz90MqM=
+MIIDJDCCAgygAwIBAgIUSrSbKLf0bLEGogWx/gCw2GCtvxEwDQYJKoZIhvcNAQEL
+BQAwEzERMA8GA1UEAwwIVGVzdCBJbmMwHhcNMjQwMjI5MDkzMDEwWhcNMzQwMjI2
+MDkzMDEwWjATMREwDwYDVQQDDAhUZXN0IEluYzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAK1JzjPIiWg3qoHSrAddkeJjaMP9iyMTi/BPo9cJPoRE8Zi7
+WapUrXL/9A9r+jHMyGIZNZNdcZ5cY2Xv0LP8ZxVy2lk0+3wtYzHnpGYGVtyq2tet
+DhFsiPl82YRjC0mzWa4QMz4SXzFHNgIDpRdhfrovmseuWGQE8pV4Ud9UK/SKilMO
+qtB5JirLP2Vs5T1oWicWLQvfbGwv7sFDdr9bG0XtSQp17HSgo50SDE5+BjSmptFw
+1VcKLlqahMXBDDiorgwhIhGGKpESeM0P7bFhVmkM3ash2xSTBuFUBDlE4JOahzws
+DXrupUhDdS1hdc2fPrjhFAlJfWEYZ6BlZjysiVUCAwEAAaNwMG4wHQYDVR0OBBYE
+FBQufK1LibuVm9Ts/VjBx8L3uiNeMB8GA1UdIwQYMBaAFBQufK1LibuVm9Ts/VjB
+x8L3uiNeMA8GA1UdEwEB/wQFMAMBAf8wGwYDVR0RBBQwEoIBKoINKi5leGFtcGxl
+LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAfPS41agevWMV3ZXt0COFG3uYfPFXnVw6
+P41p9O6GkdYsuqFvPeTyyH2/dAIKKwSzM/pthg8Kn8LZlmJyFNnA1stJxn5XdbV1
+pPqj8UvYCBzyjMIqmRyoiyLiQlbohMa0UdEBKcH/PdLE9K8TGJrZgoGXqq1WmitD
+3vcPjSePKEiUJVS9lChySs0KY5B+hUQD0Jj6npFD4Zk0xqdxh0rWueCqq7vjqEYz
+pj4Pwrufn1PBTmfxMuV/UJV5ebikeuZP35kWzLR7ZWAL7wuDdWp/6o4yk3QLanDQ
+CwgCFcX+ss+0VyuM3YerTOUU8QVJJx4UZANZx6+43pdJZOcntPZ4CA==
-----END CERTIFICATE-----
diff --git a/internal/gatewayapi/testdata/tls/rsa-cert.pem b/internal/gatewayapi/testdata/tls/rsa-cert.pem
index 3d50bf11d76..84a712c4899 100644
--- a/internal/gatewayapi/testdata/tls/rsa-cert.pem
+++ b/internal/gatewayapi/testdata/tls/rsa-cert.pem
@@ -1,17 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIICqDCCAZACCQDEMgYYnQrCoDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtm
-b28uYmFyLmNvbTAeFw0yMzAxMDUxMzQzMjRaFw0yNDAxMDUxMzQzMjRaMBYxFDAS
-BgNVBAMMC2Zvby5iYXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAndHzwmpKcTIEbjhFgdWwTRN75cp8oulZxL1GrvR6Iw7z7ji0R4W/No9nGf9M
-YP2CRjisz51mwxSxeBrocLeA+mkxi1+iDvNdC+rSLx13zELSCnqbusPs7mGfJZq8
-9Lhenlyo43h5ca6H5LjMwu/RGUiF31XrNriYFBPvE2rB+dwn/NEkQ4h8Rqqyprkn
-F/qc9JMYAYFFWuVCpkIEndX1CyvQNOadfcvrgzt5vJl0Oi1AgriNaXbEPGnuf7I4
-qpBHGUXNe1Wl9WeVIqKX4OaEXDVC6FC7G8zmeeLW1AkYEVnipX6oSB+Bc/SHVVNh
-sBLRmtnszfNtT2Qrd+mpkx80ZQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCUJ8IC
-BoyEjOuwzpGaRhGN8B4jOPzhuCOEtd37S02lu07OHzyBvbsTGzKwBgLymWfGkH4B
-j7CLsp8FzNHKZuaBgpnZ9J6DLONwfWe2AYp7LdfOKVBUdMXQiOm7jJ9HhoCmvMN7
-bsjchWJoMwrFf+wdAKatz0qAPyhLye/FqmiVxkORZaw+T9mDZ+H49uASguJuNMyQ
-V6EyX6gtgWq376HvaXMS/3hamYoVWXI5MxiPOYxnABkJB4SCgIRejbJfVaQtoQ4a
-z02iULenDIIeQOYobKcMBXf1B4PAQmsehqVIbzsQCGi54VDrs6bZd/7Js1zCppgs
-JiD5IqMjKWDwq7aK
+MIIDDTCCAfWgAwIBAgIUEFMhP9eJ9XABWsQ5Zm6bRk2cLNQwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLZm9vLmJhci5jb20wHhcNMjQwMjI5MDkzMDEwWhcNMzQw
+MjI2MDkzMDEwWjAWMRQwEgYDVQQDDAtmb28uYmFyLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAJlI6YxE9ZkCPs6pCQxbrCmeix9P5Dfx9Ru5LD4T
+JmdW7IKdtQV/wfLmtsu76B+aTdCjWe0BTfeOORBbR3cPAG6ElQLiclQUrun3q+gs
+JpK+I7cI+j5w8I68XH5WQ7rVUtbwHpqbw+cVnBqIUOLiIatjIf7KX51M1uF9cfEH
+E4DncH6rbr59/RFZBskhxs5OzwJIfohkyvFweuTwxK/VpjI+7Oc48ABCXpNO9D/q
+Eh+rOaujAMcXgHQITkCiiUTcUo6LSH9vLZPtaqfzoZq6nhMqpW65E1pAwF3jyTTx
+a5I8JcfSFjkieZ20LUQMn7M8U4xHjao/gvH0CAfdB7RLU2sCAwEAAaNTMFEwHQYD
+VR0OBBYEFORCE8u/1DDW7ihZp7cx9tSmPm6OMB8GA1UdIwQYMBaAFORCE8u/1DDW
+7ihZp7cx9tSmPm6OMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AFt53zjsqTaH5a8E2chvmWAgCrxRK8bVLMxiwNGjbmEPRz+w6Nx+k0A8KEcIDsKc
+SXci58u4oWbtVJBlza/ZujHR6P1BnOpl+aoy784bbd4P39wTLoXfMfbBCm1vevh9
+AJKnw2Ztqr4mkbLcxEqlq3sBLFAS9sQLnKNCe2cGLdTp2boG+qcgyQgCIM6f8EMv
+WPifCMMGuzK/GRF4bPO/YF48ewDu3Ueih0XXdUAOE9CtUa8NIhc1UPaOzPrtYVqr
+ZOGkv/Ku+B78h8SEsO9XrQcuwbOnJx6KtR+aeykvApXCQ3fZC/bYKAAR+P8AJoQZ
+bwIUmXi4gj5m+bKPhe+ir+E=
-----END CERTIFICATE-----
diff --git a/internal/gatewayapi/testdata/tls/rsa-pkcs1-san.key b/internal/gatewayapi/testdata/tls/rsa-pkcs1-san.key
index b72cca8cccb..4a103794b70 100644
--- a/internal/gatewayapi/testdata/tls/rsa-pkcs1-san.key
+++ b/internal/gatewayapi/testdata/tls/rsa-pkcs1-san.key
@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAtC/8eiEI/3MBOJzsz3poh0HBo/47iI+8f0t6p4NmhOtSkx4o
-3BR1xDStGQRBLBWAJS7mYXLVeydhUWzWDN58AowVRsemezVCRPf1ocuCBW/7Syfq
-DOhG+JRG36DUr9XRKeycfRduNa6Oix4i6tlsIaU9vJFMtAh2PlWlSyrImJJaUt8u
-6ITm4Mom1p0JW5XSVDtlVmp9Mc71uNTDEZciVDEBQipJouRGBVNNzXgwIymgXMfP
-+CiJcmhvtS/Cz1jHto1/UlfJaNfnLZPyP3uuB0mWOW/yWWJWQF0+BpVf/eG/5cXY
-NyorTe3qOS9IuORgBMsm+6VJ+dNiAMsQVYSQqwIDAQABAoIBAAoaosLKdXG1pjzh
-d9oOmCv1gQFMMVRwEvbkaaVZFfegJoo/Z7UnpI7zET3U4j6xmfT700llohj81VU2
-kC46j6Oo7UyBx5EjJGsvqGOBQPJDHElTnKlKoSgxUGQb5bFSgR8juIa/OJvkBPRC
-JV0cAhdE59haIX369355WQKFDKiZfDU3lSg7+wxraP4VktNFGXXKhdzF0X+JtB41
-ZKUQxUvOmk0Zrqf2F7hYVPlTLOtlTJ22B001Sr0hQMdMouJ/F32sljHBvnznkFpL
-2oDB8f/UVQE4Y6TKu1n73tWsIbbi6BF9YeRlHVNjKc0OkDM52NSnvHVy/SKiSesj
-0JmVQJECgYEA55vzDApXvVlwbA3XlB+1M2wihEM1KbAB/VXjj6z9rv5rSBmFyv+0
-jpzePHWC+mMhJvBT9vAzUuOLtbArF0ebUdj+jGwN+reKahCTQwi6cifk48ZKiIlv
-mHvU0EZkh5+ueuXYwGVGOxp4EKZsoczVEs2fuvu0NlcvGIPnVsYVtCMCgYEAxym8
-iE4uDFA3tPfSa8VkKEiTyIi/KgjbafAtQf1VpXMtBXT9rSAaobacrpb9V9f7GUrU
-4hIEZxTja50gYcBONujEqm3rnDayne7NxuziVtjAqN4vl9hH/rXjjnP8OZykVKVE
-a380IuDhHOtFzbzB59NOu0KBXwiYILT7/A7IFdkCgYEA1nDe1OwSlp9j5rfePSgq
-dmUNhFZRt7pd7TiDzLhH3al0nTn8VZrxiwWVAndvAPOdc1ca9s0pR/qklWF6VECZ
-f2uhK1S0kMk1X8TfBDbloeJsG7Sxt79AUvd8cCZs1+GyA9oiGOjr4Lc+KXRdqmVj
-dthppw97qMCKO3GNVRtsZu8CgYEAnPrAp483rGzt+636JQgI0dei5EUkqDUi/HVa
-ttC/WRFXQx3bdUIAu8X76YEJXtvWBzF8alRZNAa62m+WvnWdMJp3qP3K3+4dC27W
-sxyzqlBeSrwWN1E6LgGfwwCYpbBZtn4tV62Dopot1WV8N5W4IMnlHKRm5EkZ323H
-z/y2qMECgYAXEL7vJSsPKPicrwVnlDGdg5cJeUHuDIk5PILYczP4Y4S881B6Di6A
-iQYIh18N8MdcSvM28cUT1smvLWjRLjz4F5nSnTPm4Ewjn5Xe/RddIQydSH3D8avG
-lXoMvfFMQajS8UNTIW5c+2eI/LN5G62UM5tuy/BRBQmYTGpmK+34Ig==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/internal/gatewayapi/testdata/tls/rsa-pkcs1-wildcard.key b/internal/gatewayapi/testdata/tls/rsa-pkcs1-wildcard.key
index f4db1ed6b96..4b212d5fa8b 100644
--- a/internal/gatewayapi/testdata/tls/rsa-pkcs1-wildcard.key
+++ b/internal/gatewayapi/testdata/tls/rsa-pkcs1-wildcard.key
@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAvkvjqFMmM75snLZVPQodg+BAC6pZOr3XSZBGsP/VBp4X1kVD
-h7eENh5RHvztmFTSEt4zhG4eJMRoCiMhYT+cgRWNezvyJGP9e3HN00nFlN354KEw
-XHM0erFnpzfBCQsLeJzfi2B4iChqwyHsZ4LJxxc3cAeUFtEKwwawNQlFlOwq1kHv
-L8GuqNbvJZvMAz4jDJOzOp2wkYEzDxLBHVivNDxSiC5L8rF0eT3uszXCIdzb9SMv
-Xd/GCRi/VE/Kx0UPlXX48Ovi6J3rSVC1IEebrMtPWsgwK2BKjFWFLp4a/G6/6dOf
-sfyVGyq5L8N3CmOWSR6ssu41748sEGZUcuI+0wIDAQABAoIBACUBDNwGjz8woF44
-9opQFT03tjyOe5t4nwynCZgRp5MJ2wjHn0Ic5ZDAhHXKKUmd9NvGaa4u2526s6CF
-BFCs1foj/scf+Q4qg3glwSh9B/bS02xi68yOen4BUW6q4NapVym1F6M6tzWC5n/b
-cOUQAby9PwKB9sIZFEaoXktx6h3zGNQh0zx8P63xN2HylQEi0RLhT6Sx7lYlTyF5
-RMCbEdmnC0F7kALF1he2LiaOcKTsfOLJOBW4/aoq+p619kphkeezUsJKPWXLO9Zz
-xES0o8OyaSE8xw9Qw8tPNN4uiumBL2h7KBh9tukB9gfVOQLvMNDTrZlkX9zKkUIu
-K2rHUcECgYEA5tkfKtfBIpAzribfIorUgCyb34esFf4Db1IIjJdkoQL0Djf7EA1v
-uyJdeXSf5v5gzUAOKJi5YMATpBc0IwtXAr5rTfy0gXM/lz/7X0JiVo2Or3XwBC0S
-dKL1TogsGyDEVk31mlN+cX3J4fICAl08LlQRQxYlP66J6Pzx+UKxhFUCgYEA0wew
-W+uy2BCVpdpg6+0/U7HMYuztCxEWfLtswHU+aWCC0yrw1WaBWFLvH/oInTNKhkj3
-j2OU5C1dt+Pn+BQonuTB0eRd9Klsb/cFaU1nwF/gSLg2BDettn4gaSnU+Hb7tb+n
-DIcIrVzrObdXsjj2J9YbbOKmtPww2gqgmQo1nocCgYEAupw1t7plo/0R6ev+YLv9
-gAePkajpEXYfbLPRuWUAsa/jfkL+r0FNWucyzOXcBS0JL6JiT6r14CIlPnaLbPDT
-y6IGuCpZ+HMjqq7ME3tkZzdTar9Z4OZWjvbUekFV9jAMxv+KVNC93BylQAMUYLjh
-10maErMqNUpwrWkcajThr2kCgYBr+t00y6/heur3yHwbfHQQ4UNRwyWvqfi1rjmB
-aPyccvO+FZTRvPemOBl/ZTMPLPWPLLrvteazsrrno0hI2hfG5gp+2blxvVdtGxq7
-vQ2/k89xpkCNe+f5HyR6axs8X7WAVCan9FhuTMNX7waCfT8HNzklR/xBU2Gz0AhJ
-Br5U9QKBgQDSM+WSM/wQs4W8yJM6hZuP2ejuiOfZKIgZ/NShVArp+p7r/rvTD8S5
-lM0nF5IIhrOtFunGDji15629L5HVBfdf39+ctSpuh8yEAkiWFW1JQPimjSC/kxH0
-g0iOAtMTPeuW9I5EI9k6n7Ll1TGLJAchtyjtRDGELXiftW110f3GoQ==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/internal/gatewayapi/testdata/tls/rsa-pkcs1.key b/internal/gatewayapi/testdata/tls/rsa-pkcs1.key
index ae6bd93b605..d07adaf014b 100644
--- a/internal/gatewayapi/testdata/tls/rsa-pkcs1.key
+++ b/internal/gatewayapi/testdata/tls/rsa-pkcs1.key
@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAndHzwmpKcTIEbjhFgdWwTRN75cp8oulZxL1GrvR6Iw7z7ji0
-R4W/No9nGf9MYP2CRjisz51mwxSxeBrocLeA+mkxi1+iDvNdC+rSLx13zELSCnqb
-usPs7mGfJZq89Lhenlyo43h5ca6H5LjMwu/RGUiF31XrNriYFBPvE2rB+dwn/NEk
-Q4h8RqqyprknF/qc9JMYAYFFWuVCpkIEndX1CyvQNOadfcvrgzt5vJl0Oi1AgriN
-aXbEPGnuf7I4qpBHGUXNe1Wl9WeVIqKX4OaEXDVC6FC7G8zmeeLW1AkYEVnipX6o
-SB+Bc/SHVVNhsBLRmtnszfNtT2Qrd+mpkx80ZQIDAQABAoIBAGNRTCCuOVjRDD68
-xOk3LDLlLxRmgFcZmPeZ0dCqY+6KK3JgVvunrLTOPCj9I/jpsME2S3KAcLoV3LVj
-4aGFqfJsntRCA7964bRtO4aQ+eIerwYPMM+xGvrNjpTgs0cie9EXKOW13F9xYW3L
-6nhG6YUKwczRyitusa34+Xxzs8zkBWxrhcB+W7KxbV3o9lt8PMqLexTx+cCrYr8a
-CHvRd9vbIPTgwb42c24ZilNPqwEvmA3m81r5Ua4RPprnwN89wrQMQvEYu95aUoS+
-DwIqKZkUMqnrVtut/EKq7OBsYO/KZSEK1jXALJOyV/cLWM7szz1iLVTNZaUWwE2u
-do7WL+UCgYEAzZtdZnuF45mB1L6vmGkku6fntprw9LmfTiMWJwaVdIvqwnm6hNgO
-RZ2qePW1sQPNDyHr1HciQf400SdakhCVgSS2ZilR+vk9LpeXijapRC1RkhgSLIsT
-kUMwnaYdi7UZANLnCFN3MW0Xi3xQRGyRmFwgb0haoLU/aHtXrmS1WjcCgYEAxIA+
-9g+jucW9MQ+eOOdwztQWn4M4vAV+EjEYlr/9Uwi/ezZRJIcs/+pD8GdJq0KTQd+h
-LySXVJscHUnNl/JPINdP/eWCgRlQI/8LWlV5TlcQKPhUc2WMWawqJ2GkdLqUta5e
-Js7MQx3njn0FUzB9Ee2OyYJtPbrfCno6fyLwKEMCgYAd2RIkEIaNVfmdEtmW/JyS
-iXt/7NpSDKhtxXYv0CreMnmwJc/H/T2FKbBXwwPPYMfiDICZ5XmZrven7Vien720
-c8nu5sy57HjPTL55GBpWhWW0Gb55rO74RZLHMBhV8cJhdjyH3uYMzNOAMlnMtR4l
-yioDPbO6ZNWBq3Y9IO2a3QKBgQCiuAhrPpw39BUtEV/Wg2EZBOwO/1z15h519g4E
-l8uw/OeDooEjHIUZDudfpkiM9z52KDeTkFt4hlGLt1f24YLBEUt+VpXxTgLdLBA8
-p9ciFlqdcraMMKU+hKELp4HF39PRdykkPc9MLPFZPxIvx1FqjSvWlpjbq2mThY/3
-Q/lXfQKBgC10sLQO/jew+HexA9Q0RBjIGOVsPKqLekbgnuiU3AIEqbthzEq1HIFq
-2Wwa2KDhEbjAdYdUa7za5jIwUuFKBF9nf/5YYvJqf3gyHMD90JI546SA0VdErspZ
-ERGXgyX+WKLc8exLwWqNR5w/lx/MgVCn120obyVBmhYdTreXK4d2
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
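Review bot: This fixture is no longer a PKCS#1 key: the old content was `-----BEGIN RSA PRIVATE KEY-----` and the new content is `-----BEGIN PRIVATE KEY-----` with blob id `d07adaf014b`, the same id the regenerated `rsa-pkcs8.key` gets in this diff, so the file is now a byte-for-byte copy of the PKCS#8 fixture. Any test case that selects `rsa-pkcs1.key` to exercise PKCS#1 parsing now exercises PKCS#8 twice. Regenerate it with `openssl rsa -in rsa-pkcs8.key -traditional -out rsa-pkcs1.key` (the same applies to `rsa-pkcs1-san.key` and `rsa-pkcs1-wildcard.key`).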
diff --git a/internal/gatewayapi/testdata/tls/rsa-pkcs8-san.key b/internal/gatewayapi/testdata/tls/rsa-pkcs8-san.key
index bf0e9e378a7..4a103794b70 100644
--- a/internal/gatewayapi/testdata/tls/rsa-pkcs8-san.key
+++ b/internal/gatewayapi/testdata/tls/rsa-pkcs8-san.key
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0L/x6IQj/cwE4
-nOzPemiHQcGj/juIj7x/S3qng2aE61KTHijcFHXENK0ZBEEsFYAlLuZhctV7J2FR
-bNYM3nwCjBVGx6Z7NUJE9/Why4IFb/tLJ+oM6Eb4lEbfoNSv1dEp7Jx9F241ro6L
-HiLq2WwhpT28kUy0CHY+VaVLKsiYklpS3y7ohObgyibWnQlbldJUO2VWan0xzvW4
-1MMRlyJUMQFCKkmi5EYFU03NeDAjKaBcx8/4KIlyaG+1L8LPWMe2jX9SV8lo1+ct
-k/I/e64HSZY5b/JZYlZAXT4GlV/94b/lxdg3KitN7eo5L0i45GAEyyb7pUn502IA
-yxBVhJCrAgMBAAECggEAChqiwsp1cbWmPOF32g6YK/WBAUwxVHAS9uRppVkV96Am
-ij9ntSekjvMRPdTiPrGZ9PvTSWWiGPzVVTaQLjqPo6jtTIHHkSMkay+oY4FA8kMc
-SVOcqUqhKDFQZBvlsVKBHyO4hr84m+QE9EIlXRwCF0Tn2Fohffr3fnlZAoUMqJl8
-NTeVKDv7DGto/hWS00UZdcqF3MXRf4m0HjVkpRDFS86aTRmup/YXuFhU+VMs62VM
-nbYHTTVKvSFAx0yi4n8XfayWMcG+fOeQWkvagMHx/9RVAThjpMq7Wfve1awhtuLo
-EX1h5GUdU2MpzQ6QMznY1Ke8dXL9IqJJ6yPQmZVAkQKBgQDnm/MMCle9WXBsDdeU
-H7UzbCKEQzUpsAH9VeOPrP2u/mtIGYXK/7SOnN48dYL6YyEm8FP28DNS44u1sCsX
-R5tR2P6MbA36t4pqEJNDCLpyJ+TjxkqIiW+Ye9TQRmSHn6565djAZUY7GngQpmyh
-zNUSzZ+6+7Q2Vy8Yg+dWxhW0IwKBgQDHKbyITi4MUDe099JrxWQoSJPIiL8qCNtp
-8C1B/VWlcy0FdP2tIBqhtpyulv1X1/sZStTiEgRnFONrnSBhwE426MSqbeucNrKd
-7s3G7OJW2MCo3i+X2Ef+teOOc/w5nKRUpURrfzQi4OEc60XNvMHn0067QoFfCJgg
-tPv8DsgV2QKBgQDWcN7U7BKWn2Pmt949KCp2ZQ2EVlG3ul3tOIPMuEfdqXSdOfxV
-mvGLBZUCd28A851zVxr2zSlH+qSVYXpUQJl/a6ErVLSQyTVfxN8ENuWh4mwbtLG3
-v0BS93xwJmzX4bID2iIY6Ovgtz4pdF2qZWN22GmnD3uowIo7cY1VG2xm7wKBgQCc
-+sCnjzesbO37rfolCAjR16LkRSSoNSL8dVq20L9ZEVdDHdt1QgC7xfvpgQle29YH
-MXxqVFk0Brrab5a+dZ0wmneo/crf7h0LbtazHLOqUF5KvBY3UTouAZ/DAJilsFm2
-fi1XrYOimi3VZXw3lbggyeUcpGbkSRnfbcfP/LaowQKBgBcQvu8lKw8o+JyvBWeU
-MZ2Dlwl5Qe4MiTk8gthzM/hjhLzzUHoOLoCJBgiHXw3wx1xK8zbxxRPWya8taNEu
-PPgXmdKdM+bgTCOfld79F10hDJ1IfcPxq8aVegy98UxBqNLxQ1Mhblz7Z4j8s3kb
-rZQzm27L8FEFCZhMamYr7fgi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-----END PRIVATE KEY-----
diff --git a/internal/gatewayapi/testdata/tls/rsa-pkcs8-wildcard.key b/internal/gatewayapi/testdata/tls/rsa-pkcs8-wildcard.key
index b7f022d0d21..4b212d5fa8b 100644
--- a/internal/gatewayapi/testdata/tls/rsa-pkcs8-wildcard.key
+++ b/internal/gatewayapi/testdata/tls/rsa-pkcs8-wildcard.key
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+S+OoUyYzvmyc
-tlU9Ch2D4EALqlk6vddJkEaw/9UGnhfWRUOHt4Q2HlEe/O2YVNIS3jOEbh4kxGgK
-IyFhP5yBFY17O/IkY/17cc3TScWU3fngoTBcczR6sWenN8EJCwt4nN+LYHiIKGrD
-IexngsnHFzdwB5QW0QrDBrA1CUWU7CrWQe8vwa6o1u8lm8wDPiMMk7M6nbCRgTMP
-EsEdWK80PFKILkvysXR5Pe6zNcIh3Nv1Iy9d38YJGL9UT8rHRQ+Vdfjw6+LonetJ
-ULUgR5usy09ayDArYEqMVYUunhr8br/p05+x/JUbKrkvw3cKY5ZJHqyy7jXvjywQ
-ZlRy4j7TAgMBAAECggEAJQEM3AaPPzCgXjj2ilAVPTe2PI57m3ifDKcJmBGnkwnb
-CMefQhzlkMCEdcopSZ3028Zpri7bnbqzoIUEUKzV+iP+xx/5DiqDeCXBKH0H9tLT
-bGLrzI56fgFRbqrg1qlXKbUXozq3NYLmf9tw5RABvL0/AoH2whkURqheS3HqHfMY
-1CHTPHw/rfE3YfKVASLREuFPpLHuViVPIXlEwJsR2acLQXuQAsXWF7YuJo5wpOx8
-4sk4Fbj9qir6nrX2SmGR57NSwko9Zcs71nPERLSjw7JpITzHD1DDy0803i6K6YEv
-aHsoGH226QH2B9U5Au8w0NOtmWRf3MqRQi4rasdRwQKBgQDm2R8q18EikDOuJt8i
-itSALJvfh6wV/gNvUgiMl2ShAvQON/sQDW+7Il15dJ/m/mDNQA4omLlgwBOkFzQj
-C1cCvmtN/LSBcz+XP/tfQmJWjY6vdfAELRJ0ovVOiCwbIMRWTfWaU35xfcnh8gIC
-XTwuVBFDFiU/rono/PH5QrGEVQKBgQDTB7Bb67LYEJWl2mDr7T9Tscxi7O0LERZ8
-u2zAdT5pYILTKvDVZoFYUu8f+gidM0qGSPePY5TkLV234+f4FCie5MHR5F30qWxv
-9wVpTWfAX+BIuDYEN622fiBpKdT4dvu1v6cMhwitXOs5t1eyOPYn1hts4qa0/DDa
-CqCZCjWehwKBgQC6nDW3umWj/RHp6/5gu/2AB4+RqOkRdh9ss9G5ZQCxr+N+Qv6v
-QU1a5zLM5dwFLQkvomJPqvXgIiU+dots8NPLoga4Kln4cyOqrswTe2RnN1Nqv1ng
-5laO9tR6QVX2MAzG/4pU0L3cHKVAAxRguOHXSZoSsyo1SnCtaRxqNOGvaQKBgGv6
-3TTLr+F66vfIfBt8dBDhQ1HDJa+p+LWuOYFo/Jxy874VlNG896Y4GX9lMw8s9Y8s
-uu+15rOyuuejSEjaF8bmCn7ZuXG9V20bGru9Db+Tz3GmQI175/kfJHprGzxftYBU
-Jqf0WG5Mw1fvBoJ9Pwc3OSVH/EFTYbPQCEkGvlT1AoGBANIz5ZIz/BCzhbzIkzqF
-m4/Z6O6I59koiBn81KFUCun6nuv+u9MPxLmUzScXkgiGs60W6cYOOLXnrb0vkdUF
-91/f35y1Km6HzIQCSJYVbUlA+KaNIL+TEfSDSI4C0xM965b0jkQj2TqfsuXVMYsk
-ByG3KO1EMYQteJ+1bXXR/cah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-----END PRIVATE KEY-----
diff --git a/internal/gatewayapi/testdata/tls/rsa-pkcs8.key b/internal/gatewayapi/testdata/tls/rsa-pkcs8.key
index cb2c0aec206..d07adaf014b 100644
--- a/internal/gatewayapi/testdata/tls/rsa-pkcs8.key
+++ b/internal/gatewayapi/testdata/tls/rsa-pkcs8.key
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCd0fPCakpxMgRu
-OEWB1bBNE3vlynyi6VnEvUau9HojDvPuOLRHhb82j2cZ/0xg/YJGOKzPnWbDFLF4
-Guhwt4D6aTGLX6IO810L6tIvHXfMQtIKepu6w+zuYZ8lmrz0uF6eXKjjeHlxrofk
-uMzC79EZSIXfVes2uJgUE+8TasH53Cf80SRDiHxGqrKmuScX+pz0kxgBgUVa5UKm
-QgSd1fULK9A05p19y+uDO3m8mXQ6LUCCuI1pdsQ8ae5/sjiqkEcZRc17VaX1Z5Ui
-opfg5oRcNULoULsbzOZ54tbUCRgRWeKlfqhIH4Fz9IdVU2GwEtGa2ezN821PZCt3
-6amTHzRlAgMBAAECggEAY1FMIK45WNEMPrzE6TcsMuUvFGaAVxmY95nR0Kpj7oor
-cmBW+6estM48KP0j+OmwwTZLcoBwuhXctWPhoYWp8mye1EIDv3rhtG07hpD54h6v
-Bg8wz7Ea+s2OlOCzRyJ70Rco5bXcX3FhbcvqeEbphQrBzNHKK26xrfj5fHOzzOQF
-bGuFwH5bsrFtXej2W3w8yot7FPH5wKtivxoIe9F329sg9ODBvjZzbhmKU0+rAS+Y
-DebzWvlRrhE+mufA3z3CtAxC8Ri73lpShL4PAiopmRQyqetW2638Qqrs4Gxg78pl
-IQrWNcAsk7JX9wtYzuzPPWItVM1lpRbATa52jtYv5QKBgQDNm11me4XjmYHUvq+Y
-aSS7p+e2mvD0uZ9OIxYnBpV0i+rCebqE2A5Fnap49bWxA80PIevUdyJB/jTRJ1qS
-EJWBJLZmKVH6+T0ul5eKNqlELVGSGBIsixORQzCdph2LtRkA0ucIU3cxbReLfFBE
-bJGYXCBvSFqgtT9oe1euZLVaNwKBgQDEgD72D6O5xb0xD54453DO1Bafgzi8BX4S
-MRiWv/1TCL97NlEkhyz/6kPwZ0mrQpNB36EvJJdUmxwdSc2X8k8g10/95YKBGVAj
-/wtaVXlOVxAo+FRzZYxZrConYaR0upS1rl4mzsxDHeeOfQVTMH0R7Y7Jgm09ut8K
-ejp/IvAoQwKBgB3ZEiQQho1V+Z0S2Zb8nJKJe3/s2lIMqG3Fdi/QKt4yebAlz8f9
-PYUpsFfDA89gx+IMgJnleZmu96ftWJ6fvbRzye7mzLnseM9MvnkYGlaFZbQZvnms
-7vhFkscwGFXxwmF2PIfe5gzM04AyWcy1HiXKKgM9s7pk1YGrdj0g7ZrdAoGBAKK4
-CGs+nDf0FS0RX9aDYRkE7A7/XPXmHnX2DgSXy7D854OigSMchRkO51+mSIz3PnYo
-N5OQW3iGUYu3V/bhgsERS35WlfFOAt0sEDyn1yIWWp1ytowwpT6EoQungcXf09F3
-KSQ9z0ws8Vk/Ei/HUWqNK9aWmNuraZOFj/dD+Vd9AoGALXSwtA7+N7D4d7ED1DRE
-GMgY5Ww8qot6RuCe6JTcAgSpu2HMSrUcgWrZbBrYoOERuMB1h1RrvNrmMjBS4UoE
-X2d//lhi8mp/eDIcwP3QkjnjpIDRV0SuylkREZeDJf5Yotzx7EvBao1HnD+XH8yB
-UKfXbShvJUGaFh1Ot5crh3Y=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-----END PRIVATE KEY-----
diff --git a/internal/gatewayapi/tls.go b/internal/gatewayapi/tls.go
index 356b152b770..f37c53b9526 100644
--- a/internal/gatewayapi/tls.go
+++ b/internal/gatewayapi/tls.go
@@ -9,6 +9,7 @@ import (
"crypto/x509"
"encoding/pem"
"fmt"
+ "time"
corev1 "k8s.io/api/core/v1"
v1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -24,6 +25,10 @@ func validateTLSSecretsData(secrets []*corev1.Secret, host *v1.Hostname) error {
for _, secret := range secrets {
certData := secret.Data[corev1.TLSCertKey]
+ if err := validateCertificate(certData); err != nil {
+ return fmt.Errorf("%s/%s must contain valid %s and %s, unable to validate certificate in %s: %w", secret.Namespace, secret.Name, corev1.TLSCertKey, corev1.TLSPrivateKeyKey, corev1.TLSCertKey, err)
+ }
+
certBlock, _ := pem.Decode(certData)
if certBlock == nil {
return fmt.Errorf("%s/%s must contain valid %s and %s, unable to decode pem data in %s", secret.Namespace, secret.Name, corev1.TLSCertKey, corev1.TLSPrivateKeyKey, corev1.TLSCertKey)
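Review bot: The certificate is PEM-decoded twice in a row: `validateCertificate(certData)` decodes and parses it, and the very next lines `pem.Decode(certData)` again (with a parse presumably following further down, outside the hunk). Have the helper return what it already parsed, e.g. `cert, err := validateCertificate(certData)`, and reuse that value for the hostname check so the validity check and the hostname check cannot disagree on which block or certificate they looked at. The enclosing `validateTLSSecretsData` continues outside the hunk, so I cannot see whether anything else still depends on `certBlock`.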
@@ -96,3 +101,24 @@ func verifyHostname(cert *x509.Certificate, host *v1.Hostname) ([]string, error)
return nil, x509.HostnameError{Certificate: cert, Host: string(*host)}
}
+
+func validateCertificate(data []byte) error {
+ block, _ := pem.Decode(data)
+ if block == nil {
+ return fmt.Errorf("pem decode failed")
+ }
+ certs, err := x509.ParseCertificates(block.Bytes)
+ if err != nil {
+ return err
+ }
+ now := time.Now()
+ for _, cert := range certs {
+ if now.After(cert.NotAfter) {
+ return fmt.Errorf("certificate is expired")
+ }
+ if now.Before(cert.NotBefore) {
+ return fmt.Errorf("certificate is not yet valid")
+ }
+ }
+ return nil
+}
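Review bot: `validateCertificate` only checks the first PEM block: `pem.Decode(data)` discards `rest`, so when `tls.crt` carries a chain (leaf followed by intermediates, the usual layout in a `kubernetes.io/tls` Secret) an expired or not-yet-valid intermediate passes validation even though Envoy will present it. Iterate over all PEM blocks, and include the subject and the boundary timestamp in the error so an operator can tell which certificate of a chain was rejected (the `pem decode failed` and `x509:` messages are asserted by `tls_test.go`, so keep those as they are). Since this check uses `time.Now()` it also makes every test that loads the committed fixtures time-dependent; consider threading the clock in (`validateCertificateAt(data, now)`) so expiry can be tested deterministically.
```go
func validateCertificate(data []byte) error {
	now := time.Now()
	rest := data
	for i := 0; ; i++ {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			if i == 0 {
				return fmt.Errorf("pem decode failed")
			}
			return nil // all blocks inspected
		}
		certs, err := x509.ParseCertificates(block.Bytes)
		if err != nil {
			return err
		}
		for _, cert := range certs {
			if now.After(cert.NotAfter) {
				return fmt.Errorf("certificate %q is expired (not after %s)", cert.Subject, cert.NotAfter.UTC().Format(time.RFC3339))
			}
			if now.Before(cert.NotBefore) {
				return fmt.Errorf("certificate %q is not yet valid (not before %s)", cert.Subject, cert.NotBefore.UTC().Format(time.RFC3339))
			}
		}
	}
}
```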
diff --git a/internal/gatewayapi/tls_test.go b/internal/gatewayapi/tls_test.go
index f1d1d2706f6..a53e53948b2 100644
--- a/internal/gatewayapi/tls_test.go
+++ b/internal/gatewayapi/tls_test.go
@@ -46,38 +46,8 @@ func createTestSecrets(t *testing.T, certFile, keyFile string) []*corev1.Secret
}}
}
-/*
-TestValidateTLSSecretData ensures that we can properly validate the contents of a K8s tls secret.
-The test assumes the secret is valid and was able to be applied to a cluster.
-
-The following commands were used to generate test key/cert pairs
-using openssl (LibreSSL 3.3.6)
-
-# RSA
-
- openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout rsa-pkcs8.key -out rsa-cert.pem -subj "/CN=foo.bar.com"`
- openssl rsa -in rsa-pkcs8.key -out rsa-pkcs1.key
-
-# RSA with SAN extension
-
- openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout rsa-pkcs8-san.key -out rsa-cert-san.pem -subj "/CN=Test Inc" -addext "subjectAltName = DNS:foo.bar.com"
- openssl rsa -in rsa-pkcs8-san.key -out rsa-pkcs1-san.key
-
-# RSA with wildcard SAN domain
-
- openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout rsa-pkcs8-wildcard.key -out rsa-cert-wildcard.pem -subj "/CN=Test Inc" -addext "subjectAltName = DNS:*, DNS:*.example.com"
- openssl rsa -in rsa-pkcs8-wildcard.key -out rsa-pkcs1-wildcard.key
-
-# ECDSA-p256
-
- openssl ecparam -name prime256v1 -genkey -noout -out ecdsa-p256.key
- openssl req -new -x509 -days 365 -key ecdsa-p256.key -out ecdsa-p256-cert.pem -subj "/CN=foo.bar.com"
-
-# ECDSA-p384
-
- openssl ecparam -name secp384r1 -genkey -noout -out ecdsa-p384.key
- openssl req -new -x509 -days 365 -key ecdsa-p384.key -out ecdsa-p384-cert.pem -subj "/CN=foo.bar.com"
-*/
+// TestValidateTLSSecretData ensures that we can properly validate the contents of a K8s tls secret.
+// The test assumes the secret is valid and was able to be applied to a cluster.
func TestValidateTLSSecretsData(t *testing.T) {
type testCase struct {
Name string
@@ -135,7 +105,7 @@ func TestValidateTLSSecretsData(t *testing.T) {
CertFile: "malformed-encoding.pem",
KeyFile: "rsa-pkcs8.key",
Domain: "*",
- ExpectedErr: errors.New("test/secret must contain valid tls.crt and tls.key, unable to decode pem data in tls.crt"),
+ ExpectedErr: errors.New("test/secret must contain valid tls.crt and tls.key, unable to validate certificate in tls.crt: pem decode failed"),
},
{
Name: "malformed-key-pem-encoding",
@@ -149,7 +119,7 @@ func TestValidateTLSSecretsData(t *testing.T) {
CertFile: "malformed-cert.pem",
KeyFile: "rsa-pkcs8.key",
Domain: "*",
- ExpectedErr: errors.New("test/secret must contain valid tls.crt and tls.key, unable to parse certificate in tls.crt: x509: malformed certificate"),
+ ExpectedErr: errors.New("test/secret must contain valid tls.crt and tls.key, unable to validate certificate in tls.crt: x509: malformed certificate"),
},
{
Name: "malformed-pkcs8-key",
@@ -202,3 +172,48 @@ func TestValidateTLSSecretsData(t *testing.T) {
})
}
}
+
+func TestValidateCertificate(t *testing.T) {
+ type testCase struct {
+ Name string
+ CertFile string
+ ExpectedErr error
+ }
+
+ testCases := []testCase{
+ {
+ Name: "valid-rsa-cert",
+ CertFile: "rsa-cert.pem",
+ ExpectedErr: nil,
+ },
+ {
+ Name: "valid-ecdsa-p256-cert",
+ CertFile: "ecdsa-p256-cert.pem",
+ ExpectedErr: nil,
+ },
+ {
+ Name: "valid-ecdsa-p384-cert",
+ CertFile: "ecdsa-p384-cert.pem",
+ ExpectedErr: nil,
+ },
+ {
+ Name: "malformed-cert",
+ CertFile: "malformed-cert.pem",
+ ExpectedErr: errors.New("x509: malformed certificate"),
+ },
+ }
+
+ for _, tc := range testCases {
+ tc := tc
+ t.Run(tc.Name, func(t *testing.T) {
+ certData, err := os.ReadFile(filepath.Join("testdata", "tls", tc.CertFile))
+ require.NoError(t, err)
+ err = validateCertificate(certData)
+ if tc.ExpectedErr == nil {
+ require.NoError(t, err)
+ } else {
+ require.EqualError(t, err, tc.ExpectedErr.Error())
+ }
+ })
+ }
+}
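Review bot: `TestValidateCertificate` never exercises the two branches this commit adds: every fixture is currently valid, so neither `certificate is expired` nor `certificate is not yet valid` is asserted anywhere. Rather than committing an already-expired PEM, generate the certificate in the test with a validity window relative to `time.Now()`; that keeps the test deterministic and avoids adding another fixture that bit-rots. Give `testCase` a `CertData []byte` field that is used when `CertFile` is empty, and add the two cases below (this needs `crypto/ecdsa`, `crypto/elliptic`, `crypto/rand`, `encoding/pem`, `math/big` and `time` in the test file's imports).
```go
// certPEM returns a self-signed certificate whose validity window is [notBefore, notAfter].
func certPEM(t *testing.T, notBefore, notAfter time.Time) []byte {
	t.Helper()
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.NoError(t, err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	require.NoError(t, err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// … unchanged: existing file-backed cases …
{
	Name:        "expired-cert",
	CertData:    certPEM(t, time.Now().Add(-48*time.Hour), time.Now().Add(-24*time.Hour)),
	ExpectedErr: errors.New("certificate is expired"),
},
{
	Name:        "not-yet-valid-cert",
	CertData:    certPEM(t, time.Now().Add(24*time.Hour), time.Now().Add(48*time.Hour)),
	ExpectedErr: errors.New("certificate is not yet valid"),
},
```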
diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go
index 5163deca337..51b7b6fb7dd 100644
--- a/internal/gatewayapi/translator.go
+++ b/internal/gatewayapi/translator.go
@@ -9,6 +9,7 @@ import (
"golang.org/x/exp/maps"
"k8s.io/apimachinery/pkg/runtime/schema"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+ egv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
"github.com/envoyproxy/gateway/internal/ir"
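Review bot: The alias `egv1a2` for `sigs.k8s.io/gateway-api/apis/v1alpha2` is misleading: in this file the `eg` prefix denotes Envoy Gateway's own API (`egv1a1` → `github.com/envoyproxy/gateway/api/v1alpha1`), while the upstream Gateway API package right above it is aliased `gwapiv1`. A reader of `[]*egv1a2.BackendTLSPolicy` will assume a project-local type. Rename it to follow the existing convention, `gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"`, and update the references in `newTranslateResult` accordingly.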
@@ -17,6 +18,7 @@ import (
const (
KindConfigMap = "ConfigMap"
KindClientTrafficPolicy = "ClientTrafficPolicy"
+ KindBackendTLSPolicy = "BackendTLSPolicy"
KindEnvoyProxy = "EnvoyProxy"
KindGateway = "Gateway"
KindGatewayClass = "GatewayClass"
@@ -91,6 +93,9 @@ type Translator struct {
// introduced by an Extension so that the translator can
// store referenced resources in the IR for later use.
ExtensionGroupKinds []schema.GroupKind
+
+ // Namespace is the namespace that Envoy Gateway runs in.
+ Namespace string
}
type TranslateResult struct {
@@ -108,6 +113,7 @@ func newTranslateResult(gateways []*GatewayContext,
clientTrafficPolicies []*egv1a1.ClientTrafficPolicy,
backendTrafficPolicies []*egv1a1.BackendTrafficPolicy,
securityPolicies []*egv1a1.SecurityPolicy,
+ backendTLSPolicies []*egv1a2.BackendTLSPolicy,
xdsIR XdsIRMap, infraIR InfraIRMap) *TranslateResult {
translateResult := &TranslateResult{
XdsIR: xdsIR,
@@ -136,6 +142,7 @@ func newTranslateResult(gateways []*GatewayContext,
translateResult.ClientTrafficPolicies = append(translateResult.ClientTrafficPolicies, clientTrafficPolicies...)
translateResult.BackendTrafficPolicies = append(translateResult.BackendTrafficPolicies, backendTrafficPolicies...)
translateResult.SecurityPolicies = append(translateResult.SecurityPolicies, securityPolicies...)
+ translateResult.BackendTLSPolicies = append(translateResult.BackendTLSPolicies, backendTLSPolicies...)
return translateResult
}
@@ -200,12 +207,15 @@ func (t *Translator) Translate(resources *Resources) *TranslateResult {
securityPolicies := t.ProcessSecurityPolicies(
resources.SecurityPolicies, gateways, routes, resources, xdsIR)
+ backendTLSPolicies := t.ProcessBackendTLSPoliciesAncestorRef(
+ resources.BackendTLSPolicies, gateways)
+
// Sort xdsIR based on the Gateway API spec
sortXdsIRMap(xdsIR)
return newTranslateResult(gateways, httpRoutes, grpcRoutes, tlsRoutes,
tcpRoutes, udpRoutes, clientTrafficPolicies, backendTrafficPolicies,
- securityPolicies, xdsIR, infraIR)
+ securityPolicies, backendTLSPolicies, xdsIR, infraIR)
}
diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go
index c67500dceba..ffadaf8bcbf 100644
--- a/internal/gatewayapi/translator_test.go
+++ b/internal/gatewayapi/translator_test.go
@@ -77,6 +77,7 @@ func TestTranslate(t *testing.T) {
GatewayClassName: "envoy-gateway-class",
GlobalRateLimitEnabled: true,
EnvoyPatchPolicyEnabled: envoyPatchPolicyEnabled,
+ Namespace: "envoy-gateway-system",
}
// Add common test fixtures
@@ -241,8 +242,12 @@ func TestTranslate(t *testing.T) {
want := &TranslateResult{}
mustUnmarshal(t, output, want)
- opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime")
- require.Empty(t, cmp.Diff(want, got, opts))
+ opts := []cmp.Option{
+ cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"),
+ cmpopts.EquateEmpty(),
+ }
+
+ require.Empty(t, cmp.Diff(want, got, opts...))
})
}
}
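Review bot: `cmpopts.EquateEmpty()` is applied to the whole TranslateResult comparison, so a nil slice or map anywhere in the result now compares equal to an empty one, not only for the newly added BackendTLSPolicies field; a regression that starts emitting an empty list where the golden file has nothing (or the reverse) would pass silently. If the option is only needed because the golden YAML omits the new field, a short comment saying so, e.g. `// golden YAML omits empty BackendTLSPolicies; treat nil and empty alike`, would keep the relaxation from reading as intended for every field. TestTranslate's loop continues outside the hunk.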
diff --git a/internal/gatewayapi/zz_generated.deepcopy.go b/internal/gatewayapi/zz_generated.deepcopy.go
index eb31a82d5e9..30c6c2938b1 100644
--- a/internal/gatewayapi/zz_generated.deepcopy.go
+++ b/internal/gatewayapi/zz_generated.deepcopy.go
@@ -227,6 +227,17 @@ func (in *Resources) DeepCopyInto(out *Resources) {
}
}
}
+ if in.BackendTLSPolicies != nil {
+ in, out := &in.BackendTLSPolicies, &out.BackendTLSPolicies
+ *out = make([]*v1alpha2.BackendTLSPolicy, len(*in))
+ for i := range *in {
+ if (*in)[i] != nil {
+ in, out := &(*in)[i], &(*out)[i]
+ *out = new(v1alpha2.BackendTLSPolicy)
+ (*in).DeepCopyInto(*out)
+ }
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources.
diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go
index fd4107ea0de..2a11f7317d3 100644
--- a/internal/infrastructure/kubernetes/proxy/resource_provider.go
+++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go
@@ -147,6 +147,12 @@ func (r *ResourceRender) Service() (*corev1.Service, error) {
Spec: serviceSpec,
}
+ // apply merge patch to service
+ var err error
+ if svc, err = envoyServiceConfig.ApplyMergePatch(svc); err != nil {
+ return nil, err
+ }
+
return svc, nil
}
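Review bot: The merge patch applied at `svc, err = envoyServiceConfig.ApplyMergePatch(svc)` comes from the EnvoyProxy resource and can rewrite any field of the rendered Service, including `metadata.name`, `metadata.namespace`, the owning-gateway labels and `spec.selector`; the new `patch-service` case in resource_provider_test.go does exactly that with `{"metadata":{"name":"foo"}}`. If the infrastructure manager later looks the Service up or garbage-collects it by the name and labels computed above this hunk, a patched object would be missed or orphaned, so it seems worth either restoring the identity fields (name, namespace, the managed-by/owning-gateway labels) from the pre-patch values after the call or rejecting patches that touch them. The same consideration applies to the Deployment patch in the `@@ -268,8 +273,8 @@` hunk, where a patch failure is now correctly surfaced but the merged object is likewise not re-validated. Service()'s signature is outside the hunk.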
@@ -248,7 +254,6 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
RestartPolicy: corev1.RestartPolicyAlways,
SchedulerName: "default-scheduler",
SecurityContext: deploymentConfig.Pod.SecurityContext,
- HostNetwork: deploymentConfig.Pod.HostNetwork,
Affinity: deploymentConfig.Pod.Affinity,
Tolerations: deploymentConfig.Pod.Tolerations,
Volumes: expectedDeploymentVolumes(r.infra.Name, deploymentConfig),
@@ -268,8 +273,8 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
}
// apply merge patch to deployment
- if merged, err := deploymentConfig.ApplyMergePatch(deployment); err == nil {
- deployment = merged
+ if deployment, err = deploymentConfig.ApplyMergePatch(deployment); err != nil {
+ return nil, err
}
return deployment, nil
diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go
index 2e228082687..8f08c81084c 100644
--- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go
+++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go
@@ -6,6 +6,7 @@
package proxy
import (
+ "flag"
"fmt"
"os"
"sort"
@@ -29,6 +30,10 @@ import (
"github.com/envoyproxy/gateway/internal/ir"
)
+var (
+ overrideTestData = flag.Bool("override-testdata", false, "if override the test output data.")
+)
+
const (
// envoyHTTPPort is the container port number of Envoy's HTTP endpoint.
envoyHTTPPort = int32(8080)
@@ -116,7 +121,6 @@ func TestDeployment(t *testing.T) {
SecurityContext: &corev1.PodSecurityContext{
RunAsUser: ptr.To[int64](1000),
},
- HostNetwork: true,
},
Container: &egv1a1.KubernetesContainerSpec{
Image: ptr.To("envoyproxy/envoy:v1.2.3"),
@@ -333,11 +337,13 @@ func TestDeployment(t *testing.T) {
bootstrap: `test bootstrap config`,
},
{
- caseName: "enable-prometheus",
+ caseName: "disable-prometheus",
infra: newTestInfra(),
telemetry: &egv1a1.ProxyTelemetry{
Metrics: &egv1a1.ProxyMetrics{
- Prometheus: &egv1a1.ProxyPrometheusProvider{},
+ Prometheus: &egv1a1.ProxyPrometheusProvider{
+ Disable: true,
+ },
},
},
},
@@ -509,14 +515,6 @@ func TestDeployment(t *testing.T) {
if tc.telemetry != nil {
tc.infra.Proxy.Config.Spec.Telemetry = tc.telemetry
- } else {
- tc.infra.Proxy.Config.Spec.Telemetry = &egv1a1.ProxyTelemetry{
- Metrics: &egv1a1.ProxyMetrics{
- Prometheus: &egv1a1.ProxyPrometheusProvider{
- Disable: true,
- },
- },
- }
}
if len(tc.proxyLogging) > 0 {
@@ -550,6 +548,15 @@ func TestDeployment(t *testing.T) {
})
}
+ if *overrideTestData {
+ deploymentYAML, err := yaml.Marshal(dp)
+ require.NoError(t, err)
+ // nolint: gosec
+ err = os.WriteFile(fmt.Sprintf("testdata/deployments/%s.yaml", tc.caseName), deploymentYAML, 0644)
+ require.NoError(t, err)
+ return
+ }
+
sortEnv(dp.Spec.Template.Spec.Containers[0].Env)
sortEnv(expected.Spec.Template.Spec.Containers[0].Env)
assert.Equal(t, expected, dp)
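Review bot: The `// nolint: gosec` comment above the `os.WriteFile` call has a space after `//`, which golangci-lint does not recognise as a directive (its accepted form is `//nolint:gosec` with no space), so if this repository lints with golangci-lint the G306 finding for `0644` will still be reported; `//nolint:gosec // test fixture, world-readable is fine` is the form that suppresses it and records why. The early `return` also means an override run exercises none of the assertions below it, so a regenerated fixture is never compared in the same run; that is presumably intended, but a one-line comment such as `// regenerate the golden file and skip comparison; rerun without the flag to verify` would make it explicit. TestDeployment's body continues outside the hunk on both sides.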
@@ -623,6 +630,18 @@ func TestService(t *testing.T) {
Type: &svcType,
},
},
+ {
+ caseName: "patch-service",
+ infra: newTestInfra(),
+ service: &egv1a1.KubernetesServiceSpec{
+ Patch: &egv1a1.KubernetesPatchSpec{
+ Type: ptr.To(egv1a1.StrategicMerge),
+ Value: v1.JSON{
+ Raw: []byte("{\"metadata\":{\"name\":\"foo\"}}"),
+ },
+ },
+ },
+ },
}
for _, tc := range cases {
t.Run(tc.caseName, func(t *testing.T) {
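Review bot: The new `patch-service` case only covers a patch that is accepted; the error path that Service() now returns when `ApplyMergePatch` fails (a `Raw` that is not valid JSON, or a patch `Type` the helper does not support) has no test. A case with a malformed `Raw` asserting that Service() errors would pin that behaviour, though the case struct visible here has no error-expectation field, so the loop body would need one. The `for _, tc := range cases` body that would carry the assertion is outside the hunk.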
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml
index e684044d8ca..1e4064a3162 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml
@@ -1,161 +1,171 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - --config-yaml test bootstrap config
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - --config-yaml test bootstrap config
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml
index f2640964efd..11b7ff5d5ff 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml
@@ -1,162 +1,172 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - --config-yaml test bootstrap config
- - --log-level error
- - --cpuset-threads
- - --component-log-level filter:info
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - --config-yaml test bootstrap config
+ - --log-level error
+ - --cpuset-threads
+ - --component-log-level filter:info
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml
index ffc5a24f7ae..e26fd3bb243 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml
@@ -1,274 +1,303 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ foo.bar: custom-label
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
- foo.bar: custom-label
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ foo.bar: custom-label
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
- foo.bar: custom-label
- annotations:
- prometheus.io/scrape: "true"
spec:
automountServiceAccountToken: false
- hostNetwork: true
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:v1.2.3
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:v1.2.3
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-default-37a8eec1
- terminationGracePeriodSeconds: 900
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-default-37a8eec1
+ terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
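Review bot: The rendered bootstrap in this fixture now routes `prefix: /stats/prometheus` on the 0.0.0.0:19001 ready listener to the `prometheus_stats` cluster, i.e. the admin interface on 127.0.0.1:19000, and the Deployment additionally publishes that port as `metrics` with scrape annotations, so the admin interface becomes reachable from the pod network, limited only by this prefix match. An exact match (`path: /stats/prometheus`) would be the tighter choice, and it is worth confirming that the HCM has `normalize_path` and `merge_slashes` enabled so that the path the admin listener sees is the one the route matched. This fixture is generated output, so the change belongs in the bootstrap template that produces it, which is outside this diff; the same configuration appears in custom_with_initcontainers.yaml, whose hunk runs past the end of the view.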
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml
index ac68d8e5cec..f02af889f68 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml
@@ -1,290 +1,320 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 3
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ foo.bar: custom-label
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
- foo.bar: custom-label
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ foo.bar: custom-label
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
- foo.bar: custom-label
- annotations:
- prometheus.io/scrape: "true"
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:v1.2.3
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - mountPath: /lib/filter_foo.so
- name: custom-libs
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:v1.2.3
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- initContainers:
- - name: install-filter-foo
- image: alpine:3.11.3
- command:
- - /bin/sh
- - -c
- args:
- - echo "Installing filter-foo";
- wget -q https://example.com/download/filter_foo_v1.0.0.tgz -O - | tar -xz --directory=/lib filter_foo.so;
- echo "Done";
- volumeMounts:
- - mountPath: /lib
- name: custom-libs
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - mountPath: /lib/filter_foo.so
+ name: custom-libs
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
+ initContainers:
+ - args:
+ - echo "Installing filter-foo"; wget -q https://example.com/download/filter_foo_v1.0.0.tgz
+ -O - | tar -xz --directory=/lib filter_foo.so; echo "Done";
+ command:
+ - /bin/sh
+ - -c
+ image: alpine:3.11.3
+ name: install-filter-foo
+ resources: {}
+ volumeMounts:
+ - mountPath: /lib
+ name: custom-libs
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-default-37a8eec1
- terminationGracePeriodSeconds: 900
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-default-37a8eec1
+ terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- - name: custom-libs
- emptyDir: {}
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+ - emptyDir: {}
+ name: custom-libs
+status: {}
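Review bot: The new `prometheus_stats` route on the `0.0.0.0:19001` readiness listener matches `prefix: /stats/prometheus` with `domains: ["*"]` and forwards to the admin interface on `127.0.0.1:19000`, so Envoy's admin stats become reachable unauthenticated from anything that can reach the pod on port 19001 (which the hunk now also publishes as the `metrics` containerPort). A prefix match is wider than the single admin handler you want to expose; an exact match narrows the forwarded surface to one path: `- match:` / `path: /stats/prometheus` in place of `prefix: /stats/prometheus`. Since this file is a golden fixture that is presumably rendered from the bootstrap template, the change belongs in that template, with this fixture regenerated. It would also be worth documenting in the fixture or template that scraping is unauthenticated and is expected to be restricted by a NetworkPolicy on port 19001, because nothing in the rendered Deployment itself limits who can hit it.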
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml
index c5f427b646d..04221e4729e 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml
@@ -1,271 +1,301 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
- annotations:
- prometheus.io/scrape: "true"
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:v1.2.3
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:v1.2.3
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-default-37a8eec1
- terminationGracePeriodSeconds: 900
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-default-37a8eec1
+ terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
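Review bot: The `shutdown-manager` sidecar in this fixture runs `image: envoyproxy/gateway-dev:latest` with `imagePullPolicy: IfNotPresent`, a mutable tag combined with a policy that lets whatever is cached on the node win, so two replicas of the same Deployment can end up running different binaries and neither is tied to a reviewed build. If this reflects the generator's default rather than a value the test injects, the default should be a version tag or `@sha256:` digest so the sidecar is pinned like the envoy container's `envoyproxy/envoy:v1.2.3` in the same pod spec; if it is only a test value, a comment in the test that produces this fixture saying so would prevent the pattern being copied. The fixture also carries `securityContext: privileged: true` on the envoy container, which presumably comes from the custom env config under test; a one-line note in the test naming that as deliberate would help a reader who otherwise takes the golden file as a recommended shape.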
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml
index c96afd0aa57..866c1e4f393 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml
@@ -1,262 +1,294 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml
new file mode 100644
index 00000000000..6523569c80e
--- /dev/null
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml
@@ -0,0 +1,265 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ gateway.envoyproxy.io/owning-gateway-name: default
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: envoy-default-37a8eec1
+ namespace: envoy-gateway-system
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ gateway.envoyproxy.io/owning-gateway-name: default
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ gateway.envoyproxy.io/owning-gateway-name: default
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ http_filters:
+ - name: envoy.filters.http.health_check
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ httpGet:
+ path: /shutdown/ready
+ port: 19002
+ scheme: HTTP
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-default-37a8eec1
+ terminationGracePeriodSeconds: 900
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/enable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/enable-prometheus.yaml
deleted file mode 100644
index ef459a40401..00000000000
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/enable-prometheus.yaml
+++ /dev/null
@@ -1,291 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/name: envoy
- app.kubernetes.io/component: proxy
- app.kubernetes.io/managed-by: envoy-gateway
- gateway.envoyproxy.io/owning-gateway-name: default
- gateway.envoyproxy.io/owning-gateway-namespace: default
- name: envoy-default-37a8eec1
- namespace: envoy-gateway-system
-spec:
- replicas: 1
- strategy:
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/name: envoy
- app.kubernetes.io/component: proxy
- app.kubernetes.io/managed-by: envoy-gateway
- gateway.envoyproxy.io/owning-gateway-name: default
- gateway.envoyproxy.io/owning-gateway-namespace: default
- template:
- metadata:
- annotations:
- prometheus.io/path: /stats/prometheus
- prometheus.io/port: "19001"
- prometheus.io/scrape: "true"
- labels:
- app.kubernetes.io/name: envoy
- app.kubernetes.io/component: proxy
- app.kubernetes.io/managed-by: envoy-gateway
- gateway.envoyproxy.io/owning-gateway-name: default
- gateway.envoyproxy.io/owning-gateway-namespace: default
- spec:
- automountServiceAccountToken: false
- containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- virtual_hosts:
- - name: prometheus_stats
- domains:
- - "*"
- routes:
- - match:
- prefix: /stats/prometheus
- route:
- cluster: prometheus_stats
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - name: prometheus_stats
- connect_timeout: 0.250s
- type: STATIC
- lb_policy: ROUND_ROBIN
- load_assignment:
- cluster_name: prometheus_stats
- endpoints:
- - lb_endpoints:
- - endpoint:
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- - containerPort: 19001
- name: metrics
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- serviceAccountName: envoy-default-37a8eec1
- terminationGracePeriodSeconds: 900
- volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml
index 0bace33bc2b..17067fe31c1 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml
@@ -1,275 +1,305 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
- annotations:
- prometheus.io/scrape: "true"
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: env_a
- value: env_a_value
- - name: env_b
- value: env_b_value
- image: envoyproxy/envoy:v1.2.3
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: env_a
+ value: env_a_value
+ - name: env_b
+ value: env_b_value
+ image: envoyproxy/envoy:v1.2.3
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-default-37a8eec1
- terminationGracePeriodSeconds: 900
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-default-37a8eec1
+ terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml
index 4b0bcd0dfce..253588c0665 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml
@@ -4,10 +4,11 @@ metadata:
annotations:
anno1: value1
anno2: value2
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
label1: value1
@@ -15,27 +16,33 @@ metadata:
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
label1: value1-override
label2: value2
+ strategy:
+ type: RollingUpdate
template:
metadata:
annotations:
anno1: value1-override
anno2: value2
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
label1: value1-override
@@ -43,232 +50,256 @@ spec:
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
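Review bot: The new `prometheus_stats` route in the bootstrap block (`virtual_hosts` → `routes` → `match: prefix: /stats/prometheus`) matches by prefix, so any path beginning with `/stats/prometheus` that arrives on the 0.0.0.0:19001 ready listener is forwarded to the admin socket at 127.0.0.1:19000, which this bootstrap otherwise binds to loopback only. An exact match, `path: /stats/prometheus` in place of `prefix: /stats/prometheus`, keeps the externally reachable surface to the single metrics endpoint the new `metrics` containerPort and `prometheus.io/*` annotations advertise; whether the admin interface answers anything but 404 for longer paths is not visible here, so treat this as a tightening rather than a confirmed exposure. The same route appears in the patch-deployment.yaml hunk ending at L13285 and in the shutdown-manager.yaml hunk that runs past this view. These are golden testdata files, so the change presumably belongs in the Go code that renders the bootstrap, which is outside this diff.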
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml
index 3029ab1a4a2..31c18276aac 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml
@@ -1,243 +1,276 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
restartPolicy: Always
@@ -245,19 +278,18 @@ spec:
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml
index c28ad823250..43059817605 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml
@@ -1,274 +1,306 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- - --ready-timeout=40s
- command:
- - envoy-gateway
- env:
- - name: env_a
- value: env_a_value
- - name: env_b
- value: env_b_value
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:v1.2.3
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- - --drain-timeout=30s
- - --min-drain-duration=15s
- name: shutdown-manager
- resources:
- limits:
- cpu: 200m
- memory: 96Mi
- requests:
- cpu: 100m
- memory: 64Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- securityContext:
- runAsUser: 1234
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ - --ready-timeout=40s
+ command:
+ - envoy-gateway
+ env:
+ - name: env_a
+ value: env_a_value
+ - name: env_b
+ value: env_b_value
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:v1.2.3
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ - --drain-timeout=30s
+ - --min-drain-duration=15s
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 200m
+ memory: 96Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ securityContext:
+ runAsUser: 1234
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 330
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml
index 81437fea591..b663085188e 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml
@@ -1,275 +1,305 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
- annotations:
- prometheus.io/scrape: "true"
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: env_a
- value: env_a_value
- - name: env_b
- value: env_b_value
- image: envoyproxy/envoy:v1.2.3
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: env_a
+ value: env_a_value
+ - name: env_b
+ value: env_b_value
+ image: envoyproxy/envoy:v1.2.3
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 2Gi
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ securityContext:
+ privileged: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-default-37a8eec1
- terminationGracePeriodSeconds: 900
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-default-37a8eec1
+ terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: custom-envoy-cert
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: custom-envoy-cert
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
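Review bot: The readiness listener bound to `0.0.0.0:19001` in the new bootstrap now carries a route `prefix: /stats/prometheus` to the `prometheus_stats` cluster, which is the admin interface on `127.0.0.1:19000`, so admin stats are reachable on the pod IP by anything that can reach port 19001 (now also declared as the `metrics` containerPort and advertised via `prometheus.io/scrape: "true"`). Since only the one admin handler is needed, an exact match, `path: /stats/prometheus`, would stop any other `/stats/prometheus<suffix>` path from being forwarded to the admin cluster; if this file is a generated fixture, as the wholesale key reordering and the added `status: {}` suggest, that change belongs in the bootstrap template rather than in the golden output. The identical routing appears in the with-annotations.yaml hunk and presumably in the other regenerated deployment fixtures. A short comment in the template stating that 19001 serves unauthenticated stats and what is expected to restrict access to it (network policy, or nothing) would help reviewers judge the exposure — confirm which is intended.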
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml
index 5e6fd0e18b6..9b1765fff3d 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml
@@ -4,265 +4,296 @@ metadata:
annotations:
anno1: value1
anno2: value2
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
annotations:
anno1: value1
anno2: value2
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml
index fbace368c2b..f4299e05180 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml
@@ -1,162 +1,172 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - --config-yaml test bootstrap config
- - --log-level warn
- - --cpuset-threads
- - --concurrency 4
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - --config-yaml test bootstrap config
+ - --log-level warn
+ - --cpuset-threads
+ - --concurrency 4
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
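Review bot: The regenerated expectation now carries `creationTimestamp: null` under both `metadata` blocks and a trailing `status: {}`, which are marshalling artifacts of the Kubernetes API types rather than fields the generator sets, and the same artifacts appear in the with-extra-args, with-image-pull-secrets and with-node-selector hunks. They are harmless for a byte-for-byte golden comparison, but they make the fixture read as if the generator emits an empty status and a nil timestamp; if the test is now comparing marshalled text (which the alphabetical re-ordering of keys in this hunk suggests, though the test code is outside the diff), a typed semantic comparison or stripping these two fields before writing the golden file would keep the fixtures closer to what is actually produced. The key re-ordering itself does not change the Deployment.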
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml
index d039593fdf9..41c17c28068 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml
@@ -1,264 +1,296 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- - --key1 val1
- - --key2 val2
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ - --key1 val1
+ - --key2 val2
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
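Review bot: The bootstrap now adds a `prometheus_stats` virtual host with `domains: ["*"]` that routes the `/stats/prometheus` prefix to a cluster whose only endpoint is `127.0.0.1:19000`, the `admin` address configured at the top of the same `--config-yaml` block, and that route sits on the listener bound to `0.0.0.0:19001`, so admin-served stats become reachable on the pod network without any authentication; the `HealthCheck` filter (`pass_through_mode: false`) only intercepts `:path` exactly `/ready`, so every other request on 19001 falls through to the router. The fixture only records what the generator emits, so this is a property of the generator (outside this diff) rather than of the golden file, and the same bootstrap is repeated in the with-image-pull-secrets and with-node-selector hunks. It is worth a comment in the generator stating that 19001 now serves both the readiness endpoint and metrics and that operators who do not want Envoy stats visible cluster-wide should restrict that port with a NetworkPolicy; the new `containerPort` entry is named `metrics` although it also carries the readiness probe. Whether the exposed stats contain anything sensitive depends on the deployment and cannot be judged from the fixture.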
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml
index 15f475f4fc7..fe7b608026c 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml
@@ -1,265 +1,297 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
+ imagePullSecrets:
+ - name: aaa
+ - name: bbb
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
- imagePullSecrets:
- - name: aaa
- - name: bbb
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml
index c80231848bb..6d544f57ddb 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml
@@ -1,243 +1,276 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
nodeSelector:
key1: value1
@@ -247,19 +280,18 @@ spec:
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml
index f3bb3826542..b0b5afbc3f2 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml
@@ -1,271 +1,303 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- - args:
- - --service-cluster default
- - --service-node $(ENVOY_POD_NAME)
- - |
- --config-yaml admin:
- access_log:
- - name: envoy.access_loggers.file
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
typed_config:
- "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
- path: /dev/null
- address:
- socket_address:
- address: 127.0.0.1
- port_value: 19000
- layered_runtime:
- layers:
- - name: global_config
- static_layer:
- envoy.restart_features.use_eds_cache_for_ads: true
- re2.max_program_size.error_level: 4294967295
- re2.max_program_size.warn_level: 1000
- dynamic_resources:
- ads_config:
- api_type: DELTA_GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds_cluster
- set_node_on_first_message_only: true
- lds_config:
- ads: {}
- resource_api_version: V3
- cds_config:
- ads: {}
- resource_api_version: V3
- static_resources:
- listeners:
- - name: envoy-gateway-proxy-ready-0.0.0.0-19001
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 19001
- protocol: TCP
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: eg-ready-http
- route_config:
- name: local_route
- http_filters:
- - name: envoy.filters.http.health_check
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
- pass_through_mode: false
- headers:
- - name: ":path"
- string_match:
- exact: /ready
- - name: envoy.filters.http.router
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- clusters:
- - connect_timeout: 10s
- load_assignment:
- cluster_name: xds_cluster
- endpoints:
- - load_balancing_weight: 1
- lb_endpoints:
- - load_balancing_weight: 1
- endpoint:
- address:
- socket_address:
- address: envoy-gateway
- port_value: 18000
- typed_extension_protocol_options:
- envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
- explicit_http_config:
- http2_protocol_options:
- connection_keepalive:
- interval: 30s
- timeout: 5s
- name: xds_cluster
- type: STRICT_DNS
- transport_socket:
- name: envoy.transport_sockets.tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- common_tls_context:
- tls_params:
- tls_maximum_protocol_version: TLSv1_3
- tls_certificate_sds_secret_configs:
- - name: xds_certificate
- sds_config:
- path_config_source:
- path: "/sds/xds-certificate.json"
- resource_api_version: V3
- validation_context_sds_secret_config:
- name: xds_trusted_ca
- sds_config:
- path_config_source:
- path: "/sds/xds-trusted-ca.json"
- resource_api_version: V3
- - --log-level warn
- - --cpuset-threads
- command:
- - envoy
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/envoy:distroless-dev
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- httpGet:
- path: /shutdown/ready
- port: 19002
- scheme: HTTP
- name: envoy
- ports:
- - containerPort: 8080
- name: EnvoyH-d76a15e2
- protocol: TCP
- - containerPort: 8443
- name: EnvoyH-6658f727
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- readinessProbe:
- httpGet:
- path: /ready
- port: 19001
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
- - mountPath: /sds
- name: sds
- - args:
- - envoy
- - shutdown-manager
- command:
- - envoy-gateway
- env:
- - name: ENVOY_GATEWAY_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: ENVOY_POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- image: envoyproxy/gateway-dev:latest
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - envoy-gateway
- - envoy
- - shutdown
- name: shutdown-manager
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- readinessProbe:
- httpGet:
- path: /healthz
- port: 19002
- scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- livenessProbe:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
httpGet:
- path: /healthz
+ path: /shutdown/ready
port: 19002
scheme: HTTP
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 900
topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
- matchLabels:
- app: foo
- matchLabelKeys:
- - pod-template-hash
+ - labelSelector:
+ matchLabels:
+ app: foo
+ matchLabelKeys:
+ - pod-template-hash
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
volumes:
- - name: certs
- secret:
- secretName: envoy
- defaultMode: 420
- - configMap:
- defaultMode: 420
- items:
- - key: xds-trusted-ca.json
- path: xds-trusted-ca.json
- - key: xds-certificate.json
- path: xds-certificate.json
- name: envoy-default-37a8eec1
- optional: false
- name: sds
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/services/patch-service.yaml b/internal/infrastructure/kubernetes/proxy/testdata/services/patch-service.yaml
new file mode 100644
index 00000000000..3dd093ffff6
--- /dev/null
+++ b/internal/infrastructure/kubernetes/proxy/testdata/services/patch-service.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: envoy
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/managed-by: envoy-gateway
+ gateway.envoyproxy.io/owning-gateway-name: default
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: foo
+ namespace: envoy-gateway-system
+spec:
+ externalTrafficPolicy: Local
+ ports:
+ - name: envoy-EnvoyHTTPPort-d76a15e2
+ port: 0
+ protocol: TCP
+ targetPort: 8080
+ - name: envoy-EnvoyHTTPSPort-6658f727
+ port: 0
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app.kubernetes.io/name: envoy
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/managed-by: envoy-gateway
+ gateway.envoyproxy.io/owning-gateway-name: default
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ sessionAffinity: None
+ type: LoadBalancer
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go
index b0d44694e2c..b6924aab00c 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource.go
@@ -91,7 +91,9 @@ const (
// ReadinessPath is readiness path for readiness probe.
ReadinessPath = "/healthcheck"
// ReadinessPort is readiness port for readiness probe.
- ReadinessPort = 8080
+ ReadinessPort = 8080
+ StatsdPort = 9125
+ PrometheusPort = 19001
)
// GetServiceURL returns the URL for the rate limit service.
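Review bot: The new `StatsdPort` and `PrometheusPort` constants carry no doc comment, while the neighbouring `ReadinessPath` and `ReadinessPort` in the same block do. Suggest `// StatsdPort is the port on which the statsd exporter sidecar receives statsd metrics.` and `// PrometheusPort is the port on which the statsd exporter sidecar serves Prometheus metrics.`, matching the block's existing style. The enclosing const block starts outside the hunk.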
@@ -163,9 +165,47 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeploymen
},
}
+ if enablePrometheus(rateLimit) {
+ containers = append(containers, promStatsdExporterContainer())
+ }
+
return containers
}
+func promStatsdExporterContainer() corev1.Container {
+ return corev1.Container{
+ Name: "prom-statsd-exporter",
+ Image: "prom/statsd-exporter:v0.18.0",
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ Command: []string{
+ "/bin/statsd_exporter",
+ fmt.Sprintf("--web.listen-address=:%d", PrometheusPort),
+ "--statsd.mapping-config=/etc/statsd-exporter/conf.yaml",
+ },
+ Ports: []corev1.ContainerPort{
+ {
+ Name: "statsd",
+ ContainerPort: StatsdPort,
+ Protocol: corev1.ProtocolTCP,
+ },
+ {
+ Name: "metrics",
+ ContainerPort: PrometheusPort,
+ Protocol: corev1.ProtocolTCP,
+ },
+ },
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ Name: "statsd-exporter-config",
+ ReadOnly: true,
+ MountPath: "/etc/statsd-exporter",
+ },
+ },
+ TerminationMessagePolicy: corev1.TerminationMessageReadFile,
+ TerminationMessagePath: "/dev/termination-log",
+ }
+}
+
// expectedContainerVolumeMounts returns expected rateLimit container volume mounts.
func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.VolumeMount {
var volumeMounts []corev1.VolumeMount
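Review bot: `promStatsdExporterContainer` hard-codes `prom/statsd-exporter:v0.18.0` by mutable tag and sets neither `Resources` nor `SecurityContext`, so the sidecar cannot be overridden or verified by digest and runs with no resource request or limit next to the rate limit container. Consider pinning the image by digest or exposing it through the deployment spec the way the rate limit container's image is, and giving the sidecar at least a small resource request. The function also lacks a doc comment; suggest `// promStatsdExporterContainer returns the statsd_exporter sidecar that listens for statsd metrics on StatsdPort and serves them as Prometheus metrics on PrometheusPort, using the mapping config mounted from the statsd-exporter-config ConfigMap.` The `expectedRateLimitContainers` function at the top of the hunk starts outside it.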
@@ -214,6 +254,21 @@ func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitDeployment
},
})
+ if enablePrometheus(rateLimit) {
+ volumes = append(volumes, corev1.Volume{
+ Name: "statsd-exporter-config",
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "statsd-exporter-config",
+ },
+ Optional: ptr.To(true),
+ DefaultMode: ptr.To[int32](420),
+ },
+ },
+ })
+ }
+
return resource.ExpectedDeploymentVolumes(rateLimitDeployment.Pod, volumes)
}
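Review bot: The `statsd-exporter-config` volume is declared `Optional: ptr.To(true)`, yet the sidecar is started with `--statsd.mapping-config=/etc/statsd-exporter/conf.yaml` read from that mount, so if the ConfigMap is missing the pod would still start with an empty mount and the exporter would presumably fail on the absent file rather than the pod reporting a clear mount error. Since `ConfigMap()` is rendered under the same `enablePrometheus` condition, `Optional: ptr.To(false)` (or omitting the field) looks like the safer default; if optional is intentional, a short comment on why would avoid the question. `expectedDeploymentVolumes` starts outside the hunk.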
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
index 5e4a2a2639b..67c5312b5e3 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
@@ -6,6 +6,9 @@
package ratelimit
import (
+ _ "embed"
+ "strconv"
+
appsv1 "k8s.io/api/apps/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
@@ -24,8 +27,12 @@ const (
ResourceKindService = "Service"
ResourceKindDeployment = "Deployment"
ResourceKindServiceAccount = "ServiceAccount"
+ appsAPIVersion = "apps/v1"
)
+//go:embed statsd_conf.yaml
+var statsConf string
+
type ResourceRender struct {
// Namespace is the Namespace used for managed infra.
Namespace string
@@ -51,9 +58,36 @@ func (r *ResourceRender) Name() string {
return InfraName
}
-// ConfigMap is deprecated since ratelimit supports xds grpc config server.
+func enablePrometheus(rl *egv1a1.RateLimit) bool {
+ if rl != nil &&
+ rl.Telemetry != nil &&
+ rl.Telemetry.Metrics.Prometheus != nil {
+ return !rl.Telemetry.Metrics.Prometheus.Disable
+ }
+
+ return true
+}
+
+// ConfigMap returns the expected rate limit ConfigMap based on the provided infra.
func (r *ResourceRender) ConfigMap() (*corev1.ConfigMap, error) {
- return nil, nil
+ if !enablePrometheus(r.rateLimit) {
+ return nil, nil
+ }
+
+ return &corev1.ConfigMap{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "ConfigMap",
+ APIVersion: "v1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: r.Namespace,
+ Name: "statsd-exporter-config",
+ Labels: rateLimitLabels(),
+ },
+ Data: map[string]string{
+ "conf.yaml": statsConf,
+ },
+ }, nil
}
// Service returns the expected rate limit Service based on the provided infra.
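Review bot: `enablePrometheus` guards `rl.Telemetry != nil` but then dereferences `rl.Telemetry.Metrics.Prometheus` without checking `Metrics`; the test data added in this commit builds `Metrics: &egv1a1.RateLimitMetrics{...}`, which suggests `Metrics` is a pointer, so a `RateLimit` with `Telemetry` set and `Metrics` unset would panic with a nil dereference. Add `rl.Telemetry.Metrics != nil &&` between the `Telemetry` and `Prometheus` checks. The function also has no doc comment; suggest `// enablePrometheus reports whether the Prometheus statsd-exporter sidecar and its ConfigMap should be rendered; metrics are enabled unless telemetry.metrics.prometheus.disable is set.`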
@@ -139,13 +173,18 @@ func (r *ResourceRender) ServiceAccount() (*corev1.ServiceAccount, error) {
// Deployment returns the expected rate limit Deployment based on the provided infra.
func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
- const apiVersion = "apps/v1"
-
containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment)
labels := rateLimitLabels()
selector := resource.GetSelector(labels)
var annotations map[string]string
+ if enablePrometheus(r.rateLimit) {
+ annotations = map[string]string{
+ "prometheus.io/path": "/metrics",
+ "prometheus.io/port": strconv.Itoa(PrometheusPort),
+ "prometheus.io/scrape": "true",
+ }
+ }
if r.rateLimitDeployment.Pod.Annotations != nil {
annotations = r.rateLimitDeployment.Pod.Annotations
}
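Review bot: The Prometheus scrape annotations built at the top of the hunk are discarded whenever `r.rateLimitDeployment.Pod.Annotations` is non-nil, because the following assignment replaces the whole map instead of merging into it. A user who sets any single pod annotation therefore silently loses scraping even though `enablePrometheus` is true and the sidecar is still added. If replacement is intended, a comment stating that user annotations override the defaults entirely would avoid surprise; otherwise layer the user annotations over the defaults as below. `Deployment` continues outside the hunk.
```go
	var annotations map[string]string
	if enablePrometheus(r.rateLimit) {
		annotations = map[string]string{
			"prometheus.io/path":   "/metrics",
			"prometheus.io/port":   strconv.Itoa(PrometheusPort),
			"prometheus.io/scrape": "true",
		}
	}
	// User-supplied pod annotations are layered on top of the scrape
	// defaults so enabling metrics survives; user keys win on conflict.
	if r.rateLimitDeployment.Pod.Annotations != nil {
		if annotations == nil {
			annotations = map[string]string{}
		}
		for k, v := range r.rateLimitDeployment.Pod.Annotations {
			annotations[k] = v
		}
	}
	// … unchanged: deployment construction …
```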
@@ -153,7 +192,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
deployment := &appsv1.Deployment{
TypeMeta: metav1.TypeMeta{
Kind: ResourceKindDeployment,
- APIVersion: apiVersion,
+ APIVersion: appsAPIVersion,
},
ObjectMeta: metav1.ObjectMeta{
Namespace: r.Namespace,
@@ -178,7 +217,6 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
RestartPolicy: corev1.RestartPolicyAlways,
SchedulerName: "default-scheduler",
SecurityContext: r.rateLimitDeployment.Pod.SecurityContext,
- HostNetwork: r.rateLimitDeployment.Pod.HostNetwork,
Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment),
Affinity: r.rateLimitDeployment.Pod.Affinity,
Tolerations: r.rateLimitDeployment.Pod.Tolerations,
@@ -197,7 +235,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
deployment.OwnerReferences = []metav1.OwnerReference{
{
Kind: ResourceKindDeployment,
- APIVersion: apiVersion,
+ APIVersion: appsAPIVersion,
Name: "envoy-gateway",
UID: uid,
},
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
index 2b8d774d14c..d322e8c925e 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
@@ -6,6 +6,7 @@
package ratelimit
import (
+ "flag"
"fmt"
"os"
"testing"
@@ -26,6 +27,10 @@ import (
"github.com/envoyproxy/gateway/internal/envoygateway/config"
)
+var (
+ overrideTestData = flag.Bool("override-testdata", false, "if override the test output data.")
+)
+
const (
// RedisAuthEnvVar is the redis auth.
RedisAuthEnvVar = "REDIS_AUTH"
@@ -152,6 +157,47 @@ func loadService() (*corev1.Service, error) {
return svc, nil
}
+func TestConfigmap(t *testing.T) {
+ cfg, err := config.New()
+ require.NoError(t, err)
+
+ cfg.EnvoyGateway.RateLimit = &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ }
+ r := NewResourceRender(cfg.Namespace, cfg.EnvoyGateway, ownerReferenceUID)
+ cm, err := r.ConfigMap()
+ require.NoError(t, err)
+
+ if *overrideTestData {
+ cmYAML, err := yaml.Marshal(cm)
+ require.NoError(t, err)
+ // nolint:gosec
+ err = os.WriteFile("testdata/envoy-ratelimit-configmap.yaml", cmYAML, 0644)
+ require.NoError(t, err)
+ return
+ }
+
+ expected, err := loadConfigmap()
+ require.NoError(t, err)
+
+ assert.Equal(t, expected, cm)
+}
+
+func loadConfigmap() (*corev1.ConfigMap, error) {
+ configmapYAML, err := os.ReadFile("testdata/envoy-ratelimit-configmap.yaml")
+ if err != nil {
+ return nil, err
+ }
+ cm := &corev1.ConfigMap{}
+ _ = yaml.Unmarshal(configmapYAML, cm)
+ return cm, nil
+}
+
func TestDeployment(t *testing.T) {
cfg, err := config.New()
require.NoError(t, err)
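Review bot: `loadConfigmap` discards the `yaml.Unmarshal` error at L17604, so a malformed or stale `testdata/envoy-ratelimit-configmap.yaml` produces an empty ConfigMap and a confusing `assert.Equal` diff in `TestConfigmap` instead of a clear failure. Replace the discard with `if err := yaml.Unmarshal(configmapYAML, cm); err != nil {` / `return nil, err` / `}` so the caller's `require.NoError` reports the real cause. If `loadDeployment` (outside this hunk) follows the same pattern it should get the same treatment; I cannot see its body from here.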
@@ -173,6 +219,25 @@ func TestDeployment(t *testing.T) {
rateLimit: rateLimit,
deploy: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDeployment,
},
+ {
+ caseName: "disable-prometheus",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ Telemetry: &egv1a1.RateLimitTelemetry{
+ Metrics: &egv1a1.RateLimitMetrics{
+ Prometheus: &egv1a1.RateLimitMetricsPrometheusProvider{
+ Disable: true,
+ },
+ },
+ },
+ },
+ deploy: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDeployment,
+ },
{
caseName: "patch-deployment",
rateLimit: rateLimit,
@@ -198,7 +263,6 @@ func TestDeployment(t *testing.T) {
SecurityContext: &corev1.PodSecurityContext{
RunAsUser: ptr.To[int64](1000),
},
- HostNetwork: true,
},
Container: &egv1a1.KubernetesContainerSpec{
Image: ptr.To("custom-image"),
@@ -566,6 +630,15 @@ func TestDeployment(t *testing.T) {
dp, err := r.Deployment()
require.NoError(t, err)
+ if *overrideTestData {
+ deploymentYAML, err := yaml.Marshal(dp)
+ require.NoError(t, err)
+ // nolint:gosec
+ err = os.WriteFile(fmt.Sprintf("testdata/deployments/%s.yaml", tc.caseName), deploymentYAML, 0644)
+ require.NoError(t, err)
+ return
+ }
+
expected, err := loadDeployment(tc.caseName)
require.NoError(t, err)
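Review bot: The `return` at L17654 exits whatever function encloses this block; `TestDeployment` starts outside the hunk, so I cannot tell whether this sits inside a `t.Run` subtest closure (where it only ends the current case) or directly in the case loop (where only the first case's file would be rewritten under `-override-testdata`). Worth confirming, and if it is the loop body, `continue` is the intended control flow. Separately, this marshal-and-write sequence duplicates L17584–L17588 in `TestConfigmap`; a small test helper like `writeTestdata(t, path, obj)` that does the `yaml.Marshal`, `os.WriteFile` and `require.NoError` would keep the two golden-file paths from drifting.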
diff --git a/internal/infrastructure/kubernetes/ratelimit/statsd_conf.yaml b/internal/infrastructure/kubernetes/ratelimit/statsd_conf.yaml
new file mode 100644
index 00000000000..4ded9cb6025
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/statsd_conf.yaml
@@ -0,0 +1,92 @@
+mappings:
+ - match: "ratelimit.service.rate_limit.*.*.near_limit"
+ name: "ratelimit_service_rate_limit_near_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ - match: "ratelimit.service.rate_limit.*.*.over_limit"
+ name: "ratelimit_service_rate_limit_over_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ - match: "ratelimit.service.rate_limit.*.*.total_hits"
+ name: "ratelimit_service_rate_limit_total_hits"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ - match: "ratelimit.service.rate_limit.*.*.within_limit"
+ name: "ratelimit_service_rate_limit_within_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+
+ - match: "ratelimit.service.rate_limit.*.*.*.near_limit"
+ name: "ratelimit_service_rate_limit_near_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+ - match: "ratelimit.service.rate_limit.*.*.*.over_limit"
+ name: "ratelimit_service_rate_limit_over_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+ - match: "ratelimit.service.rate_limit.*.*.*.total_hits"
+ name: "ratelimit_service_rate_limit_total_hits"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+ - match: "ratelimit.service.rate_limit.*.*.*.within_limit"
+ name: "ratelimit_service_rate_limit_within_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+
+ - match: "ratelimit.service.call.should_rate_limit.*"
+ name: "ratelimit_service_should_rate_limit_error"
+ match_metric_type: counter
+ labels:
+ err_type: "$1"
+
+ - match: "ratelimit_server.*.total_requests"
+ name: "ratelimit_service_total_requests"
+ match_metric_type: counter
+ labels:
+ grpc_method: "$1"
+
+ - match: "ratelimit_server.*.response_time"
+ name: "ratelimit_service_response_time_seconds"
+ timer_type: histogram
+ labels:
+ grpc_method: "$1"
+
+ - match: "ratelimit.service.config_load_success"
+ name: "ratelimit_service_config_load_success"
+ match_metric_type: counter
+ - match: "ratelimit.service.config_load_error"
+ name: "ratelimit_service_config_load_error"
+ match_metric_type: counter
+
+ - match: "ratelimit.service.rate_limit.*.*.*.shadow_mode"
+ name: "ratelimit_service_rate_limit_shadow_mode"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+
+ - match: "."
+ match_type: "regex"
+ action: "drop"
+ name: "dropped"
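Review bot: The `$2`/`$3` captures at L17671, L17696–L17697 and elsewhere turn rate-limit descriptor values into Prometheus label values (`key1`, `key2`), so if any configured descriptor carries per-client data (for example a remote address or a request header), the exporter's series count grows without bound and becomes a memory-exhaustion risk for the sidecar; a comment above the `mappings:` key stating that descriptor values become labels and that high-cardinality descriptors should not be exposed this way would help whoever next edits this file. Scalar quoting is inconsistent: `timer_type: histogram` at L17734 and `match_metric_type: counter` are bare while the same values are `"histogram"` and `"regex"` elsewhere; pick one form file-wide. Note also that `timer_type` is the key understood by the pinned `statsd-exporter` v0.18.0 image, and later releases renamed it to `observer_type`, so the image tag and this file need to move together.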
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml
index c922b53f519..5f0c2f8683f 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,25 +14,27 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
- annotations:
- prometheus.io/scrape: "true"
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
- hostNetwork: true
containers:
- command:
- /bin/ratelimit
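Review bot: In this fixture the pod annotations at L17793–L17794 are only `prometheus.io/scrape: "true"`, whereas default.yaml renders `prometheus.io/path`, `prometheus.io/port: "19001"` and `prometheus.io/scrape` together; assuming the `custom` case supplies its own `Pod.Annotations`, this shows user-provided annotations replacing the generated Prometheus annotations rather than being merged over them, so the new metrics port is not advertised whenever a user sets any annotation at all. The renderer that produces this (resource_provider.go, outside this view) appears to assign `Pod.Annotations` wholesale; merging user keys onto the generated map would keep both. If replacement is intentional, a comment next to the annotation handling in the renderer saying so would stop this fixture from looking like a regression.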
@@ -61,19 +64,19 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
image: custom-image
@@ -83,8 +86,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
- securityContext:
- privileged: true
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
limits:
cpu: 400m
@@ -92,32 +102,50 @@ spec:
requests:
cpu: 200m
memory: 1Gi
+ securityContext:
+ privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /certs
name: certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
terminationGracePeriodSeconds: 300
volumes:
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml
index b34ab0fe254..5f0c2f8683f 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,22 +14,25 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
- annotations:
- prometheus.io/scrape: "true"
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -60,19 +64,19 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
image: custom-image
@@ -82,8 +86,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
- securityContext:
- privileged: true
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
limits:
cpu: 400m
@@ -91,32 +102,50 @@ spec:
requests:
cpu: 200m
memory: 1Gi
+ securityContext:
+ privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /certs
name: certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
terminationGracePeriodSeconds: 300
volumes:
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml
index a9451dae13c..759a9c60199 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,20 +14,27 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -58,19 +66,19 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
image: envoyproxy/ratelimit:master
@@ -80,6 +88,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
requests:
cpu: 100m
@@ -90,15 +107,27 @@ spec:
- mountPath: /certs
name: certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
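Review bot: The new `prom-statsd-exporter` sidecar at L18176–L18196 is rendered with `resources: {}`, no container `securityContext`, an image pinned by tag (`prom/statsd-exporter:v0.18.0`) rather than digest, and (at L18206–L18212 in this section) its mapping ConfigMap mounted with `optional: true`, so a missing ConfigMap lets the pod schedule with an exporter that has no `--statsd.mapping-config` file to read. Because these files are golden output of the renderer, the fix belongs in the rendering code outside this view: give the sidecar requests/limits consistent with the main container, a restrictive securityContext, and drop `optional: true` (or document why startup without the mapping is acceptable). The same rendering appears in the other testdata/deployments fixtures in this commit; I am raising it once here.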
@@ -107,7 +136,11 @@ spec:
volumes:
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/affinity.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml
similarity index 79%
rename from internal/infrastructure/kubernetes/ratelimit/testdata/deployments/affinity.yaml
rename to internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml
index fa2e11f2a2e..25da4c56e25 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/affinity.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,22 +14,23 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
- replicas: 2
- strategy:
- type: RollingUpdate
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
- annotations:
- prometheus.io/scrape: "true"
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -50,7 +52,7 @@ spec:
- name: LOG_LEVEL
value: info
- name: USE_STATSD
- value: "true"
+ value: "false"
- name: CONFIG_TYPE
value: GRPC_XDS_SOTW
- name: CONFIG_GRPC_XDS_SERVER_URL
@@ -60,43 +62,28 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
- image: custom-image
+ image: envoyproxy/ratelimit:master
imagePullPolicy: IfNotPresent
name: envoy-ratelimit
ports:
- containerPort: 8081
name: grpc
protocol: TCP
- securityContext:
- privileged: true
- resources:
- limits:
- cpu: 400m
- memory: 2Gi
- requests:
- cpu: 200m
- memory: 1Gi
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /certs
- name: certs
- readOnly: true
readinessProbe:
failureThreshold: 3
httpGet:
@@ -106,26 +93,24 @@ spec:
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-ratelimit
- securityContext:
- runAsUser: 1000
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: cloud.google.com/gke-nodepool
- operator: In
- values:
- - router-node
terminationGracePeriodSeconds: 300
volumes:
- name: certs
secret:
- secretName: envoy-rate-limit
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ secretName: envoy-rate-limit
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml
index 59c0f8089ca..81295ee4439 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,22 +14,25 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
- annotations:
- prometheus.io/scrape: "true"
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -60,19 +64,19 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
- name: env_a
@@ -86,8 +90,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
- securityContext:
- privileged: true
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
limits:
cpu: 400m
@@ -95,32 +106,50 @@ spec:
requests:
cpu: 200m
memory: 1Gi
+ securityContext:
+ privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /certs
name: certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
terminationGracePeriodSeconds: 300
volumes:
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml
index a87dd79bd9c..24ac22c8a6a 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,22 +14,25 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
- annotations:
- prometheus.io/scrape: "true"
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -60,19 +64,19 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
image: custom-image
@@ -82,8 +86,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
- securityContext:
- privileged: true
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
limits:
cpu: 400m
@@ -91,32 +102,50 @@ spec:
requests:
cpu: 200m
memory: 1Gi
+ securityContext:
+ privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /certs
name: certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
terminationGracePeriodSeconds: 300
volumes:
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml
index c9e915ef9b0..3f075c640a7 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,20 +14,27 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -58,19 +66,19 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
image: envoyproxy/ratelimit:master
@@ -80,6 +88,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
requests:
cpu: 100m
@@ -90,15 +107,27 @@ spec:
- mountPath: /certs
name: certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
restartPolicy: Always
@@ -108,7 +137,11 @@ spec:
volumes:
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
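Review bot: The `statsd-exporter-config` ConfigMap volume is declared `optional: true`, but the sidecar command in the previous hunk hardcodes `--statsd.mapping-config=/etc/statsd-exporter/conf.yaml`; if the ConfigMap is absent the volume presumably mounts empty, the exporter cannot find its mapping file and the pod never becomes Ready, so the flag does not actually make the sidecar optional. Either drop `optional: true` so a missing ConfigMap surfaces as a clear mount error in pod events, or have the generator omit the sidecar when no mapping config is provided. The same `optional: true` appears at L18990, L19172, L19354, L19496 and L19652; the generating code is outside this diff.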
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml
index 136101fd9bd..f14702fcf43 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,22 +14,25 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
- annotations:
- prometheus.io/scrape: "true"
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
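Review bot: This pod template ends up with only `prometheus.io/scrape: "true"` (L18854–L18855), whereas the fixtures at L19393–L19396 also receive `prometheus.io/path: /metrics` and `prometheus.io/port: "19001"`; since the scrape annotation here pre-dates the commit (old side L18861–L18862), it looks like user-supplied pod annotations replace the generator's default scrape annotations instead of being merged with them. If that is the case, Prometheus would scrape these pods on its default port rather than the new exporter's 19001, and the `scrape: "true"` annotation becomes misleading. The same shape appears in the hunks ending at L19041 and L19223; the merge logic lives in the Go generator outside this diff, so this is a question to confirm there rather than in the fixture.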
@@ -60,29 +64,29 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
- name: REDIS_TLS
value: "true"
- name: REDIS_TLS_CLIENT_CERT
- value: "/redis-certs/tls.crt"
+ value: /redis-certs/tls.crt
- name: REDIS_TLS_CLIENT_KEY
- value: "/redis-certs/tls.key"
+ value: /redis-certs/tls.key
- name: REDIS_AUTH
- value: "redis_auth_password"
+ value: redis_auth_password
image: custom-image
imagePullPolicy: IfNotPresent
name: envoy-ratelimit
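Review bot: `REDIS_AUTH` is still rendered as a literal `value: redis_auth_password` (L18902) rather than a `valueFrom.secretKeyRef`, so whatever the generator receives for the Redis password lands in the Deployment spec, where anyone able to read Deployments or `describe` the pod sees it. The commit only drops the quotes, but because this golden file pins the expected output it is the point at which to decide whether the password should be sourced from a Secret; the same line is produced at L19077 and L19259. The generating code is outside this diff.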
@@ -90,8 +94,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
- securityContext:
- privileged: true
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
limits:
cpu: 400m
@@ -99,6 +110,8 @@ spec:
requests:
cpu: 200m
memory: 1Gi
+ securityContext:
+ privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
@@ -108,30 +121,46 @@ spec:
- mountPath: /redis-certs
name: redis-certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
terminationGracePeriodSeconds: 300
volumes:
- name: redis-certs
secret:
- secretName: ratelimit-cert
defaultMode: 420
+ secretName: ratelimit-cert
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml
index eac44ebd0e4..48e776db25a 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,22 +14,25 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
- annotations:
- prometheus.io/scrape: "true"
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -60,29 +64,29 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
- name: REDIS_TLS
value: "true"
- name: REDIS_TLS_CLIENT_CERT
- value: "/redis-certs/tls.crt"
+ value: /redis-certs/tls.crt
- name: REDIS_TLS_CLIENT_KEY
- value: "/redis-certs/tls.key"
+ value: /redis-certs/tls.key
- name: REDIS_AUTH
- value: "redis_auth_password"
+ value: redis_auth_password
image: custom-image
imagePullPolicy: IfNotPresent
name: envoy-ratelimit
@@ -90,8 +94,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
- securityContext:
- privileged: true
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
limits:
cpu: 400m
@@ -99,6 +110,8 @@ spec:
requests:
cpu: 200m
memory: 1Gi
+ securityContext:
+ privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
@@ -108,35 +121,51 @@ spec:
- mountPath: /redis-certs
name: redis-certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
tolerations:
- effect: NoSchedule
key: node-type
operator: Exists
- value: "router"
- terminationGracePeriodSeconds: 300
+ value: router
volumes:
- name: redis-certs
secret:
- secretName: ratelimit-cert
defaultMode: 420
+ secretName: ratelimit-cert
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml
index 1ba74b57c86..78534d7af12 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,22 +14,25 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 2
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
- annotations:
- prometheus.io/scrape: "true"
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -60,29 +64,29 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
- name: REDIS_TLS
value: "true"
- name: REDIS_TLS_CLIENT_CERT
- value: "/redis-certs/tls.crt"
+ value: /redis-certs/tls.crt
- name: REDIS_TLS_CLIENT_KEY
- value: "/redis-certs/tls.key"
+ value: /redis-certs/tls.key
- name: REDIS_AUTH
- value: "redis_auth_password"
+ value: redis_auth_password
image: custom-image
imagePullPolicy: IfNotPresent
name: envoy-ratelimit
@@ -90,8 +94,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
- securityContext:
- privileged: true
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
limits:
cpu: 400m
@@ -99,6 +110,8 @@ spec:
requests:
cpu: 200m
memory: 1Gi
+ securityContext:
+ privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
@@ -108,35 +121,51 @@ spec:
- mountPath: /redis-certs
name: redis-certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
- serviceAccountName: envoy-ratelimit
securityContext:
runAsUser: 1000
+ serviceAccountName: envoy-ratelimit
+ terminationGracePeriodSeconds: 300
tolerations:
- effect: NoSchedule
key: node-type
operator: Exists
- value: "router"
- terminationGracePeriodSeconds: 300
+ value: router
volumes:
- name: redis-certs
secret:
- secretName: ratelimit-cert-origin
defaultMode: 420
+ secretName: ratelimit-cert-origin
- name: certs
secret:
+ defaultMode: 420
secretName: custom-cert
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml
index 55864cd9995..a83f8432aaa 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,20 +14,27 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -58,19 +66,19 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
image: envoyproxy/ratelimit:master
@@ -80,6 +88,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
requests:
cpu: 100m
@@ -90,15 +107,27 @@ spec:
- mountPath: /certs
name: certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
key1: value1
@@ -110,7 +139,11 @@ spec:
volumes:
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml
index d647ef00065..bddb780d39b 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml
@@ -1,10 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
name: envoy-ratelimit
namespace: envoy-gateway-system
ownerReferences:
@@ -13,20 +14,27 @@ metadata:
name: envoy-gateway
uid: test-owner-reference-uid-for-deployment
spec:
+ progressDeadlineSeconds: 600
replicas: 1
- strategy:
- type: RollingUpdate
+ revisionHistoryLimit: 10
selector:
matchLabels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ strategy:
+ type: RollingUpdate
template:
metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
labels:
- app.kubernetes.io/name: envoy-ratelimit
app.kubernetes.io/component: ratelimit
app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
spec:
automountServiceAccountToken: false
containers:
@@ -58,19 +66,19 @@ spec:
- name: GRPC_SERVER_USE_TLS
value: "true"
- name: GRPC_SERVER_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: GRPC_SERVER_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: GRPC_SERVER_TLS_CA_CERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: CONFIG_GRPC_XDS_SERVER_USE_TLS
value: "true"
- name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT
- value: "/certs/tls.crt"
+ value: /certs/tls.crt
- name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY
- value: "/certs/tls.key"
+ value: /certs/tls.key
- name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT
- value: "/certs/ca.crt"
+ value: /certs/ca.crt
- name: FORCE_START_WITHOUT_INITIAL_CONFIG
value: "true"
image: envoyproxy/ratelimit:master
@@ -80,6 +88,15 @@ spec:
- containerPort: 8081
name: grpc
protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
resources:
requests:
cpu: 100m
@@ -90,33 +107,49 @@ spec:
- mountPath: /certs
name: certs
readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-ratelimit
terminationGracePeriodSeconds: 300
topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
+ - labelSelector:
matchLabels:
app: foo
matchLabelKeys:
- pod-template-hash
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
volumes:
- name: certs
secret:
+ defaultMode: 420
secretName: envoy-rate-limit
+ - configMap:
defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-configmap.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-configmap.yaml
new file mode 100644
index 00000000000..eee9062f051
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-configmap.yaml
@@ -0,0 +1,104 @@
+apiVersion: v1
+data:
+ conf.yaml: |
+ mappings:
+ - match: "ratelimit.service.rate_limit.*.*.near_limit"
+ name: "ratelimit_service_rate_limit_near_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ - match: "ratelimit.service.rate_limit.*.*.over_limit"
+ name: "ratelimit_service_rate_limit_over_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ - match: "ratelimit.service.rate_limit.*.*.total_hits"
+ name: "ratelimit_service_rate_limit_total_hits"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ - match: "ratelimit.service.rate_limit.*.*.within_limit"
+ name: "ratelimit_service_rate_limit_within_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+
+ - match: "ratelimit.service.rate_limit.*.*.*.near_limit"
+ name: "ratelimit_service_rate_limit_near_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+ - match: "ratelimit.service.rate_limit.*.*.*.over_limit"
+ name: "ratelimit_service_rate_limit_over_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+ - match: "ratelimit.service.rate_limit.*.*.*.total_hits"
+ name: "ratelimit_service_rate_limit_total_hits"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+ - match: "ratelimit.service.rate_limit.*.*.*.within_limit"
+ name: "ratelimit_service_rate_limit_within_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+
+ - match: "ratelimit.service.call.should_rate_limit.*"
+ name: "ratelimit_service_should_rate_limit_error"
+ match_metric_type: counter
+ labels:
+ err_type: "$1"
+
+ - match: "ratelimit_server.*.total_requests"
+ name: "ratelimit_service_total_requests"
+ match_metric_type: counter
+ labels:
+ grpc_method: "$1"
+
+ - match: "ratelimit_server.*.response_time"
+ name: "ratelimit_service_response_time_seconds"
+ timer_type: histogram
+ labels:
+ grpc_method: "$1"
+
+ - match: "ratelimit.service.config_load_success"
+ name: "ratelimit_service_config_load_success"
+ match_metric_type: counter
+ - match: "ratelimit.service.config_load_error"
+ name: "ratelimit_service_config_load_error"
+ match_metric_type: counter
+
+ - match: "ratelimit.service.rate_limit.*.*.*.shadow_mode"
+ name: "ratelimit_service_rate_limit_shadow_mode"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+
+ - match: "."
+ match_type: "regex"
+ action: "drop"
+ name: "dropped"
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: statsd-exporter-config
+ namespace: envoy-gateway-system
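Review bot: The mapping block handles `shadow_mode` only for three-segment keys (`ratelimit.service.rate_limit.*.*.*.shadow_mode`, L19744), while near_limit, over_limit, total_hits and within_limit each get both a two-segment and a three-segment form; if the ratelimit service also emits `shadow_mode` for single-key descriptors, that series is silently swallowed by the final `match: "."` drop rule (L19752–L19755). Adding the `*.*.shadow_mode` form for symmetry, or a comment inside `conf.yaml` saying why it is omitted, would avoid a quiet metrics gap. The catch-all drop also means any stat the upstream image adds later disappears until this map is updated, which deserves a one-line comment above the `- match: "."` entry so operators know where to look when a metric is missing.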
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index d501fffac8f..7d1af7c0602 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -16,6 +16,7 @@ import (
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation"
"sigs.k8s.io/yaml"
@@ -179,6 +180,7 @@ func (x Xds) Printable() *Xds {
// Omit field
if route.OIDC != nil {
route.OIDC.ClientSecret = redacted
+ route.OIDC.HMACSecret = redacted
}
if route.BasicAuth != nil {
route.BasicAuth.Users = redacted
@@ -308,7 +310,7 @@ type TLSCertificate struct {
// +k8s:deepcopy-gen=true
type TLSCACertificate struct {
// Name of the Secret object.
- Name string `json:"name" yaml:"name"`
+ Name string `json:"name,omitempty" yaml:"name,omitempty"`
// Certificate content.
Certificate []byte `json:"certificate,omitempty" yaml:"certificate,omitempty"`
}
@@ -526,9 +528,11 @@ type OIDC struct {
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
//
// This is an Opaque secret. The client secret should be stored in the key "client-secret".
-
ClientSecret []byte `json:"clientSecret,omitempty" yaml:"clientSecret,omitempty"`
+ // HMACSecret is the secret used to sign the HMAC of the OAuth2 filter cookies.
+ HMACSecret []byte `json:"hmacSecret,omitempty" yaml:"hmacSecret,omitempty"`
+
// The OIDC scopes to be used in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
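Review bot: The new `HMACSecret` comment says what the value signs but not where it comes from or what size it must be, while the neighbouring `ClientSecret` comment spells out the Secret key it is read from. Suggest extending it to `// HMACSecret is the key used to HMAC-sign the OAuth2 filter's session cookies. It is [PROVENANCE: generated by the controller or read from a user Secret — fill in from the populating code] and must stay stable across reconciles, otherwise existing sessions are invalidated.` The `Printable()` change at L19780 already treats the field as sensitive, and the comment should say so as well so future fields follow the same convention.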
@@ -711,53 +715,49 @@ func (h HTTPRoute) Validate() error {
}
}
if len(h.AddRequestHeaders) > 0 {
- occurred := map[string]bool{}
+ occurred := sets.NewString()
for _, header := range h.AddRequestHeaders {
if err := header.Validate(); err != nil {
errs = errors.Join(errs, err)
}
- if !occurred[header.Name] {
- occurred[header.Name] = true
- } else {
+ if occurred.Has(header.Name) {
errs = errors.Join(errs, ErrAddHeaderDuplicate)
break
}
+ occurred.Insert(header.Name)
}
}
if len(h.RemoveRequestHeaders) > 0 {
- occurred := map[string]bool{}
+ occurred := sets.NewString()
for _, header := range h.RemoveRequestHeaders {
- if !occurred[header] {
- occurred[header] = true
- } else {
+ if occurred.Has(header) {
errs = errors.Join(errs, ErrRemoveHeaderDuplicate)
break
}
+ occurred.Insert(header)
}
}
if len(h.AddResponseHeaders) > 0 {
- occurred := map[string]bool{}
+ occurred := sets.NewString()
for _, header := range h.AddResponseHeaders {
if err := header.Validate(); err != nil {
errs = errors.Join(errs, err)
}
- if !occurred[header.Name] {
- occurred[header.Name] = true
- } else {
+ if occurred.Has(header.Name) {
errs = errors.Join(errs, ErrAddHeaderDuplicate)
break
}
+ occurred.Insert(header.Name)
}
}
if len(h.RemoveResponseHeaders) > 0 {
- occurred := map[string]bool{}
+ occurred := sets.NewString()
for _, header := range h.RemoveResponseHeaders {
- if !occurred[header] {
- occurred[header] = true
- } else {
+ if occurred.Has(header) {
errs = errors.Join(errs, ErrRemoveHeaderDuplicate)
break
}
+ occurred.Insert(header)
}
}
if h.LoadBalancer != nil {
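Review bot: `sets.NewString()` is the pre-generics `sets.String` API, which newer apimachinery releases mark as deprecated in favour of `sets.New[string]()` (same `Has`/`Insert` methods); if the module's apimachinery version is recent enough, `occurred := sets.New[string]()` avoids adopting a deprecated type in four places at once. The four loops are otherwise identical apart from the error value and whether the element is a plain string or has a `.Name`, so a small helper taking a `[]string` and the error to join would remove the duplication the rewrite preserves. The comparison is also exact, so `X-Foo` and `x-foo` pass as distinct even though header names are case-insensitive — that predates this change, but the rewrite is a natural place to normalise with `http.CanonicalHeaderKey` before the `Has`/`Insert` pair, if the translator treats them as the same header.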
@@ -825,6 +825,8 @@ type DestinationSetting struct {
Endpoints []*DestinationEndpoint `json:"endpoints,omitempty" yaml:"endpoints,omitempty"`
// AddressTypeState specifies the state of DestinationEndpoint address type.
AddressType *DestinationAddressType `json:"addressType,omitempty" yaml:"addressType,omitempty"`
+
+ TLS *TLSUpstreamConfig `json:"tls,omitempty" yaml:"tls,omitempty"`
}
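Review bot: The new `TLS` field on `DestinationSetting` has no doc comment, unlike every other field in the struct, and the blank line inserted before it breaks the struct's layout. Suggest `// TLS, when set, configures TLS (SNI and CA trust) for connections to Endpoints.` directly above the field, with the blank line removed.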
// Validate the fields within the RouteDestination structure
@@ -1444,6 +1446,9 @@ type CircuitBreaker struct {
// The maximum number of parallel requests that Envoy will make.
MaxRequestsPerConnection *uint32 `json:"maxRequestsPerConnection,omitempty" yaml:"maxRequestsPerConnection,omitempty"`
+
+ // The maximum number of parallel retries that Envoy will make.
+ MaxParallelRetries *uint32 `json:"maxParallelRetries,omitempty" yaml:"maxParallelRetries,omitempty"`
}
// HealthCheck defines health check settings
@@ -1697,7 +1702,7 @@ type TriggerEnum egv1a1.TriggerEnum
const (
Error5XX = TriggerEnum(egv1a1.Error5XX)
GatewayError = TriggerEnum(egv1a1.GatewayError)
- DisconnectRest = TriggerEnum(egv1a1.DisconnectRest)
+ Reset = TriggerEnum(egv1a1.Reset)
ConnectFailure = TriggerEnum(egv1a1.ConnectFailure)
Retriable4XX = TriggerEnum(egv1a1.Retriable4XX)
RefusedStream = TriggerEnum(egv1a1.RefusedStream)
@@ -1733,3 +1738,11 @@ type BackOffPolicy struct {
// MaxInterval is the maximum interval between retries.
MaxInterval *metav1.Duration `json:"maxInterval,omitempty"`
}
+
+// TLSUpstreamConfig contains sni and ca file in []byte format.
+// +k8s:deepcopy-gen=true
+type TLSUpstreamConfig struct {
+ SNI string `json:"sni,omitempty" yaml:"sni,omitempty"`
+ UseSystemTrustStore bool `json:"useSystemTrustStore,omitempty" yaml:"useSystemTrustStore,omitempty"`
+ CACertificate *TLSCACertificate `json:"caCertificate,omitempty" yaml:"caCertificate,omitempty"`
+}
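Review bot: The fields of `TLSUpstreamConfig` are undocumented, and the type comment does not say how `UseSystemTrustStore` and `CACertificate` interact or what verification happens when `UseSystemTrustStore` is false and `CACertificate` is nil — the one combination a reader most needs to know is not "skip verification". Suggest per-field comments such as `// SNI is the server name sent in the TLS ClientHello.`, `// UseSystemTrustStore validates the server certificate against the system CA bundle.` and `// CACertificate, when set, is the CA bundle used to validate the server certificate; [confirm in the translator whether it replaces or supplements the system store].` Other IR types in this file implement `Validate()`; if at least one trust source is required, or SNI must be a hostname, a `Validate()` on this type would make that invariant explicit rather than leaving it to the translator.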
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index 52923b43f8c..3e19c4b4602 100644
--- a/internal/ir/zz_generated.deepcopy.go
+++ b/internal/ir/zz_generated.deepcopy.go
@@ -237,6 +237,11 @@ func (in *CircuitBreaker) DeepCopyInto(out *CircuitBreaker) {
*out = new(uint32)
**out = **in
}
+ if in.MaxParallelRetries != nil {
+ in, out := &in.MaxParallelRetries, &out.MaxParallelRetries
+ *out = new(uint32)
+ **out = **in
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CircuitBreaker.
@@ -353,6 +358,11 @@ func (in *DestinationSetting) DeepCopyInto(out *DestinationSetting) {
*out = new(DestinationAddressType)
**out = **in
}
+ if in.TLS != nil {
+ in, out := &in.TLS, &out.TLS
+ *out = new(TLSUpstreamConfig)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationSetting.
@@ -1312,6 +1322,11 @@ func (in *OIDC) DeepCopyInto(out *OIDC) {
*out = make([]byte, len(*in))
copy(*out, *in)
}
+ if in.HMACSecret != nil {
+ in, out := &in.HMACSecret, &out.HMACSecret
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
if in.Scopes != nil {
in, out := &in.Scopes, &out.Scopes
*out = make([]string, len(*in))
@@ -2074,6 +2089,26 @@ func (in *TLSInspectorConfig) DeepCopy() *TLSInspectorConfig {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSUpstreamConfig) DeepCopyInto(out *TLSUpstreamConfig) {
+ *out = *in
+ if in.CACertificate != nil {
+ in, out := &in.CACertificate, &out.CACertificate
+ *out = new(TLSCACertificate)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSUpstreamConfig.
+func (in *TLSUpstreamConfig) DeepCopy() *TLSUpstreamConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(TLSUpstreamConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TextAccessLog) DeepCopyInto(out *TextAccessLog) {
*out = *in
diff --git a/internal/kubernetes/port-forwarder.go b/internal/kubernetes/port_forwarder.go
similarity index 100%
rename from internal/kubernetes/port-forwarder.go
rename to internal/kubernetes/port_forwarder.go
diff --git a/internal/message/types.go b/internal/message/types.go
index 1328c2a853c..ded83524326 100644
--- a/internal/message/types.go
+++ b/internal/message/types.go
@@ -21,7 +21,7 @@ import (
type ProviderResources struct {
// GatewayAPIResources is a map from a GatewayClass name to
// a group of gateway API and other related resources.
- GatewayAPIResources watchable.Map[string, *gatewayapi.GatewayClassResources]
+ GatewayAPIResources watchable.Map[string, *gatewayapi.ControllerResources]
// GatewayAPIStatuses is a group of gateway api
// resource statuses maps.
@@ -31,13 +31,25 @@ type ProviderResources struct {
PolicyStatuses
}
-func (p *ProviderResources) GetResources() *gatewayapi.GatewayClassResources {
+func (p *ProviderResources) GetResources() []*gatewayapi.Resources {
if p.GatewayAPIResources.Len() == 0 {
return nil
}
+
for _, v := range p.GatewayAPIResources.LoadAll() {
- return v
+ return *v
}
+
+ return nil
+}
+
+func (p *ProviderResources) GetResourcesByGatewayClass(name string) *gatewayapi.Resources {
+ for _, r := range p.GetResources() {
+ if r != nil && r.GatewayClass != nil && r.GatewayClass.Name == name {
+ return r
+ }
+ }
+
return nil
}
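Review bot: Neither of the new exported methods `GetResources` nor `GetResourcesByGatewayClass` carries a doc comment, and the first one's contract is non-obvious: it returns the value of an arbitrary entry from `LoadAll()`, which is only correct while the map holds a single key (the controller name) as `Reconcile` stores it. I would add `// GetResources returns the per-GatewayClass resources stored for the single managed controller; with more than one entry the result is unspecified.` above `GetResources`, and `// GetResourcesByGatewayClass returns the resources of the GatewayClass with the given name, or nil if none is stored.` above the second method. The `*v` dereference assumes a non-nil pointer was stored; that holds for the visible `Store(..., &gwcResources)` caller but is worth stating in the comment.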
@@ -82,12 +94,14 @@ type PolicyStatuses struct {
BackendTrafficPolicyStatuses watchable.Map[types.NamespacedName, *egv1a1.BackendTrafficPolicyStatus]
EnvoyPatchPolicyStatuses watchable.Map[types.NamespacedName, *egv1a1.EnvoyPatchPolicyStatus]
SecurityPolicyStatuses watchable.Map[types.NamespacedName, *egv1a1.SecurityPolicyStatus]
+ BackendTLSPolicyStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.PolicyStatus]
}
func (p *PolicyStatuses) Close() {
p.ClientTrafficPolicyStatuses.Close()
p.SecurityPolicyStatuses.Close()
p.EnvoyPatchPolicyStatuses.Close()
+ p.BackendTLSPolicyStatuses.Close()
}
// XdsIR message
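Review bot: `PolicyStatuses.Close` still never closes `BackendTrafficPolicyStatuses`, even though the struct declares it alongside the other four maps and the commit adds `BackendTLSPolicyStatuses.Close()` right next to that gap. Unless the omission is deliberate, add `p.BackendTrafficPolicyStatuses.Close()` to the method so every status map declared in the struct is closed. The struct's header is the hunk's context line, so earlier fields are not visible here.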
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
index b7d305caa83..fe9a0242ed4 100644
--- a/internal/provider/kubernetes/controller.go
+++ b/internal/provider/kubernetes/controller.go
@@ -18,6 +18,7 @@ import (
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/client-go/discovery"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller"
@@ -51,7 +52,7 @@ type gatewayAPIReconciler struct {
namespace string
namespaceLabel *metav1.LabelSelector
envoyGateway *egv1a1.EnvoyGateway
- mergeGateways map[string]bool
+ mergeGateways sets.Set[string]
resources *message.ProviderResources
extGVKs []schema.GroupVersionKind
}
@@ -87,7 +88,7 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su status.
extGVKs: extGVKs,
store: newProviderStore(),
envoyGateway: cfg.EnvoyGateway,
- mergeGateways: map[string]bool{},
+ mergeGateways: sets.New[string](),
}
if byNamespaceSelector {
@@ -136,176 +137,82 @@ func newResourceMapping() *resourceMappings {
// same reconcile.Request containing the gateway controller name. This allows multiple resource updates to
// be handled by a single call to Reconcile. The reconcile.Request DOES NOT map to a specific resource.
func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Request) (reconcile.Result, error) {
+ var (
+ managedGCs []*gwapiv1.GatewayClass
+ err error
+ )
r.log.Info("reconciling gateways")
- var gatewayClasses gwapiv1.GatewayClassList
- if err := r.client.List(ctx, &gatewayClasses); err != nil {
- return reconcile.Result{}, fmt.Errorf("error listing gatewayclasses: %w", err)
- }
-
- var cc controlledClasses
-
- for _, gwClass := range gatewayClasses.Items {
- gwClass := gwClass
- if gwClass.Spec.ControllerName == r.classController {
- // The gatewayclass was marked for deletion and the finalizer removed,
- // so clean-up dependents.
- if !gwClass.DeletionTimestamp.IsZero() &&
- !slice.ContainsString(gwClass.Finalizers, gatewayClassFinalizer) {
- r.log.Info("gatewayclass marked for deletion")
- cc.removeMatch(&gwClass)
- continue
- }
-
- cc.addMatch(&gwClass)
- }
+ // Get the GatewayClasses managed by the Envoy Gateway Controller.
+ managedGCs, err = r.managedGatewayClasses(ctx)
+ if err != nil {
+ return reconcile.Result{}, err
}
// The gatewayclass was already deleted/finalized and there are stale queue entries.
- acceptedGCs := cc.matchedClasses
- if acceptedGCs == nil {
+ if managedGCs == nil {
r.resources.GatewayAPIResources.Delete(string(r.classController))
r.log.Info("no accepted gatewayclass")
return reconcile.Result{}, nil
}
- resourcesMap := make(gatewayapi.GatewayClassResources)
- for _, acceptedGC := range acceptedGCs {
+ // Collect all the Gateway API resources, Envoy Gateway customized resources,
+ // and their referenced resources for the managed GatewayClasses, and store
+ // them per GatewayClass.
+ // For example:
+ // - Gateway API resources: Gateways, xRoutes ...
+ // - Envoy Gateway customized resources: EnvoyPatchPolicies, ClientTrafficPolicies, BackendTrafficPolicies ...
+ // - Referenced resources: Services, ServiceImports, EndpointSlices, Secrets, ConfigMaps ...
+ gwcResources := make(gatewayapi.ControllerResources, 0, len(managedGCs))
+ for _, managedGC := range managedGCs {
// Initialize resource types.
- acceptedGC := acceptedGC
- resourcesMap[acceptedGC.Name] = gatewayapi.NewResources()
+ managedGC := managedGC
+ gwcResource := gatewayapi.NewResources()
+ gwcResource.GatewayClass = managedGC
+ gwcResources = append(gwcResources, gwcResource)
resourceMappings := newResourceMapping()
- if err := r.processGateways(ctx, acceptedGC, resourceMappings, resourcesMap[acceptedGC.Name]); err != nil {
+ // Add all Gateways, their associated Routes, and referenced resources to the resourceTree
+ if err = r.processGateways(ctx, managedGC, resourceMappings, gwcResource); err != nil {
return reconcile.Result{}, err
}
- for backendRef := range resourceMappings.allAssociatedBackendRefs {
- backendRefKind := gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService)
- r.log.Info("processing Backend", "kind", backendRefKind, "namespace", string(*backendRef.Namespace),
- "name", string(backendRef.Name))
-
- var endpointSliceLabelKey string
- switch backendRefKind {
- case gatewayapi.KindService:
- service := new(corev1.Service)
- err := r.client.Get(ctx, types.NamespacedName{Namespace: string(*backendRef.Namespace), Name: string(backendRef.Name)}, service)
- if err != nil {
- r.log.Error(err, "failed to get Service", "namespace", string(*backendRef.Namespace),
- "name", string(backendRef.Name))
- } else {
- resourceMappings.allAssociatedNamespaces[service.Namespace] = struct{}{}
- resourcesMap[acceptedGC.Name].Services = append(resourcesMap[acceptedGC.Name].Services, service)
- r.log.Info("added Service to resource tree", "namespace", string(*backendRef.Namespace),
- "name", string(backendRef.Name))
- }
- endpointSliceLabelKey = discoveryv1.LabelServiceName
-
- case gatewayapi.KindServiceImport:
- serviceImport := new(mcsapi.ServiceImport)
- err := r.client.Get(ctx, types.NamespacedName{Namespace: string(*backendRef.Namespace), Name: string(backendRef.Name)}, serviceImport)
- if err != nil {
- r.log.Error(err, "failed to get ServiceImport", "namespace", string(*backendRef.Namespace),
- "name", string(backendRef.Name))
- } else {
- resourceMappings.allAssociatedNamespaces[serviceImport.Namespace] = struct{}{}
- resourcesMap[acceptedGC.Name].ServiceImports = append(resourcesMap[acceptedGC.Name].ServiceImports, serviceImport)
- r.log.Info("added ServiceImport to resource tree", "namespace", string(*backendRef.Namespace),
- "name", string(backendRef.Name))
- }
- endpointSliceLabelKey = mcsapi.LabelServiceName
- }
-
- // Retrieve the EndpointSlices associated with the service
- endpointSliceList := new(discoveryv1.EndpointSliceList)
- opts := []client.ListOption{
- client.MatchingLabels(map[string]string{
- endpointSliceLabelKey: string(backendRef.Name),
- }),
- client.InNamespace(string(*backendRef.Namespace)),
- }
- if err := r.client.List(ctx, endpointSliceList, opts...); err != nil {
- r.log.Error(err, "failed to get EndpointSlices", "namespace", string(*backendRef.Namespace),
- backendRefKind, string(backendRef.Name))
- } else {
- for _, endpointSlice := range endpointSliceList.Items {
- endpointSlice := endpointSlice
- r.log.Info("added EndpointSlice to resource tree", "namespace", endpointSlice.Namespace,
- "name", endpointSlice.Name)
- resourcesMap[acceptedGC.Name].EndpointSlices = append(resourcesMap[acceptedGC.Name].EndpointSlices, &endpointSlice)
- }
- }
- }
-
- // Add all ReferenceGrants to the resourceTree
- for _, referenceGrant := range resourceMappings.allAssociatedRefGrants {
- resourcesMap[acceptedGC.Name].ReferenceGrants = append(resourcesMap[acceptedGC.Name].ReferenceGrants, referenceGrant)
- }
-
- // Add all EnvoyPatchPolicies
- envoyPatchPolicies := egv1a1.EnvoyPatchPolicyList{}
- if err := r.client.List(ctx, &envoyPatchPolicies); err != nil {
- return reconcile.Result{}, fmt.Errorf("error listing EnvoyPatchPolicies: %w", err)
- }
-
- for _, policy := range envoyPatchPolicies.Items {
- policy := policy
- // Discard Status to reduce memory consumption in watchable
- // It will be recomputed by the gateway-api layer
- policy.Status = egv1a1.EnvoyPatchPolicyStatus{}
-
- resourcesMap[acceptedGC.Name].EnvoyPatchPolicies = append(resourcesMap[acceptedGC.Name].EnvoyPatchPolicies, &policy)
+ // Add all EnvoyPatchPolicies to the resourceTree
+ if err = r.processEnvoyPatchPolicies(ctx, gwcResource); err != nil {
+ return reconcile.Result{}, err
}
- // Add all ClientTrafficPolicies
- clientTrafficPolicies := egv1a1.ClientTrafficPolicyList{}
- if err := r.client.List(ctx, &clientTrafficPolicies); err != nil {
- return reconcile.Result{}, fmt.Errorf("error listing ClientTrafficPolicies: %w", err)
+ // Add all ClientTrafficPolicies and their referenced resources to the resourceTree
+ if err = r.processClientTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil {
+ return reconcile.Result{}, err
}
- for _, policy := range clientTrafficPolicies.Items {
- policy := policy
- // Discard Status to reduce memory consumption in watchable
- // It will be recomputed by the gateway-api layer
- policy.Status = egv1a1.ClientTrafficPolicyStatus{}
- resourcesMap[acceptedGC.Name].ClientTrafficPolicies = append(resourcesMap[acceptedGC.Name].ClientTrafficPolicies, &policy)
-
+ // Add all BackendTrafficPolicies to the resourceTree
+ if err = r.processBackendTrafficPolicies(ctx, gwcResource); err != nil {
+ return reconcile.Result{}, err
}
- // Add the referenced ConfigMaps in ClientTrafficPolicies to the resourceTree
- r.processCtpConfigMapRefs(ctx, resourcesMap[acceptedGC.Name], resourceMappings)
-
- // Add all BackendTrafficPolicies
- backendTrafficPolicies := egv1a1.BackendTrafficPolicyList{}
- if err := r.client.List(ctx, &backendTrafficPolicies); err != nil {
- return reconcile.Result{}, fmt.Errorf("error listing BackendTrafficPolicies: %w", err)
+ // Add all SecurityPolicies and their referenced resources to the resourceTree
+ if err = r.processSecurityPolicies(ctx, gwcResource, resourceMappings); err != nil {
+ return reconcile.Result{}, err
}
- for _, policy := range backendTrafficPolicies.Items {
- policy := policy
- // Discard Status to reduce memory consumption in watchable
- // It will be recomputed by the gateway-api layer
- policy.Status = egv1a1.BackendTrafficPolicyStatus{}
- resourcesMap[acceptedGC.Name].BackendTrafficPolicies = append(resourcesMap[acceptedGC.Name].BackendTrafficPolicies, &policy)
+ // Add all BackendTLSPolies to the resourceTree
+ if err = r.processBackendTLSPolicies(ctx, gwcResource, resourceMappings); err != nil {
+ return reconcile.Result{}, err
}
- // Add all SecurityPolicies
- securityPolicies := egv1a1.SecurityPolicyList{}
- if err := r.client.List(ctx, &securityPolicies); err != nil {
- return reconcile.Result{}, fmt.Errorf("error listing SecurityPolicies: %w", err)
- }
+ // Add the referenced services, ServiceImports, and EndpointSlices in
+ // the collected BackendRefs to the resourceTree.
+ // BackendRefs are referred by various Route objects and the ExtAuth in SecurityPolicies.
+ r.processBackendRefs(ctx, gwcResource, resourceMappings)
- for _, policy := range securityPolicies.Items {
- policy := policy
- // Discard Status to reduce memory consumption in watchable
- // It will be recomputed by the gateway-api layer
- policy.Status = egv1a1.SecurityPolicyStatus{}
- resourcesMap[acceptedGC.Name].SecurityPolicies = append(resourcesMap[acceptedGC.Name].SecurityPolicies, &policy)
+ // Add all ReferenceGrants to the resourceTree
+ // TODO: zhaohuabing remove allAssociatedRefGrants from resourceMappings and directly add to gwcResource
+ for _, referenceGrant := range resourceMappings.allAssociatedRefGrants {
+ gwcResource.ReferenceGrants = append(gwcResource.ReferenceGrants, referenceGrant)
}
- // Add the referenced Secrets in SecurityPolicies to the resourceTree
- r.processSecurityPolicySecretRefs(ctx, resourcesMap[acceptedGC.Name], resourceMappings)
-
// For this particular Gateway, and all associated objects, check whether the
// namespace exists. Add to the resourceTree.
for ns := range resourceMappings.allAssociatedNamespaces {
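Review bot: The early-exit check `if managedGCs == nil` depends on `managedGatewayClasses` returning a nil slice rather than an empty one when no class matched; since it hands back `cc.matchedClasses` whose construction in `addMatch`/`removeMatch` is not visible here, `if len(managedGCs) == 0 {` is the safer test and behaves the same for nil. The comment `// Add all BackendTLSPolies to the resourceTree` has a typo; it should read `// Add all BackendTLSPolicies to the resourceTree`. `Reconcile` continues past the end of this hunk.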
@@ -318,64 +225,171 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques
return reconcile.Result{}, err
}
- resourcesMap[acceptedGC.Name].Namespaces = append(resourcesMap[acceptedGC.Name].Namespaces, namespace)
+ gwcResource.Namespaces = append(gwcResource.Namespaces, namespace)
}
// Process the parametersRef of the accepted GatewayClass.
- if acceptedGC.Spec.ParametersRef != nil && acceptedGC.DeletionTimestamp == nil {
- if err := r.processParamsRef(ctx, acceptedGC, resourcesMap[acceptedGC.Name]); err != nil {
+ if managedGC.Spec.ParametersRef != nil && managedGC.DeletionTimestamp == nil {
+ if err := r.processParamsRef(ctx, managedGC, gwcResource); err != nil {
msg := fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err)
- if err := r.updateStatusForGatewayClass(ctx, acceptedGC, false, string(gwapiv1.GatewayClassReasonInvalidParameters), msg); err != nil {
+ if err := r.updateStatusForGatewayClass(ctx, managedGC, false, string(gwapiv1.GatewayClassReasonInvalidParameters), msg); err != nil {
r.log.Error(err, "unable to update GatewayClass status")
}
- r.log.Error(err, "failed to process parametersRef for gatewayclass", "name", acceptedGC.Name)
+ r.log.Error(err, "failed to process parametersRef for gatewayclass", "name", managedGC.Name)
return reconcile.Result{}, err
}
}
- if resourcesMap[acceptedGC.Name].EnvoyProxy != nil && resourcesMap[acceptedGC.Name].EnvoyProxy.Spec.MergeGateways != nil {
- r.mergeGateways[acceptedGC.Name] = *resourcesMap[acceptedGC.Name].EnvoyProxy.Spec.MergeGateways
+ if gwcResource.EnvoyProxy != nil && gwcResource.EnvoyProxy.Spec.MergeGateways != nil {
+ if *gwcResource.EnvoyProxy.Spec.MergeGateways {
+ r.mergeGateways.Insert(managedGC.Name)
+ } else {
+ r.mergeGateways.Delete(managedGC.Name)
+ }
}
- if err := r.updateStatusForGatewayClass(ctx, acceptedGC, true, string(gwapiv1.GatewayClassReasonAccepted), status.MsgValidGatewayClass); err != nil {
+ if err := r.updateStatusForGatewayClass(ctx, managedGC, true, string(gwapiv1.GatewayClassReasonAccepted), status.MsgValidGatewayClass); err != nil {
r.log.Error(err, "unable to update GatewayClass status")
return reconcile.Result{}, err
}
- if len(resourcesMap[acceptedGC.Name].Gateways) == 0 {
+ if len(gwcResource.Gateways) == 0 {
r.log.Info("No gateways found for accepted gatewayclass")
// If needed, remove the finalizer from the accepted GatewayClass.
- if err := r.removeFinalizer(ctx, acceptedGC); err != nil {
+ if err := r.removeFinalizer(ctx, managedGC); err != nil {
r.log.Error(err, fmt.Sprintf("failed to remove finalizer from gatewayclass %s",
- acceptedGC.Name))
+ managedGC.Name))
return reconcile.Result{}, err
}
} else {
// finalize the accepted GatewayClass.
- if err := r.addFinalizer(ctx, acceptedGC); err != nil {
+ if err := r.addFinalizer(ctx, managedGC); err != nil {
r.log.Error(err, fmt.Sprintf("failed adding finalizer to gatewayclass %s",
- acceptedGC.Name))
+ managedGC.Name))
return reconcile.Result{}, err
}
}
}
+
+ // Store the Gateway Resources for the GatewayClass.
// The Store is triggered even when there are no Gateways associated to the
// GatewayClass. This would happen in case the last Gateway is removed and the
// Store will be required to trigger a cleanup of envoy infra resources.
- r.resources.GatewayAPIResources.Store(string(r.classController), resourcesMap.DeepCopy())
+ r.resources.GatewayAPIResources.Store(string(r.classController), &gwcResources)
r.log.Info("reconciled gateways successfully")
return reconcile.Result{}, nil
}
-// processSecurityPolicySecretRefs adds the referenced Secrets in SecurityPolicies
+// managedGatewayClasses returns a list of GatewayClass objects that are managed by the Envoy Gateway Controller.
+func (r *gatewayAPIReconciler) managedGatewayClasses(ctx context.Context) ([]*gwapiv1.GatewayClass, error) {
+ var gatewayClasses gwapiv1.GatewayClassList
+ if err := r.client.List(ctx, &gatewayClasses); err != nil {
+ return nil, fmt.Errorf("error listing gatewayclasses: %w", err)
+ }
+
+ var cc controlledClasses
+
+ for _, gwClass := range gatewayClasses.Items {
+ gwClass := gwClass
+ if gwClass.Spec.ControllerName == r.classController {
+ // The gatewayclass was marked for deletion and the finalizer removed,
+ // so clean-up dependents.
+ if !gwClass.DeletionTimestamp.IsZero() &&
+ !slice.ContainsString(gwClass.Finalizers, gatewayClassFinalizer) {
+ r.log.Info("gatewayclass marked for deletion")
+ cc.removeMatch(&gwClass)
+ continue
+ }
+
+ cc.addMatch(&gwClass)
+ }
+ }
+
+ return cc.matchedClasses, nil
+}
+
+// processBackendRefs adds the referenced resources in BackendRefs to the resourceTree, including:
+// - Services
+// - ServiceImports
+// - EndpointSlices
+func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResource *gatewayapi.Resources, resourceMappings *resourceMappings) {
+ for backendRef := range resourceMappings.allAssociatedBackendRefs {
+ backendRefKind := gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService)
+ r.log.Info("processing Backend", "kind", backendRefKind, "namespace", string(*backendRef.Namespace),
+ "name", string(backendRef.Name))
+
+ var endpointSliceLabelKey string
+ switch backendRefKind {
+ case gatewayapi.KindService:
+ service := new(corev1.Service)
+ err := r.client.Get(ctx, types.NamespacedName{Namespace: string(*backendRef.Namespace), Name: string(backendRef.Name)}, service)
+ if err != nil {
+ r.log.Error(err, "failed to get Service", "namespace", string(*backendRef.Namespace),
+ "name", string(backendRef.Name))
+ } else {
+ resourceMappings.allAssociatedNamespaces[service.Namespace] = struct{}{}
+ gwcResource.Services = append(gwcResource.Services, service)
+ r.log.Info("added Service to resource tree", "namespace", string(*backendRef.Namespace),
+ "name", string(backendRef.Name))
+ }
+ endpointSliceLabelKey = discoveryv1.LabelServiceName
+
+ case gatewayapi.KindServiceImport:
+ serviceImport := new(mcsapi.ServiceImport)
+ err := r.client.Get(ctx, types.NamespacedName{Namespace: string(*backendRef.Namespace), Name: string(backendRef.Name)}, serviceImport)
+ if err != nil {
+ r.log.Error(err, "failed to get ServiceImport", "namespace", string(*backendRef.Namespace),
+ "name", string(backendRef.Name))
+ } else {
+ resourceMappings.allAssociatedNamespaces[serviceImport.Namespace] = struct{}{}
+ gwcResource.ServiceImports = append(gwcResource.ServiceImports, serviceImport)
+ r.log.Info("added ServiceImport to resource tree", "namespace", string(*backendRef.Namespace),
+ "name", string(backendRef.Name))
+ }
+ endpointSliceLabelKey = mcsapi.LabelServiceName
+ }
+
+ // Retrieve the EndpointSlices associated with the service
+ endpointSliceList := new(discoveryv1.EndpointSliceList)
+ opts := []client.ListOption{
+ client.MatchingLabels(map[string]string{
+ endpointSliceLabelKey: string(backendRef.Name),
+ }),
+ client.InNamespace(string(*backendRef.Namespace)),
+ }
+ if err := r.client.List(ctx, endpointSliceList, opts...); err != nil {
+ r.log.Error(err, "failed to get EndpointSlices", "namespace", string(*backendRef.Namespace),
+ backendRefKind, string(backendRef.Name))
+ } else {
+ for _, endpointSlice := range endpointSliceList.Items {
+ endpointSlice := endpointSlice
+ r.log.Info("added EndpointSlice to resource tree", "namespace", endpointSlice.Namespace,
+ "name", endpointSlice.Name)
+ gwcResource.EndpointSlices = append(gwcResource.EndpointSlices, &endpointSlice)
+ }
+ }
+ }
+}
+
+// processSecurityPolicyObjectRefs adds the referenced resources in SecurityPolicies
// to the resourceTree
-func (r *gatewayAPIReconciler) processSecurityPolicySecretRefs(
+// - Secrets for OIDC and BasicAuth
+// - BackendRefs for ExAuth
+func (r *gatewayAPIReconciler) processSecurityPolicyObjectRefs(
ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings) {
+ // we don't return errors from this method, because we want to continue reconciling
+ // the rest of the SecurityPolicies despite that one reference is invalid. This
+ // allows Envoy Gateway to continue serving traffic even if some SecurityPolicies
+ // are invalid.
+ //
+ // This SecurityPolicy will be marked as invalid in its status when translating
+ // to IR because the referenced secret can't be found.
for _, policy := range resourceTree.SecurityPolicies {
oidc := policy.Spec.OIDC
+ // Add the referenced Secrets in OIDC to the resourceTree
if oidc != nil {
if err := r.processSecretRef(
ctx,
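Review bot: The `mergeGateways` set only changes when `EnvoyProxy.Spec.MergeGateways` is non-nil, so a GatewayClass whose EnvoyProxy (or just the `mergeGateways` field) is later removed keeps its stale `Insert`ed entry; the same was true of the old map, but the switch to a set is the moment to make the absence of the field clear it. Collapsing the condition so that any nil path falls into `Delete` fixes this. Separately, `Store` now publishes `&gwcResources` directly where the old code stored `resourcesMap.DeepCopy()`; if any subscriber mutates what it receives, the reconciler and its readers now share one object, so either keep a deep copy at the store or document that stored resources are read-only.

```go
// … unchanged: parametersRef processing …
if ep := gwcResource.EnvoyProxy; ep != nil && ep.Spec.MergeGateways != nil && *ep.Spec.MergeGateways {
	r.mergeGateways.Insert(managedGC.Name)
} else {
	// No EnvoyProxy, or mergeGateways unset/false: drop any stale entry.
	r.mergeGateways.Delete(managedGC.Name)
}
// … unchanged: GatewayClass status update and finalizer handling …
```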
@@ -385,17 +399,13 @@ func (r *gatewayAPIReconciler) processSecurityPolicySecretRefs(
policy.Namespace,
policy.Name,
oidc.ClientSecret); err != nil {
- // we don't return an error here, because we want to continue
- // reconciling the rest of the SecurityPolicies despite that this
- // secret reference is invalid.
- // This SecurityPolicy will be marked as invalid in its status
- // when translating to IR because the referenced secret can't be
- // found.
r.log.Error(err,
"failed to process OIDC SecretRef for SecurityPolicy",
"policy", policy, "secretRef", oidc.ClientSecret)
}
}
+
+ // Add the referenced Secrets in BasicAuth to the resourceTree
basicAuth := policy.Spec.BasicAuth
if basicAuth != nil {
if err := r.processSecretRef(
@@ -411,9 +421,82 @@ func (r *gatewayAPIReconciler) processSecurityPolicySecretRefs(
"policy", policy, "secretRef", basicAuth.Users)
}
}
+
+ // Add the referenced BackendRefs and ReferenceGrants in ExtAuth to Maps for later processing
+ extAuth := policy.Spec.ExtAuth
+ if extAuth != nil {
+ var backendRef gwapiv1.BackendObjectReference
+ if extAuth.GRPC != nil {
+ backendRef = extAuth.GRPC.BackendRef
+ } else {
+ backendRef = extAuth.HTTP.BackendRef
+ }
+
+ backendNamespace := gatewayapi.NamespaceDerefOr(backendRef.Namespace, policy.Namespace)
+ resourceMap.allAssociatedBackendRefs[gwapiv1.BackendObjectReference{
+ Group: backendRef.Group,
+ Kind: backendRef.Kind,
+ Namespace: gatewayapi.NamespacePtrV1Alpha2(backendNamespace),
+ Name: backendRef.Name,
+ }] = struct{}{}
+
+ if backendNamespace != policy.Namespace {
+ from := ObjectKindNamespacedName{
+ kind: gatewayapi.KindHTTPRoute,
+ namespace: policy.Namespace,
+ name: policy.Name,
+ }
+ to := ObjectKindNamespacedName{
+ kind: gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService),
+ namespace: backendNamespace,
+ name: string(backendRef.Name),
+ }
+ refGrant, err := r.findReferenceGrant(ctx, from, to)
+ switch {
+ case err != nil:
+ r.log.Error(err, "failed to find ReferenceGrant")
+ case refGrant == nil:
+ r.log.Info("no matching ReferenceGrants found", "from", from.kind,
+ "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace)
+ default:
+ resourceMap.allAssociatedRefGrants[utils.NamespacedName(refGrant)] = refGrant
+ r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace,
+ "name", refGrant.Name)
+ }
+ }
+ }
}
}
+// processOIDCHMACSecret adds the OIDC HMAC Secret to the resourceTree.
+// The OIDC HMAC Secret is created by the CertGen job and is used by SecurityPolicy
+// to configure OAuth2 filters.
+func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resourceTree *gatewayapi.Resources) {
+ var (
+ secret corev1.Secret
+ err error
+ )
+
+ err = r.client.Get(ctx,
+ types.NamespacedName{Namespace: r.namespace, Name: oidcHMACSecretName},
+ &secret,
+ )
+
+ // We don't return an error here, because we want to continue reconciling
+ // despite that the OIDC HMAC secret can't be found.
+ // If the OIDC HMAC Secret is missing, the SecurityPolicy with OIDC will be
+ // marked as invalid in its status when translating to IR.
+ if err != nil {
+ r.log.Error(err,
+ "failed to process OIDC HMAC Secret",
+ "namespace", r.namespace, "name", oidcHMACSecretName)
+ return
+ }
+
+ resourceTree.Secrets = append(resourceTree.Secrets, &secret)
+ r.log.Info("processing OIDC HMAC Secret", "namespace", r.namespace, "name", oidcHMACSecretName)
+}
+
// processSecretRef adds the referenced Secret to the resourceTree if it's valid.
// - If it exists in the same namespace as the owner.
// - If it exists in a different namespace, and there is a ReferenceGrant.
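Review bot: The cross-namespace ExtAuth lookup builds its `from` reference with `kind: gatewayapi.KindHTTPRoute` although the referring object is a SecurityPolicy, so a ReferenceGrant written for HTTPRoutes authorizes a SecurityPolicy's backend reference while one written for SecurityPolicy does not; unless this reuse is intentional, the `from` kind should name the SecurityPolicy kind, mirroring how the BackendTLSPolicy path in this commit passes `gatewayapi.KindBackendTLSPolicy`. The `extAuth.HTTP.BackendRef` fallback dereferences `HTTP` whenever `GRPC` is nil, which panics if both are unset; if CRD validation does not guarantee exactly one, guard it with `} else if extAuth.HTTP != nil {` and skip the policy otherwise. In `processOIDCHMACSecret` the `"processing OIDC HMAC Secret"` log is emitted after the secret has already been appended, so `"added OIDC HMAC Secret to resource tree"` would describe the event more accurately.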
@@ -616,14 +699,14 @@ func (r *gatewayAPIReconciler) findReferenceGrant(ctx context.Context, from, to
return nil, nil
}
-func (r *gatewayAPIReconciler) processGateways(ctx context.Context, acceptedGC *gwapiv1.GatewayClass, resourceMap *resourceMappings, resourceTree *gatewayapi.Resources) error {
- // Find gateways for the acceptedGC
+func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *gwapiv1.GatewayClass, resourceMap *resourceMappings, resourceTree *gatewayapi.Resources) error {
+ // Find gateways for the managedGC
// Find the Gateways that reference this Class.
gatewayList := &gwapiv1.GatewayList{}
if err := r.client.List(ctx, gatewayList, &client.ListOptions{
- FieldSelector: fields.OneTermEqualSelector(classGatewayIndex, acceptedGC.Name),
+ FieldSelector: fields.OneTermEqualSelector(classGatewayIndex, managedGC.Name),
}); err != nil {
- r.log.Info("no associated Gateways found for GatewayClass", "name", acceptedGC.Name)
+ r.log.Info("no associated Gateways found for GatewayClass", "name", managedGC.Name)
return err
}
@@ -700,6 +783,107 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, acceptedGC *
return nil
}
+// processEnvoyPatchPolicies adds EnvoyPatchPolicies to the resourceTree
+func (r *gatewayAPIReconciler) processEnvoyPatchPolicies(ctx context.Context, resourceTree *gatewayapi.Resources) error {
+ envoyPatchPolicies := egv1a1.EnvoyPatchPolicyList{}
+ if err := r.client.List(ctx, &envoyPatchPolicies); err != nil {
+ return fmt.Errorf("error listing EnvoyPatchPolicies: %w", err)
+ }
+
+ for _, policy := range envoyPatchPolicies.Items {
+ policy := policy
+ // Discard Status to reduce memory consumption in watchable
+ // It will be recomputed by the gateway-api layer
+ policy.Status = egv1a1.EnvoyPatchPolicyStatus{}
+
+ resourceTree.EnvoyPatchPolicies = append(resourceTree.EnvoyPatchPolicies, &policy)
+ }
+ return nil
+}
+
+// processClientTrafficPolicies adds ClientTrafficPolicies to the resourceTree
+func (r *gatewayAPIReconciler) processClientTrafficPolicies(
+ ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings) error {
+ clientTrafficPolicies := egv1a1.ClientTrafficPolicyList{}
+ if err := r.client.List(ctx, &clientTrafficPolicies); err != nil {
+ return fmt.Errorf("error listing ClientTrafficPolicies: %w", err)
+ }
+
+ for _, policy := range clientTrafficPolicies.Items {
+ policy := policy
+ // Discard Status to reduce memory consumption in watchable
+ // It will be recomputed by the gateway-api layer
+ policy.Status = egv1a1.ClientTrafficPolicyStatus{}
+ resourceTree.ClientTrafficPolicies = append(resourceTree.ClientTrafficPolicies, &policy)
+ }
+
+ r.processCtpConfigMapRefs(ctx, resourceTree, resourceMap)
+
+ return nil
+}
+
+// processBackendTrafficPolicies adds BackendTrafficPolicies to the resourceTree
+func (r *gatewayAPIReconciler) processBackendTrafficPolicies(ctx context.Context, resourceTree *gatewayapi.Resources) error {
+ backendTrafficPolicies := egv1a1.BackendTrafficPolicyList{}
+ if err := r.client.List(ctx, &backendTrafficPolicies); err != nil {
+ return fmt.Errorf("error listing BackendTrafficPolicies: %w", err)
+ }
+
+ for _, policy := range backendTrafficPolicies.Items {
+ policy := policy
+ // Discard Status to reduce memory consumption in watchable
+ // It will be recomputed by the gateway-api layer
+ policy.Status = egv1a1.BackendTrafficPolicyStatus{}
+ resourceTree.BackendTrafficPolicies = append(resourceTree.BackendTrafficPolicies, &policy)
+ }
+ return nil
+}
+
+// processSecurityPolicies adds SecurityPolicies and their referenced resources to the resourceTree
+func (r *gatewayAPIReconciler) processSecurityPolicies(
+ ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings) error {
+ securityPolicies := egv1a1.SecurityPolicyList{}
+ if err := r.client.List(ctx, &securityPolicies); err != nil {
+ return fmt.Errorf("error listing SecurityPolicies: %w", err)
+ }
+
+ for _, policy := range securityPolicies.Items {
+ policy := policy
+ // Discard Status to reduce memory consumption in watchable
+ // It will be recomputed by the gateway-api layer
+ policy.Status = egv1a1.SecurityPolicyStatus{}
+ resourceTree.SecurityPolicies = append(resourceTree.SecurityPolicies, &policy)
+ }
+
+ // Add the referenced Resources in SecurityPolicies to the resourceTree
+ r.processSecurityPolicyObjectRefs(ctx, resourceTree, resourceMap)
+
+ // Add the OIDC HMAC Secret to the resourceTree
+ r.processOIDCHMACSecret(ctx, resourceTree)
+ return nil
+}
+
+// processBackendTLSPolicies adds BackendTLSPolicies and their referenced resources to the resourceTree
+func (r *gatewayAPIReconciler) processBackendTLSPolicies(
+ ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings) error {
+ backendTLSPolicies := gwapiv1a2.BackendTLSPolicyList{}
+ if err := r.client.List(ctx, &backendTLSPolicies); err != nil {
+ return fmt.Errorf("error listing BackendTLSPolicies: %w", err)
+ }
+
+ for _, policy := range backendTLSPolicies.Items {
+ policy := policy
+ // Discard Status to reduce memory consumption in watchable
+ // It will be recomputed by the gateway-api layer
+ policy.Status = gwapiv1a2.PolicyStatus{} // todo ?
+ resourceTree.BackendTLSPolicies = append(resourceTree.BackendTLSPolicies, &policy)
+ }
+
+ // Add the referenced Secrets and ConfigMaps in BackendTLSPolicies to the resourceTree.
+ r.processBackendTLSPolicyConfigMapRefs(ctx, resourceTree, resourceMap)
+ return nil
+}
+
// removeFinalizer removes the gatewayclass finalizer from the provided gc, if it exists.
func (r *gatewayAPIReconciler) removeFinalizer(ctx context.Context, gc *gwapiv1.GatewayClass) error {
if slice.ContainsString(gc.Finalizers, gatewayClassFinalizer) {
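Review bot: `policy.Status = gwapiv1a2.PolicyStatus{} // todo ?` in `processBackendTLSPolicies` leaves an unresolved marker in the new code; the surrounding comment already explains why status is discarded, so either delete the `// todo ?` or turn it into a specific question. The comment `// Add the referenced Secrets and ConfigMaps in BackendTLSPolicies to the resourceTree.` overstates what follows, since `processBackendTLSPolicyConfigMapRefs` handles only ConfigMap CA references; `// Add the referenced ConfigMaps in BackendTLSPolicies to the resourceTree.` matches the call. Each new `process*Policies` helper also issues a cluster-wide `List` without the `namespaceLabel` filtering applied to the watches; if that is by design, a one-line comment on the first helper saying so would save the next reader the same question.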
@@ -931,7 +1115,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
return err
}
- // Watch ConfigMap CRUDs and process affected ClienTraffiPolicies.
+ // Watch ConfigMap CRUDs and process affected ClienTraffiPolicies and BackendTLSPolicies.
configMapPredicates := []predicate.Predicate{
predicate.GenerationChangedPredicate{},
predicate.NewPredicateFuncs(r.validateConfigMapForReconcile),
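Review bot: The rewritten comment keeps the misspelling `ClienTraffiPolicies` from the line it replaces. Since the line is being touched anyway, make it `// Watch ConfigMap CRUDs and process affected ClientTrafficPolicies and BackendTLSPolicies.`.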
@@ -1041,6 +1225,24 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
return err
}
+ // Watch BackendTLSPolicy
+ btlsPredicates := []predicate.Predicate{predicate.GenerationChangedPredicate{}}
+ if r.namespaceLabel != nil {
+ btlsPredicates = append(btlsPredicates, predicate.NewPredicateFuncs(r.hasMatchingNamespaceLabels))
+ }
+
+ if err := c.Watch(
+ source.Kind(mgr.GetCache(), &gwapiv1a2.BackendTLSPolicy{}),
+ handler.EnqueueRequestsFromMapFunc(r.enqueueClass),
+ btlsPredicates...,
+ ); err != nil {
+ return err
+ }
+
+ if err := addBtlsIndexers(ctx, mgr); err != nil {
+ return err
+ }
+
r.log.Info("Watching gatewayAPI related objects")
// Watch any additional GVKs from the registered extension.
@@ -1170,3 +1372,40 @@ func (r *gatewayAPIReconciler) serviceImportCRDExists(mgr manager.Manager) bool
return serviceImportFound
}
+
+func (r *gatewayAPIReconciler) processBackendTLSPolicyConfigMapRefs(ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings) {
+ for _, policy := range resourceTree.BackendTLSPolicies {
+ tls := policy.Spec.TLS
+
+ if tls.CACertRefs != nil {
+ for _, caCertRef := range tls.CACertRefs {
+ if string(caCertRef.Kind) == gatewayapi.KindConfigMap {
+ caRefNew := gwapiv1b1.SecretObjectReference{
+ Group: gatewayapi.GroupPtr(string(caCertRef.Group)),
+ Kind: gatewayapi.KindPtr(string(caCertRef.Kind)),
+ Name: caCertRef.Name,
+ Namespace: gatewayapi.NamespacePtr(policy.Namespace),
+ }
+ if err := r.processConfigMapRef(
+ ctx,
+ resourceMap,
+ resourceTree,
+ gatewayapi.KindBackendTLSPolicy,
+ policy.Namespace,
+ policy.Name,
+ caRefNew); err != nil {
+ // we don't return an error here, because we want to continue
+ // reconciling the rest of the ClientTrafficPolicies despite that this
+ // reference is invalid.
+ // This ClientTrafficPolicy will be marked as invalid in its status
+ // when translating to IR because the referenced configmap can't be
+ // found.
+ r.log.Error(err,
+ "failed to process CACertificateRef for BackendTLSPolicy",
+ "policy", policy, "caCertificateRef", caCertRef.Name)
+ }
+ }
+ }
+ }
+ }
+}
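Review bot: The ConfigMap branch at the top of the loop tests Kind only, so a CACertRef with `Kind: ConfigMap` and a non-core Group is resolved as a core ConfigMap, while any other Kind is dropped without a log line or status condition even though the call-site comment says Secrets and ConfigMaps are added — a trust bundle that is silently skipped means backend TLS is validated against something other than what the user configured. I would tighten the test and log the skip: `if string(caCertRef.Kind) != gatewayapi.KindConfigMap || caCertRef.Group != "" { r.log.Info("unsupported CACertRef, skipping", "policy", policy.Name, "kind", caCertRef.Kind); continue }`. The error-handling comment was carried over from the ClientTrafficPolicy code and still talks about ClientTrafficPolicies; it should say `// This BackendTLSPolicy will be marked as invalid in its status`. Logging `"policy", policy` serialises the whole object; `policy.Namespace` and `policy.Name` are enough.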
diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go
index f4daed5960e..3e638a17aae 100644
--- a/internal/provider/kubernetes/indexers.go
+++ b/internal/provider/kubernetes/indexers.go
@@ -37,6 +37,7 @@ const (
backendSecurityPolicyIndex = "backendSecurityPolicyIndex"
configMapCtpIndex = "configMapCtpIndex"
secretCtpIndex = "secretCtpIndex"
+ configMapBtlsIndex = "configMapBtlsIndex"
)
func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error {
@@ -481,3 +482,32 @@ func secretCtpIndexFunc(rawObj client.Object) []string {
}
return secretReferences
}
+
+// addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap objects that are
+// referenced in BackendTLSPolicy objects. This helps in querying for BackendTLSPolicies that are
+// affected by a particular ConfigMap CRUD.
+func addBtlsIndexers(ctx context.Context, mgr manager.Manager) error {
+ if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a2.BackendTLSPolicy{}, configMapBtlsIndex, configMapBtlsIndexFunc); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func configMapBtlsIndexFunc(rawObj client.Object) []string {
+ btls := rawObj.(*gwapiv1a2.BackendTLSPolicy)
+ var configMapReferences []string
+ if btls.Spec.TLS.CACertRefs != nil {
+ for _, caCertRef := range btls.Spec.TLS.CACertRefs {
+ if string(caCertRef.Kind) == gatewayapi.KindConfigMap {
+ configMapReferences = append(configMapReferences,
+ types.NamespacedName{
+ Namespace: btls.Namespace,
+ Name: string(caCertRef.Name),
+ }.String(),
+ )
+ }
+ }
+ }
+ return configMapReferences
+}
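Review bot: configMapBtlsIndexFunc decides what counts as a ConfigMap reference by Kind alone, and that decision has to match processBackendTLSPolicyConfigMapRefs exactly, otherwise a ConfigMap edit either fails to re-trigger reconciliation or triggers it for a ref that is never resolved; whichever rule is chosen there (for instance also requiring the core group, `caCertRef.Group == ""`) should be applied here too, ideally through one shared helper. The `CACertRefs != nil` guard is redundant since ranging over a nil slice is a no-op. A doc comment on configMapBtlsIndexFunc stating the key format — `namespace/name` of the ConfigMap, taken from the policy's namespace because CACertRefs are local references — would tell readers of validateConfigMapForReconcile why `utils.NamespacedName(configMap).String()` is the right lookup key.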
diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go
index fc4cc7a39a0..350818cb182 100644
--- a/internal/provider/kubernetes/kubernetes_test.go
+++ b/internal/provider/kubernetes/kubernetes_test.go
@@ -366,10 +366,8 @@ func testGatewayScheduledStatus(ctx context.Context, t *testing.T, provider *Pro
return cli.Get(ctx, key, gw) == nil
}, defaultWait, defaultTick)
- gatewayClassResources, _ := resources.GatewayAPIResources.Load(egv1a1.GatewayControllerName)
- assert.NotNil(t, gatewayClassResources)
-
- res := (*gatewayClassResources)[gc.Name]
+ res := resources.GetResourcesByGatewayClass(gc.Name)
+ assert.NotNil(t, res)
// Only check if the spec is equal
// The watchable map will not store a resource
// with an updated status if the spec has not changed
@@ -903,10 +901,8 @@ func testHTTPRoute(ctx context.Context, t *testing.T, provider *Provider, resour
return ok && len(res.HTTPRoutes) != 0
}, defaultWait, defaultTick)
- gatewayClassResources, _ := resources.GatewayAPIResources.Load(egv1a1.GatewayControllerName)
- assert.NotNil(t, gatewayClassResources)
-
- res := (*gatewayClassResources)[gc.Name]
+ res := resources.GetResourcesByGatewayClass(gc.Name)
+ assert.NotNil(t, res)
assert.Equal(t, &testCase.route, res.HTTPRoutes[0])
// Ensure the HTTPRoute Namespace is in the Namespace resource map.
@@ -1054,10 +1050,8 @@ func testTLSRoute(ctx context.Context, t *testing.T, provider *Provider, resourc
return ok && len(res.TLSRoutes) != 0
}, defaultWait, defaultTick)
- gatewayClassResources, _ := resources.GatewayAPIResources.Load(egv1a1.GatewayControllerName)
- assert.NotNil(t, gatewayClassResources)
-
- res, _ := (*gatewayClassResources)[gc.Name]
+ res := resources.GetResourcesByGatewayClass(gc.Name)
+ assert.NotNil(t, res)
assert.Equal(t, &testCase.route, res.TLSRoutes[0])
// Ensure the HTTPRoute Namespace is in the Namespace resource map.
@@ -1593,13 +1587,8 @@ func TestNamespaceSelectorProvider(t *testing.T) {
}
func waitUntilGatewayClassResourcesAreReady(resources *message.ProviderResources, gatewayClassName string) (*gatewayapi.Resources, bool) {
- gatewayClassResources, ok := resources.GatewayAPIResources.Load(egv1a1.GatewayControllerName)
- if !ok {
- return nil, false
- }
-
- res, ok := (*gatewayClassResources)[gatewayClassName]
- if !ok {
+ res := resources.GetResourcesByGatewayClass(gatewayClassName)
+ if res == nil {
return nil, false
}
diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go
index c929721dccc..3585a2913ae 100644
--- a/internal/provider/kubernetes/predicates.go
+++ b/internal/provider/kubernetes/predicates.go
@@ -27,6 +27,9 @@ import (
"github.com/envoyproxy/gateway/internal/utils"
)
+// nolint: gosec
+const oidcHMACSecretName = "envoy-oidc-hmac"
+
// hasMatchingController returns true if the provided object is a GatewayClass
// with a Spec.Controller string matching this Envoy Gateway's controller string,
// or false otherwise.
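Review bot: The `// nolint: gosec` on oidcHMACSecretName suppresses G101 (hard-coded credentials) without saying why; since the value is the Secret's object name rather than key material, state that next to the directive, e.g. `//nolint:gosec // G101: Secret name, not a credential`. If nolintlint is enabled the spaced form is reported, and the bootstrap test in this same change writes `// nolint:gosec`, so the two should at least agree. The same literal `"envoy-oidc-hmac"` is spelled out again in CertsToSecret in secrets.go (same package); using this constant there keeps the Secret watch predicate and the generated Secret from drifting apart on a rename.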
@@ -153,6 +156,10 @@ func (r *gatewayAPIReconciler) validateSecretForReconcile(obj client.Object) boo
return true
}
+ if r.isOIDCHMACSecret(&nsName) {
+ return true
+ }
+
return false
}
@@ -202,6 +209,14 @@ func (r *gatewayAPIReconciler) isCtpReferencingSecret(nsName *types.NamespacedNa
return len(ctpList.Items) > 0
}
+func (r *gatewayAPIReconciler) isOIDCHMACSecret(nsName *types.NamespacedName) bool {
+ oidcHMACSecret := types.NamespacedName{
+ Namespace: r.namespace,
+ Name: oidcHMACSecretName,
+ }
+ return *nsName == oidcHMACSecret
+}
+
// validateServiceForReconcile tries finding the owning Gateway of the Service
// if it exists, finds the Gateway's Deployment, and further updates the Gateway
// status Ready condition. All Services are pushed for reconciliation.
@@ -223,7 +238,7 @@ func (r *gatewayAPIReconciler) validateServiceForReconcile(obj client.Object) bo
// Merged gateways will have only this label, update status of all Gateways under found GatewayClass.
gcName, ok := labels[gatewayapi.OwningGatewayClassLabel]
- if ok && r.mergeGateways[gcName] {
+ if ok && r.mergeGateways.Has(gcName) {
if err := r.updateStatusForGatewaysUnderGatewayClass(ctx, gcName); err != nil {
r.log.Info("no Gateways found under GatewayClass", "name", gcName)
return false
@@ -375,7 +390,7 @@ func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object)
// Merged gateways will have only this label, update status of all Gateways under found GatewayClass.
gcName, ok := labels[gatewayapi.OwningGatewayClassLabel]
- if ok && r.mergeGateways[gcName] {
+ if ok && r.mergeGateways.Has(gcName) {
if err := r.updateStatusForGatewaysUnderGatewayClass(ctx, gcName); err != nil {
r.log.Info("no Gateways found under GatewayClass", "name", gcName)
return false
@@ -391,7 +406,7 @@ func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object)
func (r *gatewayAPIReconciler) envoyDeploymentForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (*appsv1.Deployment, error) {
key := types.NamespacedName{
Namespace: r.namespace,
- Name: infraName(gateway, r.mergeGateways[string(gateway.Spec.GatewayClassName)]),
+ Name: infraName(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName))),
}
deployment := new(appsv1.Deployment)
if err := r.client.Get(ctx, key, deployment); err != nil {
@@ -407,7 +422,7 @@ func (r *gatewayAPIReconciler) envoyDeploymentForGateway(ctx context.Context, ga
func (r *gatewayAPIReconciler) envoyServiceForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (*corev1.Service, error) {
key := types.NamespacedName{
Namespace: r.namespace,
- Name: infraName(gateway, r.mergeGateways[string(gateway.Spec.GatewayClassName)]),
+ Name: infraName(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName))),
}
svc := new(corev1.Service)
if err := r.client.Get(ctx, key, svc); err != nil {
@@ -504,5 +519,17 @@ func (r *gatewayAPIReconciler) validateConfigMapForReconcile(obj client.Object)
return false
}
+ btlsList := &gwapiv1a2.BackendTLSPolicyList{}
+ if err := r.client.List(context.Background(), btlsList, &client.ListOptions{
+ FieldSelector: fields.OneTermEqualSelector(configMapBtlsIndex, utils.NamespacedName(configMap).String()),
+ }); err != nil {
+ r.log.Error(err, "unable to find associated BackendTLSPolicy")
+ return false
+ }
+
+ if len(btlsList.Items) == 0 {
+ return false
+ }
+
return true
}
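Review bot: The new `len(btlsList.Items) == 0` guard returns false regardless of what the ClientTrafficPolicy lookup above it found, so a ConfigMap referenced by a ClientTrafficPolicy but by no BackendTLSPolicy no longer triggers reconciliation; and if the `}` at the top of the hunk closes a `len(ctpList.Items) == 0` guard (the start of validateConfigMapForReconcile is outside the hunk), a ConfigMap referenced only by a BackendTLSPolicy is rejected before this code runs, so the predicate effectively requires both. Drop the early returns on the individual counts and decide once at the end: `return len(ctpList.Items) > 0 || len(btlsList.Items) > 0`. The lookup uses `context.Background()`, matching the existing predicate style, but it cannot be cancelled on shutdown; worth a note if that is intentional.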
diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go
index cd88d7b7100..f923eef8a26 100644
--- a/internal/provider/kubernetes/predicates_test.go
+++ b/internal/provider/kubernetes/predicates_test.go
@@ -13,6 +13,7 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/utils/ptr"
"sigs.k8s.io/controller-runtime/pkg/client"
fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -556,9 +557,7 @@ func TestValidateServiceForReconcile(t *testing.T) {
r := gatewayAPIReconciler{
classController: v1alpha1.GatewayControllerName,
log: logger,
- mergeGateways: map[string]bool{
- "test-mg": true,
- },
+ mergeGateways: sets.New[string]("test-mg"),
}
for _, tc := range testCases {
@@ -653,9 +652,7 @@ func TestValidateDeploymentForReconcile(t *testing.T) {
r := gatewayAPIReconciler{
classController: v1alpha1.GatewayControllerName,
log: logger,
- mergeGateways: map[string]bool{
- "test-mg": true,
- },
+ mergeGateways: sets.New[string]("test-mg"),
}
for _, tc := range testCases {
diff --git a/internal/provider/kubernetes/secrets.go b/internal/provider/kubernetes/secrets.go
index 5a2a8c7776c..bd1af8612e8 100644
--- a/internal/provider/kubernetes/secrets.go
+++ b/internal/provider/kubernetes/secrets.go
@@ -26,7 +26,10 @@ var (
// caCertificateKey is the key name for accessing TLS CA certificate bundles
// in Kubernetes Secrets.
-const caCertificateKey = "ca.crt"
+const (
+ caCertificateKey = "ca.crt"
+ hmacSecretKey = "hmac-secret"
+)
func newSecret(secretType corev1.SecretType, name string, namespace string, data map[string][]byte) corev1.Secret {
return corev1.Secret{
@@ -76,6 +79,13 @@ func CertsToSecret(namespace string, certs *crypto.Certificates) []corev1.Secret
corev1.TLSCertKey: certs.EnvoyRateLimitCertificate,
corev1.TLSPrivateKeyKey: certs.EnvoyRateLimitPrivateKey,
}),
+ newSecret(
+ corev1.SecretTypeOpaque,
+ "envoy-oidc-hmac",
+ namespace,
+ map[string][]byte{
+ hmacSecretKey: certs.OIDCHMACSecret,
+ }),
}
}
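Review bot: The Secret name is a bare literal `"envoy-oidc-hmac"` here while predicates.go in the same package defines `oidcHMACSecretName` for the same value and uses it in the Secret watch predicate; use the constant (`oidcHMACSecretName,`) so the generator and the predicate cannot diverge on a rename. Nothing here checks that `certs.OIDCHMACSecret` is non-empty; if crypto.Certificates can be built with a zero-length value, an Opaque Secret with an empty `hmac-secret` key is still emitted and whatever later signs OIDC state with it would sign with an empty key, so either guard the length or add a comment stating the generator guarantees it. CertsToSecret starts outside the hunk.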
diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go
index f26ae4c877a..1e780a19689 100644
--- a/internal/provider/kubernetes/status.go
+++ b/internal/provider/kubernetes/status.go
@@ -334,6 +334,36 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context) {
)
r.log.Info("securityPolicy status subscriber shutting down")
}()
+
+ // BackendTLSPolicy object status updater
+ go func() {
+ message.HandleSubscription(message.Metadata{Runner: string(v1alpha1.LogComponentProviderRunner), Message: "backendtlspolicy-status"}, r.resources.BackendTLSPolicyStatuses.Subscribe(ctx),
+ func(update message.Update[types.NamespacedName, *gwapiv1a2.PolicyStatus], errChan chan error) {
+ // skip delete updates.
+ if update.Delete {
+ return
+ }
+ key := update.Key
+ val := update.Value
+ r.statusUpdater.Send(status.Update{
+ NamespacedName: key,
+ Resource: new(gwapiv1a2.BackendTLSPolicy),
+ Mutator: status.MutatorFunc(func(obj client.Object) client.Object {
+ t, ok := obj.(*gwapiv1a2.BackendTLSPolicy)
+ if !ok {
+ err := fmt.Errorf("unsupported object type %T", obj)
+ errChan <- err
+ panic(err)
+ }
+ tCopy := t.DeepCopy()
+ tCopy.Status = *val
+ return tCopy
+ }),
+ })
+ },
+ )
+ r.log.Info("backendTlsPolicy status subscriber shutting down")
+ }()
}
func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw *gwapiv1.Gateway) {
diff --git a/internal/status/backendtlspolicy.go b/internal/status/backendtlspolicy.go
new file mode 100644
index 00000000000..313cab2f595
--- /dev/null
+++ b/internal/status/backendtlspolicy.go
@@ -0,0 +1,32 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package status
+
+import (
+ "time"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+func SetBackendTLSPolicyCondition(c *gwv1a2.BackendTLSPolicy, policyAnces gwv1a2.PolicyAncestorStatus, conditionType gwv1a2.PolicyConditionType, status metav1.ConditionStatus, reason gwv1a2.PolicyConditionReason, message string) {
+
+ if c.Status.Ancestors == nil {
+ c.Status.Ancestors = []gwv1a2.PolicyAncestorStatus{}
+ }
+
+ cond := newCondition(string(conditionType), status, string(reason), message, time.Now(), c.Generation)
+ for i, ancestor := range c.Status.Ancestors {
+ if ancestor.AncestorRef.Name == policyAnces.AncestorRef.Name &&
+ (ancestor.AncestorRef.Namespace == nil || *ancestor.AncestorRef.Namespace == *policyAnces.AncestorRef.Namespace) {
+ c.Status.Ancestors[i].Conditions = MergeConditions(c.Status.Ancestors[i].Conditions, cond)
+ return
+ }
+ }
+ len := len(c.Status.Ancestors)
+ c.Status.Ancestors = append(c.Status.Ancestors, policyAnces)
+ c.Status.Ancestors[len].Conditions = MergeConditions(c.Status.Ancestors[len].Conditions, cond)
+}
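Review bot: The ancestor match dereferences `*policyAnces.AncestorRef.Namespace` whenever an existing ancestor has a non-nil Namespace, so a caller that passes an AncestorRef with nil Namespace panics on the second call for the same policy; the comparison also ignores Group, Kind and SectionName, so two ancestors with the same name but different kinds share one condition list. I would extract a nil-safe comparison over the identifying fields and use it in the loop (the generic helper needs Go 1.18+, which the `sets.New[string]` usage in this change already assumes). The local named `len` shadows the builtin; `idx` reads better. A doc comment saying that conditions are merged per ancestor and a new ancestor entry is appended when none matches would complete the exported function.
```go
	for i, ancestor := range c.Status.Ancestors {
		if ancestorRefEqual(ancestor.AncestorRef, policyAnces.AncestorRef) {
			// … unchanged: merge cond into the existing ancestor and return …
		}
	}
	idx := len(c.Status.Ancestors)
	// … unchanged: append policyAnces and merge cond at idx …
}

// ancestorRefEqual reports whether two ancestor references identify the same
// object. An unset (nil) optional field only matches an unset field, so a nil
// Namespace is never dereferenced; if "nil means the policy's namespace" is
// wanted instead, resolve it before calling rather than here.
func ancestorRefEqual(a, b gwv1a2.ParentReference) bool {
	return a.Name == b.Name &&
		ptrEqual(a.Namespace, b.Namespace) &&
		ptrEqual(a.Group, b.Group) &&
		ptrEqual(a.Kind, b.Kind) &&
		ptrEqual(a.SectionName, b.SectionName)
}

// ptrEqual compares two optional values, treating nil as equal only to nil.
func ptrEqual[T comparable](a, b *T) bool {
	if a == nil || b == nil {
		return a == b
	}
	return *a == *b
}
```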
diff --git a/internal/status/status.go b/internal/status/status.go
index 5ffa6ed4ad1..4f945e2ca9c 100644
--- a/internal/status/status.go
+++ b/internal/status/status.go
@@ -170,6 +170,7 @@ func (u *UpdateWriter) Send(update Update) {
// EnvoyPatchPolicy
// ClientTrafficPolicy
// SecurityPolicy
+// BackendTLSPolicy
func isStatusEqual(objA, objB interface{}) bool {
opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime")
switch a := objA.(type) {
@@ -239,6 +240,12 @@ func isStatusEqual(objA, objB interface{}) bool {
return true
}
}
+ case gwapiv1a2.BackendTLSPolicy:
+ if b, ok := objB.(*gwapiv1a2.BackendTLSPolicy); ok {
+ if cmp.Equal(a.Status, b.Status, opts) {
+ return true
+ }
+ }
}
return false
diff --git a/internal/utils/proto/google_proto.go b/internal/utils/proto/google_proto.go
new file mode 100644
index 00000000000..fea52d070e7
--- /dev/null
+++ b/internal/utils/proto/google_proto.go
@@ -0,0 +1,128 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+// Copied from https://github.com/kumahq/kuma/tree/9ea78e31147a855ac54a7a2c92c724ee9a75de46/pkg/util/proto
+// to avoid importing the entire kuma codebase breaking our go.mod file
+
+package proto
+
+import (
+ "fmt"
+
+ "google.golang.org/protobuf/proto"
+ "google.golang.org/protobuf/reflect/protoreflect"
+ "google.golang.org/protobuf/types/known/durationpb"
+)
+
+type (
+ MergeFunction func(dst, src protoreflect.Message)
+ mergeOptions struct {
+ customMergeFn map[protoreflect.FullName]MergeFunction
+ }
+)
+type OptionFn func(options mergeOptions) mergeOptions
+
+func MergeFunctionOptionFn(name protoreflect.FullName, function MergeFunction) OptionFn {
+ return func(options mergeOptions) mergeOptions {
+ options.customMergeFn[name] = function
+ return options
+ }
+}
+
+// ReplaceMergeFn instead of merging all subfields one by one, takes src and set it to dest
+var ReplaceMergeFn MergeFunction = func(dst, src protoreflect.Message) {
+ dst.Range(func(fd protoreflect.FieldDescriptor, v protoreflect.Value) bool {
+ dst.Clear(fd)
+ return true
+ })
+ src.Range(func(fd protoreflect.FieldDescriptor, v protoreflect.Value) bool {
+ dst.Set(fd, v)
+ return true
+ })
+}
+
+func Merge(dst, src proto.Message) {
+ duration := &durationpb.Duration{}
+ merge(dst, src, MergeFunctionOptionFn(duration.ProtoReflect().Descriptor().FullName(), ReplaceMergeFn))
+}
+
+// Merge Code of proto.Merge with modifications to support custom types
+func merge(dst, src proto.Message, opts ...OptionFn) {
+ mo := mergeOptions{customMergeFn: map[protoreflect.FullName]MergeFunction{}}
+ for _, opt := range opts {
+ mo = opt(mo)
+ }
+ mo.mergeMessage(dst.ProtoReflect(), src.ProtoReflect())
+}
+
+func (o mergeOptions) mergeMessage(dst, src protoreflect.Message) {
+ // The regular proto.mergeMessage would have a fast path method option here.
+ // As we want to have exceptions we always use the slow path.
+ if !dst.IsValid() {
+ panic(fmt.Sprintf("cannot merge into invalid %v message", dst.Descriptor().FullName()))
+ }
+
+ src.Range(func(fd protoreflect.FieldDescriptor, v protoreflect.Value) bool {
+ switch {
+ case fd.IsList():
+ o.mergeList(dst.Mutable(fd).List(), v.List(), fd)
+ case fd.IsMap():
+ o.mergeMap(dst.Mutable(fd).Map(), v.Map(), fd.MapValue())
+ case fd.Message() != nil:
+ mergeFn, exists := o.customMergeFn[fd.Message().FullName()]
+ if exists {
+ mergeFn(dst.Mutable(fd).Message(), v.Message())
+ } else {
+ o.mergeMessage(dst.Mutable(fd).Message(), v.Message())
+ }
+ case fd.Kind() == protoreflect.BytesKind:
+ dst.Set(fd, o.cloneBytes(v))
+ default:
+ dst.Set(fd, v)
+ }
+ return true
+ })
+
+ if len(src.GetUnknown()) > 0 {
+ dst.SetUnknown(append(dst.GetUnknown(), src.GetUnknown()...))
+ }
+}
+
+func (o mergeOptions) mergeList(dst, src protoreflect.List, fd protoreflect.FieldDescriptor) {
+ // Merge semantics appends to the end of the existing list.
+ for i, n := 0, src.Len(); i < n; i++ {
+ switch v := src.Get(i); {
+ case fd.Message() != nil:
+ dstv := dst.NewElement()
+ o.mergeMessage(dstv.Message(), v.Message())
+ dst.Append(dstv)
+ case fd.Kind() == protoreflect.BytesKind:
+ dst.Append(o.cloneBytes(v))
+ default:
+ dst.Append(v)
+ }
+ }
+}
+
+func (o mergeOptions) mergeMap(dst, src protoreflect.Map, fd protoreflect.FieldDescriptor) {
+ // Merge semantics replaces, rather than merges into existing entries.
+ src.Range(func(k protoreflect.MapKey, v protoreflect.Value) bool {
+ switch {
+ case fd.Message() != nil:
+ dstv := dst.NewValue()
+ o.mergeMessage(dstv.Message(), v.Message())
+ dst.Set(k, dstv)
+ case fd.Kind() == protoreflect.BytesKind:
+ dst.Set(k, o.cloneBytes(v))
+ default:
+ dst.Set(k, v)
+ }
+ return true
+ })
+}
+
+func (o mergeOptions) cloneBytes(v protoreflect.Value) protoreflect.Value {
+ return protoreflect.ValueOfBytes(append([]byte{}, v.Bytes()...))
+}
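Review bot: Merge carries no comment explaining why google.protobuf.Duration is the one message that gets ReplaceMergeFn, and the reason is exactly what a maintainer needs: proto.Merge combines Duration field by field, so a base `10s` overridden with `0.250s` keeps seconds=10 from the base and takes nanos=250000000 from the override, yielding 10.25s — a value neither side specified. I would put that above Merge: `// Merge is proto.Merge with one exception: Duration values are replaced wholesale, because merging seconds/nanos independently produces a duration neither side specified.` Timestamp has the same seconds/nanos shape and is not registered; if the bootstrap can ever carry one, add it to the same call. ReplaceMergeFn calls dst.Clear inside dst.Range, which protoreflect permits only for the current field descriptor — that is what the code does, but a one-line comment would stop someone "fixing" it into a bulk clear.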
diff --git a/internal/utils/proto/proto.go b/internal/utils/proto/proto.go
new file mode 100644
index 00000000000..ff05e3a7150
--- /dev/null
+++ b/internal/utils/proto/proto.go
@@ -0,0 +1,40 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+// Copied from https://github.com/kumahq/kuma/tree/9ea78e31147a855ac54a7a2c92c724ee9a75de46/pkg/util/proto
+// to avoid importing the entire kuma codebase breaking our go.mod file
+
+package proto
+
+import (
+ "bytes"
+
+ "github.com/golang/protobuf/jsonpb"
+ protov1 "github.com/golang/protobuf/proto"
+ "google.golang.org/protobuf/proto"
+ "sigs.k8s.io/yaml"
+)
+
+func FromYAML(content []byte, pb proto.Message) error {
+ json, err := yaml.YAMLToJSON(content)
+ if err != nil {
+ return err
+ }
+ return FromJSON(json, pb)
+}
+
+func ToYAML(pb proto.Message) ([]byte, error) {
+ marshaler := &jsonpb.Marshaler{}
+ json, err := marshaler.MarshalToString(protov1.MessageV1(pb))
+ if err != nil {
+ return nil, err
+ }
+ return yaml.JSONToYAML([]byte(json))
+}
+
+func FromJSON(content []byte, out proto.Message) error {
+ unmarshaler := &jsonpb.Unmarshaler{AllowUnknownFields: true}
+ return unmarshaler.Unmarshal(bytes.NewReader(content), protov1.MessageV1(out))
+}
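Review bot: FromJSON sets `AllowUnknownFields: true`, so a misspelled key in whatever YAML is fed through FromYAML (the testdata names suggest user-supplied bootstrap overrides; confirm at the call site) is silently dropped instead of rejected, and for a bootstrap that configures the xDS TLS context and the admin listener a typo in a security-relevant field then degrades to the default with no error. If the input is user-controlled, unknown fields should be an error (`jsonpb.Unmarshaler{}`, or with the v2 API this file already imports `protojson.UnmarshalOptions{DiscardUnknown: false}.Unmarshal(content, out)`), or the leniency should be documented on FromJSON. github.com/golang/protobuf/jsonpb is deprecated in favour of google.golang.org/protobuf/encoding/protojson, which would also remove the MessageV1 shims.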
diff --git a/internal/utils/yaml/yaml.go b/internal/utils/yaml/yaml.go
deleted file mode 100644
index 42e87f97dd5..00000000000
--- a/internal/utils/yaml/yaml.go
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright Envoy Gateway Authors
-// SPDX-License-Identifier: Apache-2.0
-// The full text of the Apache license is available in the LICENSE file at
-// the root of the repo.
-
-package yaml
-
-import (
- "reflect"
-
- "sigs.k8s.io/yaml"
-)
-
-// MergeYAML merges two yaml files. The second yaml file will override the first one if the same key exists.
-// This method can add or override a value within a map, or add a new value to a list.
-// Please note that this method can't override a value within a list.
-func MergeYAML(base, override string) (string, error) {
- // declare two map to hold the yaml content
- map1 := map[string]interface{}{}
- map2 := map[string]interface{}{}
-
- if err := yaml.Unmarshal([]byte(base), &map1); err != nil {
- return "", err
- }
-
- if err := yaml.Unmarshal([]byte(override), &map2); err != nil {
- return "", err
- }
-
- // merge both yaml data recursively
- result := mergeMaps(map1, map2)
-
- out, err := yaml.Marshal(result)
- if err != nil {
- return "", err
- }
- return string(out), nil
-}
-
-func mergeMaps(map1, map2 map[string]interface{}) map[string]interface{} {
- out := make(map[string]interface{}, len(map1))
- for k, v := range map1 {
- out[k] = v
- }
- for k, v := range map2 {
- if v, ok := v.(map[string]interface{}); ok {
- if bv, ok := out[k]; ok {
- if bv, ok := bv.(map[string]interface{}); ok {
- out[k] = mergeMaps(bv, v)
- continue
- }
- }
- }
- value := reflect.ValueOf(v)
- if value.Kind() == reflect.Array || value.Kind() == reflect.Slice {
- out[k] = append(out[k].([]interface{}), v.([]interface{})...)
- } else {
- out[k] = v
- }
- }
- return out
-}
diff --git a/internal/utils/yaml/yaml_test.go b/internal/utils/yaml/yaml_test.go
deleted file mode 100644
index 1ba6c90faed..00000000000
--- a/internal/utils/yaml/yaml_test.go
+++ /dev/null
@@ -1,67 +0,0 @@
-// Copyright Envoy Gateway Authors
-// SPDX-License-Identifier: Apache-2.0
-// The full text of the Apache license is available in the LICENSE file at
-// the root of the repo.
-
-package yaml
-
-import (
- "reflect"
- "testing"
-)
-
-func TestMergeYAML(t *testing.T) {
- tests := []struct {
- name string
- yaml1 string
- yaml2 string
- want string
- }{
- {
- name: "test1",
- yaml1: `
-a: a
-b:
- c:
- d: d
-e:
- f:
- - g
-k:
- l: l
-`,
- yaml2: `
-a: a1
-b:
- c:
- d: d1
-e:
- f:
- - h
-i:
- j: j
-`,
- want: `a: a1
-b:
- c:
- d: d1
-e:
- f:
- - g
- - h
-i:
- j: j
-k:
- l: l
-`,
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- got, _ := MergeYAML(tt.yaml1, tt.yaml2)
- if !reflect.DeepEqual(got, tt.want) {
- t.Errorf("MergeYAML() got = %v, want %v", got, tt.want)
- }
- })
- }
-}
diff --git a/internal/xds/bootstrap/bootstrap_test.go b/internal/xds/bootstrap/bootstrap_test.go
index e57708b95ac..06e8f731d50 100644
--- a/internal/xds/bootstrap/bootstrap_test.go
+++ b/internal/xds/bootstrap/bootstrap_test.go
@@ -87,6 +87,14 @@ func TestGetRenderedBootstrapConfig(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
got, err := GetRenderedBootstrapConfig(tc.proxyMetrics)
require.NoError(t, err)
+
+ if *overrideTestData {
+ // nolint:gosec
+ err = os.WriteFile(path.Join("testdata", "render", fmt.Sprintf("%s.yaml", tc.name)), []byte(got), 0644)
+ require.NoError(t, err)
+ return
+ }
+
expected, err := readTestData(tc.name)
require.NoError(t, err)
assert.Equal(t, expected, got)
@@ -95,7 +103,7 @@ func TestGetRenderedBootstrapConfig(t *testing.T) {
}
func readTestData(caseName string) (string, error) {
- filename := path.Join("testdata", fmt.Sprintf("%s.yaml", caseName))
+ filename := path.Join("testdata", "render", fmt.Sprintf("%s.yaml", caseName))
b, err := os.ReadFile(filename)
if err != nil {
diff --git a/internal/xds/bootstrap/testdata/merge/default.in.yaml b/internal/xds/bootstrap/testdata/merge/default.in.yaml
new file mode 100644
index 00000000000..0f6069e27d5
--- /dev/null
+++ b/internal/xds/bootstrap/testdata/merge/default.in.yaml
@@ -0,0 +1,13 @@
+admin:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 20000
+layered_runtime:
+ layers:
+ - name: runtime-0
+ rtds_layer:
+ rtds_config:
+ ads: {}
+ resource_api_version: V3
+ name: runtime-0
diff --git a/internal/xds/bootstrap/testdata/merge/default.out.yaml b/internal/xds/bootstrap/testdata/merge/default.out.yaml
new file mode 100644
index 00000000000..d386f8c5bdb
--- /dev/null
+++ b/internal/xds/bootstrap/testdata/merge/default.out.yaml
@@ -0,0 +1,127 @@
+admin:
+ accessLog:
+ - name: envoy.access_loggers.file
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socketAddress:
+ address: 127.0.0.1
+ portValue: 20000
+dynamicResources:
+ adsConfig:
+ apiType: DELTA_GRPC
+ grpcServices:
+ - envoyGrpc:
+ clusterName: xds_cluster
+ setNodeOnFirstMessageOnly: true
+ transportApiVersion: V3
+ cdsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ ldsConfig:
+ ads: {}
+ resourceApiVersion: V3
+layeredRuntime:
+ layers:
+ - name: global_config
+ staticLayer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ - name: runtime-0
+ rtdsLayer:
+ name: runtime-0
+ rtdsConfig:
+ ads: {}
+ resourceApiVersion: V3
+staticResources:
+ clusters:
+ - connectTimeout: 0.250s
+ loadAssignment:
+ clusterName: prometheus_stats
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 127.0.0.1
+ portValue: 19000
+ name: prometheus_stats
+ type: STATIC
+ - connectTimeout: 10s
+ loadAssignment:
+ clusterName: xds_cluster
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: envoy-gateway
+ portValue: 18000
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ name: xds_cluster
+ transportSocket:
+ name: envoy.transport_sockets.tls
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ commonTlsContext:
+ tlsCertificateSdsSecretConfigs:
+ - name: xds_certificate
+ sdsConfig:
+ pathConfigSource:
+ path: /sds/xds-certificate.json
+ resourceApiVersion: V3
+ tlsParams:
+ tlsMaximumProtocolVersion: TLSv1_3
+ validationContextSdsSecretConfig:
+ name: xds_trusted_ca
+ sdsConfig:
+ pathConfigSource:
+ path: /sds/xds-trusted-ca.json
+ resourceApiVersion: V3
+ type: STRICT_DNS
+ typedExtensionProtocolOptions:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicitHttpConfig:
+ http2ProtocolOptions:
+ connectionKeepalive:
+ interval: 30s
+ timeout: 5s
+ listeners:
+ - address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 19001
+ filterChains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ httpFilters:
+ - name: envoy.filters.http.health_check
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ headers:
+ - name: :path
+ stringMatch:
+ exact: /ready
+ passThroughMode: false
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ routeConfig:
+ name: local_route
+ virtualHosts:
+ - domains:
+ - '*'
+ name: prometheus_stats
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ statPrefix: eg-ready-http
+ name: envoy-gateway-proxy-ready-0.0.0.0-19001
diff --git a/internal/xds/bootstrap/testdata/merge/stats_sinks.in.yaml b/internal/xds/bootstrap/testdata/merge/stats_sinks.in.yaml
new file mode 100644
index 00000000000..8b4f9363f91
--- /dev/null
+++ b/internal/xds/bootstrap/testdata/merge/stats_sinks.in.yaml
@@ -0,0 +1,34 @@
+stats_sinks:
+ - name: envoy.stat_sinks.metrics_service
+ typed_config:
+ "@type": type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig
+ transport_api_version: V3
+ grpc_service:
+ envoy_grpc:
+ cluster_name: metrics_cluster
+static_resources:
+ clusters:
+ - connect_timeout: 1s
+ dns_lookup_family: V4_ONLY
+ dns_refresh_rate: 30s
+ lb_policy: ROUND_ROBIN
+ typed_extension_protocol_options:
+ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions":
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ load_assignment:
+ cluster_name: metrics_cluster
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: skywalking-oap.skywalking
+ portValue: 11800
+ name: metrics_cluster
+ respect_dns_ttl: true
+ type: STRICT_DNS
diff --git a/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml
new file mode 100644
index 00000000000..2471257d4c3
--- /dev/null
+++ b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml
@@ -0,0 +1,152 @@
+admin:
+ accessLog:
+ - name: envoy.access_loggers.file
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socketAddress:
+ address: 127.0.0.1
+ portValue: 19000
+dynamicResources:
+ adsConfig:
+ apiType: DELTA_GRPC
+ grpcServices:
+ - envoyGrpc:
+ clusterName: xds_cluster
+ setNodeOnFirstMessageOnly: true
+ transportApiVersion: V3
+ cdsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ ldsConfig:
+ ads: {}
+ resourceApiVersion: V3
+layeredRuntime:
+ layers:
+ - name: global_config
+ staticLayer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+staticResources:
+ clusters:
+ - connectTimeout: 0.250s
+ loadAssignment:
+ clusterName: prometheus_stats
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 127.0.0.1
+ portValue: 19000
+ name: prometheus_stats
+ type: STATIC
+ - connectTimeout: 10s
+ loadAssignment:
+ clusterName: xds_cluster
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: envoy-gateway
+ portValue: 18000
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ name: xds_cluster
+ transportSocket:
+ name: envoy.transport_sockets.tls
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ commonTlsContext:
+ tlsCertificateSdsSecretConfigs:
+ - name: xds_certificate
+ sdsConfig:
+ pathConfigSource:
+ path: /sds/xds-certificate.json
+ resourceApiVersion: V3
+ tlsParams:
+ tlsMaximumProtocolVersion: TLSv1_3
+ validationContextSdsSecretConfig:
+ name: xds_trusted_ca
+ sdsConfig:
+ pathConfigSource:
+ path: /sds/xds-trusted-ca.json
+ resourceApiVersion: V3
+ type: STRICT_DNS
+ typedExtensionProtocolOptions:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicitHttpConfig:
+ http2ProtocolOptions:
+ connectionKeepalive:
+ interval: 30s
+ timeout: 5s
+ - connectTimeout: 1s
+ dnsLookupFamily: V4_ONLY
+ dnsRefreshRate: 30s
+ loadAssignment:
+ clusterName: metrics_cluster
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: skywalking-oap.skywalking
+ portValue: 11800
+ name: metrics_cluster
+ respectDnsTtl: true
+ type: STRICT_DNS
+ typedExtensionProtocolOptions:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicitHttpConfig:
+ http2ProtocolOptions:
+ connectionKeepalive:
+ interval: 30s
+ timeout: 5s
+ listeners:
+ - address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 19001
+ filterChains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ httpFilters:
+ - name: envoy.filters.http.health_check
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ headers:
+ - name: :path
+ stringMatch:
+ exact: /ready
+ passThroughMode: false
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ routeConfig:
+ name: local_route
+ virtualHosts:
+ - domains:
+ - '*'
+ name: prometheus_stats
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ statPrefix: eg-ready-http
+ name: envoy-gateway-proxy-ready-0.0.0.0-19001
+statsSinks:
+- name: envoy.stat_sinks.metrics_service
+ typedConfig:
+ '@type': type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig
+ grpcService:
+ envoyGrpc:
+ clusterName: metrics_cluster
+ transportApiVersion: V3
diff --git a/internal/xds/bootstrap/testdata/custom-stats-matcher.yaml b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml
similarity index 100%
rename from internal/xds/bootstrap/testdata/custom-stats-matcher.yaml
rename to internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml
diff --git a/internal/xds/bootstrap/testdata/disable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml
similarity index 100%
rename from internal/xds/bootstrap/testdata/disable-prometheus.yaml
rename to internal/xds/bootstrap/testdata/render/disable-prometheus.yaml
diff --git a/internal/xds/bootstrap/testdata/enable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml
similarity index 100%
rename from internal/xds/bootstrap/testdata/enable-prometheus.yaml
rename to internal/xds/bootstrap/testdata/render/enable-prometheus.yaml
diff --git a/internal/xds/bootstrap/testdata/otel-metrics.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml
similarity index 100%
rename from internal/xds/bootstrap/testdata/otel-metrics.yaml
rename to internal/xds/bootstrap/testdata/render/otel-metrics.yaml
diff --git a/internal/xds/bootstrap/util.go b/internal/xds/bootstrap/util.go
index ca0ffbfa3e8..e00294e2715 100644
--- a/internal/xds/bootstrap/util.go
+++ b/internal/xds/bootstrap/util.go
@@ -6,15 +6,20 @@
package bootstrap
import (
+ "fmt"
+
+ bootstrapv3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3"
+
egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
- yamlutils "github.com/envoyproxy/gateway/internal/utils/yaml"
+ "github.com/envoyproxy/gateway/internal/utils/proto"
+ _ "github.com/envoyproxy/gateway/internal/xds/extensions" // DON'T REMOVE: import of all extensions
)
// ApplyBootstrapConfig applies the bootstrap config to the default bootstrap config and return the result config.
func ApplyBootstrapConfig(boostrapConfig *egv1a1.ProxyBootstrap, defaultBootstrap string) (string, error) {
bootstrapType := boostrapConfig.Type
if bootstrapType != nil && *bootstrapType == egv1a1.BootstrapTypeMerge {
- mergedBootstrap, err := yamlutils.MergeYAML(defaultBootstrap, boostrapConfig.Value)
+ mergedBootstrap, err := mergeBootstrap(defaultBootstrap, boostrapConfig.Value)
if err != nil {
return "", err
}
@@ -22,3 +27,28 @@ func ApplyBootstrapConfig(boostrapConfig *egv1a1.ProxyBootstrap, defaultBootstra
}
return boostrapConfig.Value, nil
}
+
+func mergeBootstrap(base, override string) (string, error) {
+ dst := &bootstrapv3.Bootstrap{}
+ if err := proto.FromYAML([]byte(base), dst); err != nil {
+ return "", fmt.Errorf("failed to parse default bootstrap config: %w", err)
+ }
+
+ src := &bootstrapv3.Bootstrap{}
+ if err := proto.FromYAML([]byte(override), src); err != nil {
+ return "", fmt.Errorf("failed to parse override bootstrap config: %w", err)
+ }
+
+ proto.Merge(dst, src)
+
+ if err := dst.Validate(); err != nil {
+ return "", fmt.Errorf("failed to validate merged bootstrap config: %w", err)
+ }
+
+ data, err := proto.ToYAML(dst)
+ if err != nil {
+ return "", fmt.Errorf("failed to convert proto message to YAML: %w", err)
+ }
+
+ return string(data), nil
+}
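Review bot: `mergeBootstrap` has no doc comment, and the one thing a caller needs to know about it is not obvious from the body: `proto.Merge` appends repeated fields instead of replacing them, so an override that lists `static_resources.clusters`, `listeners` or `stats_sinks` adds entries next to the defaults (the new stats_sinks.out.yaml fixture shows `metrics_cluster` appended as a third cluster) and can never replace or remove the default `xds_cluster`. Two clusters with the same name would also survive `dst.Validate()` if that is only the generated field-constraint check, and be rejected by Envoy at startup instead. A comment that states the contract would spare the next reader a surprise, e.g. `// mergeBootstrap overlays override onto base with proto.Merge semantics: scalar and message fields from override win, repeated fields (clusters, listeners, stats sinks) are appended, never replaced.` This assumes `proto.Merge` wraps the protobuf library's Merge — confirm against the internal/utils/proto package.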
diff --git a/internal/xds/bootstrap/util_test.go b/internal/xds/bootstrap/util_test.go
new file mode 100644
index 00000000000..b0d27460093
--- /dev/null
+++ b/internal/xds/bootstrap/util_test.go
@@ -0,0 +1,78 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package bootstrap
+
+import (
+ "flag"
+ "fmt"
+ "os"
+ "path"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ "k8s.io/utils/ptr"
+
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+)
+
+var (
+ overrideTestData = flag.Bool("override-testdata", false, "if override the test output data.")
+)
+
+func TestApplyBootstrapConfig(t *testing.T) {
+ str, _ := readTestData("enable-prometheus")
+ cases := []struct {
+ name string
+ boostrapConfig *egv1a1.ProxyBootstrap
+ defaultBootstrap string
+ }{
+ {
+ name: "default",
+ boostrapConfig: &egv1a1.ProxyBootstrap{
+ Type: ptr.To(egv1a1.BootstrapTypeMerge),
+ },
+ defaultBootstrap: str,
+ },
+ {
+ name: "stats_sinks",
+ boostrapConfig: &egv1a1.ProxyBootstrap{
+ Type: ptr.To(egv1a1.BootstrapTypeMerge),
+ },
+ defaultBootstrap: str,
+ },
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.name, func(t *testing.T) {
+ in, err := loadData(tc.name, "in")
+ require.NoError(t, err)
+
+ tc.boostrapConfig.Value = in
+ data, err := ApplyBootstrapConfig(tc.boostrapConfig, tc.defaultBootstrap)
+ require.NoError(t, err)
+
+ if *overrideTestData {
+ // nolint:gosec
+ err = os.WriteFile(path.Join("testdata", "merge", fmt.Sprintf("%s.out.yaml", tc.name)), []byte(data), 0644)
+ require.NoError(t, err)
+ return
+ }
+
+ expected, err := loadData(tc.name, "out")
+ require.NoError(t, err)
+ require.Equal(t, expected, data)
+ })
+ }
+}
+
+func loadData(caseName string, inOrOut string) (string, error) {
+ filename := path.Join("testdata", "merge", fmt.Sprintf("%s.%s.yaml", caseName, inOrOut))
+ b, err := os.ReadFile(filename)
+ if err != nil {
+ return "", err
+ }
+ return string(b), nil
+}
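Review bot: The `str, _ := readTestData("enable-prometheus")` line discards the fixture-loading error, so a missing or unreadable default-bootstrap fixture silently turns `defaultBootstrap` into an empty string and the cases then compare an empty-base merge against the `.out.yaml` files instead of failing where the problem is. Since `t` is in scope there, `str, err := readTestData("enable-prometheus")` followed by `require.NoError(t, err)` pins the precondition; `readTestData` is not defined in this diff, so its two-value return is inferred from the call. As a minor point, `loadData` and the override branch build OS paths with `path.Join`; `filepath.Join` is the conventional choice for filesystem paths even though it makes no difference on Linux CI.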
diff --git a/internal/xds/translator/basicauth.go b/internal/xds/translator/basicauth.go
index c9658cfe82b..6ae7b9163e5 100644
--- a/internal/xds/translator/basicauth.go
+++ b/internal/xds/translator/basicauth.go
@@ -60,7 +60,7 @@ func (*basicAuth) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTP
mgr.HttpFilters = append(mgr.HttpFilters, filter)
}
- return nil
+ return errs
}
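Review bot: Returning `errs` here changes `patchHCM` into a partial-success function: by the time it returns, every filter it managed to build has already been appended to `mgr.HttpFilters`, so a non-nil error no longer means "nothing was applied" (the loop that accumulates `errs` is above the hunk and not visible, so that part is inferred). Callers need to know this, and the same change is made in extauth.go and oidc.go in this commit. A one-line comment on the return would record the contract, e.g. `// errs aggregates per-route failures; filters for the routes that succeeded are already in mgr.HttpFilters.`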
// buildHCMBasicAuthFilter returns a basic_auth HTTP filter from the provided IR HTTPRoute.
diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go
index 3b2dee97941..761a81e87f9 100644
--- a/internal/xds/translator/cluster.go
+++ b/internal/xds/translator/cluster.go
@@ -144,9 +144,9 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster {
cluster.OutlierDetection = buildXdsOutlierDetection(args.healthCheck.Passive)
}
- if args.circuitBreaker != nil {
- cluster.CircuitBreakers = buildXdsClusterCircuitBreaker(args.circuitBreaker)
- }
+
+ cluster.CircuitBreakers = buildXdsClusterCircuitBreaker(args.circuitBreaker)
+
if args.tcpkeepalive != nil {
cluster.UpstreamConnectionOptions = buildXdsClusterUpstreamOptions(args.tcpkeepalive)
}
@@ -272,25 +272,38 @@ func buildHealthCheckPayload(irLoad *ir.HealthCheckPayload) *corev3.HealthCheck_
}
func buildXdsClusterCircuitBreaker(circuitBreaker *ir.CircuitBreaker) *clusterv3.CircuitBreakers {
+ // Always allow the same amount of retries as regular requests to handle surges in retries
+ // related to pod restarts
cbt := &clusterv3.CircuitBreakers_Thresholds{
Priority: corev3.RoutingPriority_DEFAULT,
+ MaxRetries: &wrapperspb.UInt32Value{
+ Value: uint32(1024),
+ },
}
- if circuitBreaker.MaxConnections != nil {
- cbt.MaxConnections = &wrapperspb.UInt32Value{
- Value: *circuitBreaker.MaxConnections,
+ if circuitBreaker != nil {
+ if circuitBreaker.MaxConnections != nil {
+ cbt.MaxConnections = &wrapperspb.UInt32Value{
+ Value: *circuitBreaker.MaxConnections,
+ }
}
- }
- if circuitBreaker.MaxPendingRequests != nil {
- cbt.MaxPendingRequests = &wrapperspb.UInt32Value{
- Value: *circuitBreaker.MaxPendingRequests,
+ if circuitBreaker.MaxPendingRequests != nil {
+ cbt.MaxPendingRequests = &wrapperspb.UInt32Value{
+ Value: *circuitBreaker.MaxPendingRequests,
+ }
+ }
+
+ if circuitBreaker.MaxParallelRequests != nil {
+ cbt.MaxRequests = &wrapperspb.UInt32Value{
+ Value: *circuitBreaker.MaxParallelRequests,
+ }
}
- }
- if circuitBreaker.MaxParallelRequests != nil {
- cbt.MaxRequests = &wrapperspb.UInt32Value{
- Value: *circuitBreaker.MaxParallelRequests,
+ if circuitBreaker.MaxParallelRetries != nil {
+ cbt.MaxRetries = &wrapperspb.UInt32Value{
+ Value: *circuitBreaker.MaxParallelRetries,
+ }
}
}
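Review bot: The new comment says retries are allowed "the same amount as regular requests", but the value is a literal `1024` that is not tied to `MaxParallelRequests`: when a user sets `maxParallelRequests: 1` the retry budget stays at 1024 unless `maxParallelRetries` is also given, so the comment and the code disagree. Either derive the default from the request limit or reword the comment to say it mirrors Envoy's own default `max_requests` (1024, to my knowledge) rather than the user's value, and give the literal a name alongside the translator's other defaults, e.g. `MaxRetries: &wrapperspb.UInt32Value{Value: defaultMaxParallelRetries}` with `const defaultMaxParallelRetries = 1024` at package level. The function's closing `return` lies outside the hunk.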
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index 57536a3c20d..f67191da3e0 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -64,7 +64,7 @@ func (*extAuth) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPLi
mgr.HttpFilters = append(mgr.HttpFilters, filter)
}
- return nil
+ return errs
}
// buildHCMExtAuthFilter returns an ext_authz HTTP filter from the provided IR HTTPRoute.
@@ -93,7 +93,10 @@ func extAuthFilterName(route *ir.HTTPRoute) string {
}
func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
- config := &extauthv3.ExtAuthz{}
+ config := &extauthv3.ExtAuthz{
+ TransportApiVersion: corev3.ApiVersion_V3,
+ FailureModeAllow: false,
+ }
var headersToExtAuth []*matcherv3.StringMatcher
for _, header := range extAuth.HeadersToExtAuth {
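Review bot: `FailureModeAllow: false` is the proto zero value, so writing it out only documents intent — which is worth keeping, because a fail-open ext_authz filter would let every request through whenever the authorization service is unreachable, and the explicit field is the only thing stopping a later edit from flipping it casually. A short comment would make the deliberate fail-closed choice survive future edits: `FailureModeAllow: false, // fail closed: deny requests when the ext_authz service is unavailable`. `extAuthConfig` continues past the hunk.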
@@ -134,6 +137,7 @@ func httpService(http *ir.HTTPExtAuthService) *extauthv3.HttpService {
var (
uri string
headersToBackend []*matcherv3.StringMatcher
+ service = new(extauthv3.HttpService)
)
u := url.URL{
@@ -146,6 +150,16 @@ func httpService(http *ir.HTTPExtAuthService) *extauthv3.HttpService {
}
uri = u.String()
+ service.ServerUri = &corev3.HttpUri{
+ Uri: uri,
+ HttpUpstreamType: &corev3.HttpUri_Cluster{
+ Cluster: http.Destination.Name,
+ },
+ Timeout: &duration.Duration{
+ Seconds: defaultExtServiceRequestTimeout,
+ },
+ }
+
for _, header := range http.HeadersToBackend {
headersToBackend = append(headersToBackend, &matcherv3.StringMatcher{
MatchPattern: &matcherv3.StringMatcher_Exact{
@@ -154,22 +168,15 @@ func httpService(http *ir.HTTPExtAuthService) *extauthv3.HttpService {
})
}
- return &extauthv3.HttpService{
- ServerUri: &corev3.HttpUri{
- Uri: uri,
- HttpUpstreamType: &corev3.HttpUri_Cluster{
- Cluster: http.Destination.Name,
- },
- Timeout: &duration.Duration{
- Seconds: defaultExtServiceRequestTimeout,
- },
- },
- AuthorizationResponse: &extauthv3.AuthorizationResponse{
+ if len(headersToBackend) > 0 {
+ service.AuthorizationResponse = &extauthv3.AuthorizationResponse{
AllowedUpstreamHeaders: &matcherv3.ListStringMatcher{
Patterns: headersToBackend,
},
- },
+ }
}
+
+ return service
}
func grpcService(grpc *ir.GRPCExtAuthService) *corev3.GrpcService_EnvoyGrpc {
diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
index 55c4005064b..1fa26376d92 100644
--- a/internal/xds/translator/jwt.go
+++ b/internal/xds/translator/jwt.go
@@ -109,7 +109,7 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
for i := range route.JWT.Providers {
irProvider := route.JWT.Providers[i]
// Create the cluster for the remote jwks, if it doesn't exist.
- jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI, false)
+ jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI)
if err != nil {
return nil, err
}
@@ -270,7 +270,7 @@ func (*jwt) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRo
)
provider := route.JWT.Providers[i]
- jwks, err = url2Cluster(provider.RemoteJWKS.URI, false)
+ jwks, err = url2Cluster(provider.RemoteJWKS.URI)
if err != nil {
errs = errors.Join(errs, err)
continue
diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
index d9a65deaf87..58b417f2441 100644
--- a/internal/xds/translator/oidc.go
+++ b/internal/xds/translator/oidc.go
@@ -6,7 +6,6 @@
package translator
import (
- "crypto/rand"
"errors"
"fmt"
@@ -66,7 +65,7 @@ func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListe
mgr.HttpFilters = append(mgr.HttpFilters, filter)
}
- return nil
+ return errs
}
// buildHCMOAuth2Filter returns an OAuth2 HTTP filter from the provided IR HTTPRoute.
@@ -99,7 +98,7 @@ func oauth2FilterName(route *ir.HTTPRoute) string {
}
func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) {
- cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
+ cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint)
if err != nil {
return nil, err
}
@@ -215,7 +214,7 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable,
err error
)
- cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
+ cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint)
if err != nil {
errs = errors.Join(errs, err)
continue
@@ -231,13 +230,6 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable,
continue
}
- // TODO huabing: add support for custom CA and client certificate.
- tSocket, err = buildXdsUpstreamTLSSocket(cluster.hostname)
- if err != nil {
- errs = errors.Join(errs, err)
- continue
- }
-
ds = &ir.DestinationSetting{
Weight: ptr.To[uint32](1),
Endpoints: []*ir.DestinationEndpoint{ir.NewDestEndpoint(
@@ -246,12 +238,22 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable,
},
}
- if err = addXdsCluster(tCtx, &xdsClusterArgs{
+ clusterArgs := &xdsClusterArgs{
name: cluster.name,
settings: []*ir.DestinationSetting{ds},
tSocket: tSocket,
endpointType: cluster.endpointType,
- }); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+ }
+ if cluster.tls {
+ tSocket, err = buildXdsUpstreamTLSSocket(cluster.hostname)
+ if err != nil {
+ errs = errors.Join(errs, err)
+ continue
+ }
+ clusterArgs.tSocket = tSocket
+ }
+
+ if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) {
errs = errors.Join(errs, err)
}
}
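Review bot: TLS on the token-endpoint cluster is now gated on `cluster.tls`, so a `TokenEndpoint` with an `http://` scheme gets a plaintext upstream and the OAuth2 filter will then send the client secret and authorization code to it unencrypted; the removed code always built the TLS socket, so this is a new possibility. Whether an `http://` token endpoint is already rejected at the API layer is not visible in this diff — if it is not, this is the place to refuse it, and if it is, the dependency should be stated here: `// cluster.tls is false only for http:// endpoints; API validation is expected to reject those for OIDC token endpoints.` `tSocket` is declared above the hunk and `createOAuth2TokenEndpointClusters` continues beyond it.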
@@ -276,11 +278,7 @@ func createOAuth2Secrets(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRout
errs = errors.Join(errs, err)
}
- hmacSecret, err := buildOAuth2HMACSecret(route)
- if err != nil {
- errs = errors.Join(errs, err)
- }
- if err := addXdsSecret(tCtx, hmacSecret); err != nil {
+ if err := addXdsSecret(tCtx, buildOAuth2HMACSecret(route)); err != nil {
errs = errors.Join(errs, err)
}
}
@@ -305,25 +303,21 @@ func buildOAuth2ClientSecret(route *ir.HTTPRoute) *tlsv3.Secret {
return clientSecret
}
-func buildOAuth2HMACSecret(route *ir.HTTPRoute) (*tlsv3.Secret, error) {
- hmac, err := generateHMACSecretKey()
- if err != nil {
- return nil, fmt.Errorf("failed to generate hmack secret key: %w", err)
- }
+func buildOAuth2HMACSecret(route *ir.HTTPRoute) *tlsv3.Secret {
hmacSecret := &tlsv3.Secret{
Name: oauth2HMACSecretName(route),
Type: &tlsv3.Secret_GenericSecret{
GenericSecret: &tlsv3.GenericSecret{
Secret: &corev3.DataSource{
Specifier: &corev3.DataSource_InlineBytes{
- InlineBytes: hmac,
+ InlineBytes: route.OIDC.HMACSecret,
},
},
},
},
}
- return hmacSecret, nil
+ return hmacSecret
}
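Review bot: `buildOAuth2HMACSecret` now copies `route.OIDC.HMACSecret` into the inline secret without looking at it, so a nil or empty slice from the IR yields a generic secret with empty bytes as the OAuth2 filter's cookie-HMAC key; the old version generated 32 random bytes in place and could not reach that state. The function has dropped its error return, so the guard belongs wherever the key is now produced (outside this diff) — a comment here would record which side owns the check, e.g. `// route.OIDC.HMACSecret is generated and validated non-empty upstream of the xDS translator.`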
func oauth2ClientSecretName(route *ir.HTTPRoute) string {
@@ -334,22 +328,6 @@ func oauth2HMACSecretName(route *ir.HTTPRoute) string {
return fmt.Sprintf("%s/oauth2/hmac_secret", route.Name)
}
-func generateHMACSecretKey() ([]byte, error) {
- // Set the desired length of the secret key in bytes
- keyLength := 32
-
- // Create a byte slice to hold the random bytes
- key := make([]byte, keyLength)
-
- // Read random bytes from the cryptographically secure random number generator
- _, err := rand.Read(key)
- if err != nil {
- return nil, err
- }
-
- return key, nil
-}
-
// patchRoute patches the provided route with the oauth2 config if applicable.
// Note: this method enables the corresponding oauth2 filter for the provided route.
func (*oidc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go
index 07336fa48ee..22654bc8c45 100644
--- a/internal/xds/translator/route.go
+++ b/internal/xds/translator/route.go
@@ -10,8 +10,11 @@ import (
"strings"
"time"
+ "github.com/envoyproxy/gateway/internal/utils/protocov"
+
corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ previoushost "github.com/envoyproxy/go-control-plane/envoy/extensions/retry/host/previous_hosts/v3"
matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
"google.golang.org/protobuf/types/known/durationpb"
"google.golang.org/protobuf/types/known/wrapperspb"
@@ -427,6 +430,15 @@ func buildRetryPolicy(route *ir.HTTPRoute) (*routev3.RetryPolicy, error) {
RetryOn: retryDefaultRetryOn,
RetriableStatusCodes: []uint32{retryDefaultRetriableStatusCode},
NumRetries: &wrapperspb.UInt32Value{Value: retryDefaultNumRetries},
+ RetryHostPredicate: []*routev3.RetryPolicy_RetryHostPredicate{
+ {
+ Name: "envoy.retry_host_predicates.previous_hosts",
+ ConfigType: &routev3.RetryPolicy_RetryHostPredicate_TypedConfig{
+ TypedConfig: protocov.ToAny(&previoushost.PreviousHostsPredicate{}),
+ },
+ },
+ },
+ HostSelectionRetryMaxAttempts: 5,
}
if rr.NumRetries != nil {
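Review bot: `HostSelectionRetryMaxAttempts: 5` is an inlined literal while the neighbouring fields use the `retryDefault*` constants (`retryDefaultRetryOn`, `retryDefaultRetriableStatusCode`, `retryDefaultNumRetries`), so the new default is the only one a reader cannot find in the same place as the others. Declaring `const retryDefaultHostSelectionRetryMaxAttempts = 5` next to them and using it here, with a comment on why five host-selection attempts paired with the `previous_hosts` predicate is the chosen default, keeps the file consistent. `buildRetryPolicy` starts before this hunk.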
@@ -494,7 +506,7 @@ func buildRetryOn(triggers []ir.TriggerEnum) (string, error) {
lookup := map[ir.TriggerEnum]string{
ir.Error5XX: "5xx",
ir.GatewayError: "gateway-error",
- ir.DisconnectRest: "disconnect-reset",
+ ir.Reset: "reset",
ir.ConnectFailure: "connect-failure",
ir.Retriable4XX: "retriable-4xx",
ir.RefusedStream: "refused-stream",
diff --git a/internal/xds/translator/runner/runner.go b/internal/xds/translator/runner/runner.go
index bae2a9fe939..114b00b4550 100644
--- a/internal/xds/translator/runner/runner.go
+++ b/internal/xds/translator/runner/runner.go
@@ -90,6 +90,14 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
return
}
+ // Get all status keys from watchable and save them in the map statusesToDelete.
+ // Iterating through result.EnvoyPatchPolicyStatuses, any valid keys will be removed from statusesToDelete.
+ // Remaining keys will be deleted from watchable before we exit this function.
+ statusesToDelete := make(map[ktypes.NamespacedName]bool)
+ for key := range r.ProviderResources.EnvoyPatchPolicyStatuses.LoadAll() {
+ statusesToDelete[key] = true
+ }
+
// Publish EnvoyPatchPolicyStatus
for _, e := range result.EnvoyPatchPolicyStatuses {
key := ktypes.NamespacedName{
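Review bot: `statusesToDelete` is used purely as a set — the boolean value is written and never read — so `map[ktypes.NamespacedName]struct{}` with `statusesToDelete[key] = struct{}{}` states that directly and is the usual Go idiom. The leading comment also promises that remaining keys are deleted "before we exit this function", whereas the delete loop in the following hunk runs at the end of each message handled inside what looks like a subscription callback (the `},` / `)` closing it are visible); "before this callback returns" would describe it more precisely. The enclosing `subscribeAndTranslate` starts outside the hunk.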
@@ -97,12 +105,18 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
Namespace: e.Namespace,
}
r.ProviderResources.EnvoyPatchPolicyStatuses.Store(key, e.Status)
+ delete(statusesToDelete, key)
}
// Discard the EnvoyPatchPolicyStatuses to reduce memory footprint
result.EnvoyPatchPolicyStatuses = nil
// Publish
r.Xds.Store(key, result)
+
+ // Delete all the deletable status keys
+ for key := range statusesToDelete {
+ r.ProviderResources.EnvoyPatchPolicyStatuses.Delete(key)
+ }
}
},
)
diff --git a/internal/xds/translator/runner/runner_test.go b/internal/xds/translator/runner/runner_test.go
index ab8a2c65e78..9f3d7035bd6 100644
--- a/internal/xds/translator/runner/runner_test.go
+++ b/internal/xds/translator/runner/runner_test.go
@@ -27,12 +27,14 @@ func TestRunner(t *testing.T) {
// Setup
xdsIR := new(message.XdsIR)
xds := new(message.Xds)
+ pResource := new(message.ProviderResources)
cfg, err := config.New()
require.NoError(t, err)
r := New(&Config{
- Server: *cfg,
- XdsIR: xdsIR,
- Xds: xds,
+ Server: *cfg,
+ ProviderResources: pResource,
+ XdsIR: xdsIR,
+ Xds: xds,
})
ctx := context.Background()
@@ -103,13 +105,16 @@ func TestRunner_withExtensionManager(t *testing.T) {
// Setup
xdsIR := new(message.XdsIR)
xds := new(message.Xds)
+ pResource := new(message.ProviderResources)
+
cfg, err := config.New()
require.NoError(t, err)
r := New(&Config{
- Server: *cfg,
- XdsIR: xdsIR,
- Xds: xds,
- ExtensionManager: &extManagerMock{},
+ Server: *cfg,
+ ProviderResources: pResource,
+ XdsIR: xdsIR,
+ Xds: xds,
+ ExtensionManager: &extManagerMock{},
})
ctx := context.Background()
diff --git a/internal/xds/translator/testdata/in/xds-ir/circuit-breaker.yaml b/internal/xds/translator/testdata/in/xds-ir/circuit-breaker.yaml
index cb693fc583e..a63297e264c 100644
--- a/internal/xds/translator/testdata/in/xds-ir/circuit-breaker.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/circuit-breaker.yaml
@@ -14,6 +14,7 @@ http:
maxConnections: 1
maxPendingRequests: 1
maxParallelRequests: 1
+ maxParallelRetries: 2
maxRequestsPerConnection: 10
destination:
name: "first-route-dest"
diff --git a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml
index a634af2ef8f..ca5f9c0a1c8 100644
--- a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml
@@ -27,6 +27,10 @@ http:
baseEjectionTime: 180s
interval: 2s
maxEjectionPercent: 100
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ splitExternalLocalOriginErrors: false
destination:
name: "first-route-dest"
settings:
@@ -52,6 +56,10 @@ http:
baseEjectionTime: 180s
interval: 1s
maxEjectionPercent: 100
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ splitExternalLocalOriginErrors: false
destination:
name: "second-route-dest"
settings:
@@ -75,6 +83,10 @@ http:
baseEjectionTime: 160s
interval: 1s
maxEjectionPercent: 100
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ splitExternalLocalOriginErrors: false
destination:
name: "third-route-dest"
settings:
@@ -98,6 +110,10 @@ http:
baseEjectionTime: 180s
interval: 1s
maxEjectionPercent: 90
+ consecutive5XxErrors: 5
+ consecutiveGatewayErrors: 0
+ consecutiveLocalOriginFailures: 5
+ splitExternalLocalOriginErrors: true
destination:
name: "fourth-route-dest"
settings:
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-with-tls-system-truststore.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-with-tls-system-truststore.yaml
new file mode 100644
index 00000000000..3cc0e5e8766
--- /dev/null
+++ b/internal/xds/translator/testdata/in/xds-ir/http-route-with-tls-system-truststore.yaml
@@ -0,0 +1,32 @@
+http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-btls/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/envoy-gateway/httproute-btls/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 10.244.0.11
+ port: 8080
+ protocol: HTTP
+ tls:
+ sni: example.com
+ useSystemTrustStore: true
+ weight: 1
+ hostname: '*'
+ name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ exact: /exact
+ name: ""
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-with-tlsbundle.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-with-tlsbundle.yaml
new file mode 100644
index 00000000000..e28cd14d655
--- /dev/null
+++ b/internal/xds/translator/testdata/in/xds-ir/http-route-with-tlsbundle.yaml
@@ -0,0 +1,34 @@
+http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-btls/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/envoy-gateway/httproute-btls/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 10.244.0.11
+ port: 8080
+ protocol: HTTP
+ tls:
+ CACertificate:
+ certificate: 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
+ name: policy-btls/policies-ca
+ SNI: example.com
+ weight: 1
+ hostname: '*'
+ name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ exact: /exact
+ name: ""
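Review bot: This fixture spells the TLS keys as `CACertificate:` and `SNI:`, while the sibling `http-route-with-tls-system-truststore.yaml` added in the same commit writes `sni:` and `useSystemTrustStore:`, so the two files disagree on the casing of the same IR field. Go's JSON decoding matches struct field names case-insensitively, which is presumably why both load, but the fixtures should use one canonical casing so a stricter decoder or a grep for `sni` does not miss one of them; lower-camel `sni:` and `caCertificate:` would follow the other fixture, assuming that is the IR's canonical form.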
diff --git a/internal/xds/translator/testdata/in/xds-ir/retry-partial-invalid.yaml b/internal/xds/translator/testdata/in/xds-ir/retry-partial-invalid.yaml
index 794df92c7f6..7f5938fd64d 100644
--- a/internal/xds/translator/testdata/in/xds-ir/retry-partial-invalid.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/retry-partial-invalid.yaml
@@ -17,6 +17,7 @@ http:
- 429
- 503
triggers:
+ - reset
- connect-failure
- retriable-status-codes
perRetry:
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml
index fc88cebd59b..45f45f5c9bf 100644
--- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml
+++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml
index fc88cebd59b..45f45f5c9bf 100644
--- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml
+++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml
index 1ba3e1d7080..7168156486d 100644
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml
index 9bae95db486..90636e8ffe1 100644
--- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml
@@ -3,6 +3,7 @@
- maxConnections: 1
maxPendingRequests: 1
maxRequests: 1
+ maxRetries: 2
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml
old mode 100755
new mode 100644
index 869321c6504..a89644e62d9
--- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.endpoints.yaml
old mode 100755
new mode 100644
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml
old mode 100755
new mode 100644
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.routes.yaml
old mode 100755
new mode 100644
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml
old mode 100755
new mode 100644
index ec3cb0b2f79..d02aa6b4aa8
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml
old mode 100755
new mode 100644
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
old mode 100755
new mode 100644
index b310689402b..52735036294
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
@@ -28,6 +28,7 @@
cluster: securitypolicy/default/policy-for-first-route/http-backend
timeout: 10s
uri: http://http-backend.envoy-gateway:80/auth
+ transportApiVersion: V3
- disabled: true
name: envoy.filters.http.ext_authz_httproute/default/httproute-2/rule/0/match/0/www_example_com
typedConfig:
@@ -41,6 +42,7 @@
authority: grpc-backend.default:9000
clusterName: securitypolicy/default/policy-for-second-route/grpc-backend
timeout: 10s
+ transportApiVersion: V3
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml
old mode 100755
new mode 100644
diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml
old mode 100755
new mode 100644
index 2a9c75f08cb..03e10ccd7fc
--- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -54,7 +66,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.endpoints.yaml
old mode 100755
new mode 100644
diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml
old mode 100755
new mode 100644
diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.routes.yaml
old mode 100755
new mode 100644
diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml
index 6003509f196..8c076fbdb87 100644
--- a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -25,11 +28,17 @@
name: first-route-dest
outlierDetection:
baseEjectionTime: 180s
+ consecutive5xx: 5
+ consecutiveGatewayFailure: 0
+ consecutiveLocalOriginFailure: 5
interval: 2s
maxEjectionPercent: 100
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -54,11 +63,17 @@
name: second-route-dest
outlierDetection:
baseEjectionTime: 180s
+ consecutive5xx: 5
+ consecutiveGatewayFailure: 0
+ consecutiveLocalOriginFailure: 5
interval: 1s
maxEjectionPercent: 100
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -81,11 +96,17 @@
name: third-route-dest
outlierDetection:
baseEjectionTime: 160s
+ consecutive5xx: 5
+ consecutiveGatewayFailure: 0
+ consecutiveLocalOriginFailure: 5
interval: 1s
maxEjectionPercent: 100
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -108,7 +129,11 @@
name: fourth-route-dest
outlierDetection:
baseEjectionTime: 180s
+ consecutive5xx: 5
+ consecutiveGatewayFailure: 0
+ consecutiveLocalOriginFailure: 5
interval: 1s
maxEjectionPercent: 90
+ splitExternalLocalOriginErrors: true
perConnectionBufferLimitBytes: 32768
type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml
index af1e50c6320..f0ea3b32320 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml
index 4527713b1c2..876e1084c87 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml
index 36dfc7b6165..53d1f9a7c1a 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml
index daf7072f011..0322cbb616d 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -54,7 +66,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -68,7 +83,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -82,7 +100,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml
index 0296e36dc4e..046021604df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml
index d8b8e4d21ff..61496817710 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml
index a19246c6c14..b435363bef7 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml
index a21398c504f..0f75e67e278 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml
index 7e253f6b5be..2adb8e01e4d 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml
index 3c6050b2116..ca020e482fe 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml
index 3c6050b2116..ca020e482fe 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml
index 3c6050b2116..ca020e482fe 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml
index 1a641679539..027db39fb29 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml
index 6aeeab50483..3a2b7308d8e 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml
index 1a641679539..027db39fb29 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml
index 1a641679539..027db39fb29 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml
index 869321c6504..a89644e62d9 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml
new file mode 100644
index 00000000000..7c3428468f0
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml
@@ -0,0 +1,26 @@
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
+ localityWeightedLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_ONLY
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: httproute/envoy-gateway/httproute-btls/rule/0
+ lbPolicy: LEAST_REQUEST
+ name: httproute/envoy-gateway/httproute-btls/rule/0
+ outlierDetection: {}
+ perConnectionBufferLimitBytes: 32768
+ transportSocket:
+ name: envoy.transport_sockets.tls
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ commonTlsContext:
+ validationContext:
+ trustedCa:
+ filename: /etc/ssl/certs/ca-certificates.crt
+ sni: example.com
+ type: EDS
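Review bot: The expected UpstreamTlsContext in this new fixture carries `sni: example.com` and a `trustedCa` but no `matchTypedSubjectAltNames` under `validationContext`, so if the translator emits exactly this, Envoy will verify the upstream chain against the CA bundle but will not check that the presented certificate is issued for example.com — any certificate chaining to a trusted CA is accepted, the classic missing-hostname-verification gap, and setting SNI alone does not turn on SAN validation. Unless the translator (outside this chunk) adds SAN matching somewhere not reflected here, the golden output should include a `matchTypedSubjectAltNames` entry with `sanType: DNS` and `matcher: {exact: example.com}` beside `trustedCa`, with the translator updated to emit it. The same point applies to the SDS-based fixture http-route-with-tlsbundle.clusters.yaml, where the SAN matcher would sit in a `combinedValidationContext.defaultValidationContext` next to the existing `validationContextSdsSecretConfig`. The hardcoded `/etc/ssl/certs/ca-certificates.crt` path presumably assumes a Debian-style proxy image; a comment on the translator constant naming that assumption would help whoever swaps the base image.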
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.endpoints.yaml
new file mode 100644
index 00000000000..90d97a4e2f6
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.endpoints.yaml
@@ -0,0 +1,12 @@
+- clusterName: httproute/envoy-gateway/httproute-btls/rule/0
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 10.244.0.11
+ portValue: 8080
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: httproute/envoy-gateway/httproute-btls/rule/0/backend/0
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml
new file mode 100644
index 00000000000..4bdeddbb3fc
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml
@@ -0,0 +1,34 @@
+- address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 10080
+ defaultFilterChain:
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions:
+ headersWithUnderscoresAction: REJECT_REQUEST
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ mergeSlashes: true
+ normalizePath: true
+ pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: envoy-gateway/gateway-btls/http
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: http
+ useRemoteAddress: true
+ drainType: MODIFY_ONLY
+ name: envoy-gateway/gateway-btls/http
+ perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.routes.yaml
new file mode 100644
index 00000000000..bd4f9cfe7e2
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.routes.yaml
@@ -0,0 +1,14 @@
+- ignorePortInHostMatching: true
+ name: envoy-gateway/gateway-btls/http
+ virtualHosts:
+ - domains:
+ - '*'
+ name: envoy-gateway/gateway-btls/http/*
+ routes:
+ - match:
+ path: /exact
+ name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/*
+ route:
+ cluster: httproute/envoy-gateway/httproute-btls/rule/0
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml
new file mode 100644
index 00000000000..fca8c6280b0
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml
@@ -0,0 +1,28 @@
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
+ localityWeightedLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_ONLY
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: httproute/envoy-gateway/httproute-btls/rule/0
+ lbPolicy: LEAST_REQUEST
+ name: httproute/envoy-gateway/httproute-btls/rule/0
+ outlierDetection: {}
+ perConnectionBufferLimitBytes: 32768
+ transportSocket:
+ name: envoy.transport_sockets.tls
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ commonTlsContext:
+ validationContextSdsSecretConfig:
+ name: policy-btls/policies-ca
+ sdsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ sni: example.com
+ type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.endpoints.yaml
new file mode 100644
index 00000000000..90d97a4e2f6
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.endpoints.yaml
@@ -0,0 +1,12 @@
+- clusterName: httproute/envoy-gateway/httproute-btls/rule/0
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 10.244.0.11
+ portValue: 8080
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: httproute/envoy-gateway/httproute-btls/rule/0/backend/0
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml
new file mode 100644
index 00000000000..4bdeddbb3fc
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml
@@ -0,0 +1,34 @@
+- address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 10080
+ defaultFilterChain:
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions:
+ headersWithUnderscoresAction: REJECT_REQUEST
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ mergeSlashes: true
+ normalizePath: true
+ pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: envoy-gateway/gateway-btls/http
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: http
+ useRemoteAddress: true
+ drainType: MODIFY_ONLY
+ name: envoy-gateway/gateway-btls/http
+ perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.routes.yaml
new file mode 100644
index 00000000000..bd4f9cfe7e2
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.routes.yaml
@@ -0,0 +1,14 @@
+- ignorePortInHostMatching: true
+ name: envoy-gateway/gateway-btls/http
+ virtualHosts:
+ - domains:
+ - '*'
+ name: envoy-gateway/gateway-btls/http/*
+ routes:
+ - match:
+ path: /exact
+ name: httproute/envoy-gateway/httproute-btls/rule/0/match/0/*
+ route:
+ cluster: httproute/envoy-gateway/httproute-btls/rule/0
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.secrets.yaml
new file mode 100644
index 00000000000..be757009ca1
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.secrets.yaml
@@ -0,0 +1,4 @@
+- name: policy-btls/policies-ca
+ validationContext:
+ trustedCa:
+ inlineBytes: 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
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml
index 3799e281ee2..1489e95f6fd 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -22,7 +25,10 @@
name: preserve_case
typedConfig:
'@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml
index 2e9b5ba149f..8c3dd7a549c 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml
index 5fe5a91e3ed..2cb022cfad0 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml
index b64f0e3521c..6086cfbb86f 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml
index 986aeb8e82e..9714612e3de 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml
index b171eb11f71..b6e4ed1ae7d 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml
index 9b85cda2aa1..8ede70cf99a 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
index d760d2ca25a..9de709310e6 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -50,7 +59,10 @@
perConnectionBufferLimitBytes: 32768
respectDnsTtl: true
type: STRICT_DNS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml
index 45b8763385e..8d7b2d37ca0 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml
index bc0cd764256..d4e9db34e33 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -63,7 +75,10 @@
filename: /etc/ssl/certs/ca-certificates.crt
sni: 192.168.1.250
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml
index 9b85cda2aa1..8ede70cf99a 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml
index 1bcfa8d1104..a52251e32bf 100644
--- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml
index 60969f05429..fc755fed368 100644
--- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -11,7 +14,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -25,7 +31,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -39,7 +48,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -53,7 +65,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -70,7 +85,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml
index 869321c6504..a89644e62d9 100644
--- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml
index 6ac76261382..ce7f4361a40 100644
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -54,7 +66,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -68,7 +83,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml
index 30c51562dd2..e0f57c2a695 100644
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -54,7 +66,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml
index 2903bb5f9c4..5309331d017 100644
--- a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -59,7 +68,10 @@
filename: /etc/ssl/certs/ca-certificates.crt
sni: oauth.foo.com
type: STRICT_DNS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml
index 4e4dcf0659e..6441952eae8 100644
--- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml
index 73b916d5c08..bd23f61ee21 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml
index abe58dd36f1..33fc01336b8 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -54,7 +66,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml
index 1ef3710072f..9f9bc9f1dff 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -26,7 +32,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -40,7 +49,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.routes.yaml
index e1b4ffe7bf1..f2cacab526d 100644
--- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.routes.yaml
@@ -11,6 +11,7 @@
route:
cluster: first-route-dest
retryPolicy:
+ hostSelectionRetryMaxAttempts: "5"
numRetries: 5
perTryTimeout: 0.250s
retriableStatusCodes:
@@ -19,7 +20,11 @@
retryBackOff:
baseInterval: 0.100s
maxInterval: 10s
- retryOn: connect-failure,retriable-status-codes
+ retryHostPredicate:
+ - name: envoy.retry_host_predicates.previous_hosts
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.retry.host.previous_hosts.v3.PreviousHostsPredicate
+ retryOn: reset,connect-failure,retriable-status-codes
upgradeConfigs:
- upgradeType: websocket
- domains:
@@ -32,9 +37,14 @@
route:
cluster: first-route-dest
retryPolicy:
+ hostSelectionRetryMaxAttempts: "5"
numRetries: 2
retriableStatusCodes:
- 503
+ retryHostPredicate:
+ - name: envoy.retry_host_predicates.previous_hosts
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.retry.host.previous_hosts.v3.PreviousHostsPredicate
retryOn: connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes
upgradeConfigs:
- upgradeType: websocket
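Review bot: The two retryPolicy blocks in this golden file now diverge on `reset`: the first route's `retryOn` becomes `reset,connect-failure,retriable-status-codes`, while the second route's list on the `retryOn: connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes` line is unchanged. If that is deliberate (a translator default applied only where the input supplied no explicit list) it is worth a one-line comment in the matching input fixture, since a reader of the expected output cannot tell a default from a missed update; the input fixture is not part of this chunk, so please confirm against it. The quoted `hostSelectionRetryMaxAttempts: "5"` looks like protojson's string rendering of an int64 field rather than a typing mistake, so no change is needed there. Both retry policies still share the same `previous_hosts` predicate and the same retry budget, so this file exercises only one of the two retryOn shapes per route.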
diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml
index a4f9048c783..382c2857a1f 100644
--- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml
index 2e9e07958c4..c845c64037d 100644
--- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml
index e4bea76097a..af4d15a65a7 100644
--- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml
index b3af74933f2..849359c1385 100644
--- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml
index 7515ac9e7d6..e2156cb6aff 100644
--- a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 31s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml
index 6601b3394c7..bd4967179fa 100644
--- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml
index c8692b81602..d53a7a1b2ce 100644
--- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml
index 2053a4bdeb1..eea2936ce62 100644
--- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
@@ -12,7 +15,10 @@
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml
index 3afb28bd407..0656b7c45e5 100644
--- a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml
index 8064de8d285..6d5dffadf8c 100644
--- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml
@@ -1,4 +1,7 @@
-- commonLbConfig:
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
index 4ce82ca543f..16b7e7a9d1d 100644
--- a/internal/xds/translator/translator.go
+++ b/internal/xds/translator/translator.go
@@ -19,6 +19,8 @@ import (
tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
resourcev3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3"
+ "github.com/envoyproxy/go-control-plane/pkg/wellknown"
+ "google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/wrapperspb"
extensionTypes "github.com/envoyproxy/gateway/internal/extension/types"
@@ -504,10 +506,28 @@ func processXdsCluster(tCtx *types.ResourceVersionTable, httpRoute *ir.HTTPRoute
endpointType = EndpointTypeStatic
}
+ var tSocket *corev3.TransportSocket
+
+ if httpRoute.Destination.Settings[0].TLS != nil {
+ CaSecret := buildXdsUpstreamTLSCASecret(httpRoute.Destination.Settings[0].TLS)
+ if CaSecret != nil {
+ if err := tCtx.AddXdsResource(resourcev3.SecretType, CaSecret); err != nil {
+ return err
+ }
+ }
+ // for upstreamTLS , a fixed sni can be used. use auto_sni otherwise
+ // https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/sni#faq-how-to-setup-sni:~:text=For%20clusters%2C%20a,for%20trust%20anchor.
+ temp, err := buildXdsUpstreamTLSSocketWthCert(httpRoute.Destination.Settings[0].TLS)
+ if err != nil {
+ return err
+ }
+ tSocket = temp
+ }
+
if err := addXdsCluster(tCtx, &xdsClusterArgs{
name: httpRoute.Destination.Name,
settings: httpRoute.Destination.Settings,
- tSocket: nil,
+ tSocket: tSocket,
endpointType: endpointType,
loadBalancer: httpRoute.LoadBalancer,
proxyProtocol: httpRoute.ProxyProtocol,
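Review bot: `httpRoute.Destination.Settings[0]` is indexed three times in the new block without checking that Settings is non-empty, so a destination with no settings would panic here instead of returning an error; a guard such as `if len(httpRoute.Destination.Settings) > 0 && httpRoute.Destination.Settings[0].TLS != nil {` keeps the behaviour for the common case. Only the first setting's TLS config is consulted, yet the resulting tSocket is attached to the whole cluster, so for a weighted destination whose other settings carry a different (or no) TLS configuration their traffic would presumably use the first setting's socket too — worth either documenting as a known limitation in a comment or validating that all settings agree before translating. The local `CaSecret` should be `caSecret` per Go naming for unexported locals, and `buildXdsUpstreamTLSSocketWthCert` looks like a typo for `WithCert`. processXdsCluster starts and ends outside the hunk.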
@@ -572,3 +592,79 @@ func addXdsCluster(tCtx *types.ResourceVersionTable, args *xdsClusterArgs) error
}
return nil
}
+
+const (
+ DefaultEndpointType EndpointType = iota
+ Static
+ EDS
+)
+
+func buildXdsUpstreamTLSCASecret(tlsConfig *ir.TLSUpstreamConfig) *tlsv3.Secret {
+ // Build the tls secret
+ if tlsConfig.UseSystemTrustStore {
+ return nil
+ }
+ return &tlsv3.Secret{
+ Name: tlsConfig.CACertificate.Name,
+ Type: &tlsv3.Secret_ValidationContext{
+ ValidationContext: &tlsv3.CertificateValidationContext{
+ TrustedCa: &corev3.DataSource{
+ Specifier: &corev3.DataSource_InlineBytes{InlineBytes: tlsConfig.CACertificate.Certificate},
+ },
+ },
+ },
+ }
+}
+
+func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3.TransportSocket, error) {
+
+ var tlsCtx *tlsv3.UpstreamTlsContext
+
+ if tlsConfig.UseSystemTrustStore {
+ tlsCtx = &tlsv3.UpstreamTlsContext{
+ CommonTlsContext: &tlsv3.CommonTlsContext{
+ ValidationContextType: &tlsv3.CommonTlsContext_ValidationContext{
+ ValidationContext: &tlsv3.CertificateValidationContext{
+ TrustedCa: &corev3.DataSource{
+ Specifier: &corev3.DataSource_Filename{
+ // This is the default location for the system trust store
+ // on Debian derivatives like the envoy-proxy image being used by the infrastructure
+ // controller.
+ // See https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl
+ // TODO: allow customizing this value via EnvoyGateway so that if a non-standard
+ // envoy image is being used, this can be modified to match
+ Filename: "/etc/ssl/certs/ca-certificates.crt",
+ },
+ },
+ },
+ },
+ },
+ Sni: tlsConfig.SNI,
+ }
+ } else {
+ tlsCtx = &tlsv3.UpstreamTlsContext{
+ CommonTlsContext: &tlsv3.CommonTlsContext{
+ TlsCertificateSdsSecretConfigs: nil,
+ ValidationContextType: &tlsv3.CommonTlsContext_ValidationContextSdsSecretConfig{
+ ValidationContextSdsSecretConfig: &tlsv3.SdsSecretConfig{
+ Name: tlsConfig.CACertificate.Name,
+ SdsConfig: makeConfigSource(),
+ },
+ },
+ },
+ Sni: tlsConfig.SNI,
+ }
+ }
+
+ tlsCtxAny, err := anypb.New(tlsCtx)
+ if err != nil {
+ return nil, err
+ }
+
+ return &corev3.TransportSocket{
+ Name: wellknown.TransportSocketTLS,
+ ConfigType: &corev3.TransportSocket_TypedConfig{
+ TypedConfig: tlsCtxAny,
+ },
+ }, nil
+}
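Review bot: Neither validation context built in this hunk constrains the server certificate's identity: `buildXdsUpstreamTLSCASecret` and the `UseSystemTrustStore` branch of `buildXdsUpstreamTLSSocketWthCert` set only `TrustedCa`, and nothing here adds `MatchTypedSubjectAltNames` (or enables auto SAN validation), so Envoy will accept any certificate that chains to the trusted CA regardless of the hostname sent as `Sni`. With the system trust store that means any publicly issued certificate passes, which undermines the SNI-pinned connection; the Gateway API BackendTLSPolicy hostname is intended to be both the SNI and the expected SAN, so pinning a DNS SAN matcher to `tlsConfig.SNI` (assuming it is always populated from that hostname) closes the gap. The same matcher belongs in the `CertificateValidationContext` returned by buildXdsUpstreamTLSCASecret, since in the SDS branch the validation context is delivered through that secret. Separately, the new `const ( DefaultEndpointType EndpointType = iota; Static; EDS )` block is unused within this hunk and duplicates the existing `EndpointTypeStatic`/`EndpointTypeDNS` names visible elsewhere in this diff; if nothing needs it, drop it.
```go
// … unchanged: UseSystemTrustStore branch down to the DataSource …
			TrustedCa: &corev3.DataSource{
				Specifier: &corev3.DataSource_Filename{
					Filename: "/etc/ssl/certs/ca-certificates.crt",
				},
			},
			// Verify the server identity, not only the chain: without a SAN
			// matcher Envoy accepts any leaf signed by the trusted CA.
			MatchTypedSubjectAltNames: []*tlsv3.SubjectAltNameMatcher{{
				SanType: tlsv3.SubjectAltNameMatcher_DNS,
				Matcher: &matcherv3.StringMatcher{
					MatchPattern: &matcherv3.StringMatcher_Exact{Exact: tlsConfig.SNI},
				},
			}},
// … unchanged: Sni, SDS branch (apply the same matcher in the secret), anypb wrapping …
```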
diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go
index c3a5b609e58..7a3d52c480f 100644
--- a/internal/xds/translator/translator_test.go
+++ b/internal/xds/translator/translator_test.go
@@ -90,6 +90,13 @@ func TestTranslateXds(t *testing.T) {
{
name: "http-route-dns-cluster",
},
+ {
+ name: "http-route-with-tls-system-truststore",
+ },
+ {
+ name: "http-route-with-tlsbundle",
+ requireSecrets: true,
+ },
{
name: "simple-tls",
requireSecrets: true,
diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
index 01d9939badb..8ebcc74c677 100644
--- a/internal/xds/translator/utils.go
+++ b/internal/xds/translator/utils.go
@@ -35,7 +35,7 @@ type urlCluster struct {
}
// url2Cluster returns a urlCluster from the provided url.
-func url2Cluster(strURL string, secure bool) (*urlCluster, error) {
+func url2Cluster(strURL string) (*urlCluster, error) {
epType := EndpointTypeDNS
// The URL should have already been validated in the gateway API translator.
@@ -44,10 +44,6 @@ func url2Cluster(strURL string, secure bool) (*urlCluster, error) {
return nil, err
}
- if secure && u.Scheme != "https" {
- return nil, fmt.Errorf("unsupported URI scheme %s", u.Scheme)
- }
-
var port uint64
if u.Scheme == "https" {
port = defaultHTTPSPort
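Review bot: Dropping the `secure` parameter removes the only place in url2Cluster that rejected non-https URLs, so every caller now accepts plaintext `http` endpoints and any transport-security expectation must be enforced by the callers themselves (the same removal spans the previous hunk's signature change). The release notes in this same diff describe relaxing the HTTPS restriction for the OIDC token endpoint, so this looks deliberate, but the function's doc comment should make the scheme policy explicit, e.g. `// url2Cluster returns a urlCluster from the provided url. It does not enforce a scheme; callers that require TLS must validate the URL before calling it.` The body of url2Cluster continues past the hunk.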
diff --git a/release-notes/v1.0.0-rc.1.yaml b/release-notes/v1.0.0-rc.1.yaml
new file mode 100644
index 00000000000..f91e7856d92
--- /dev/null
+++ b/release-notes/v1.0.0-rc.1.yaml
@@ -0,0 +1,151 @@
+date: Nov 1, 2023
+
+changes:
+ - area: documentation
+ change: |
+ Added User Guide for local rate limit
+ Added User Guide for circuit breaker
+ Added User Guide for fault injection
+ Added User Guide for EnvoyProxy extraArgs
+ Added User Guide for Timeouts in ClientTrafficPolicy
+ Added User Guide for JWT claim base routing
+ Added User Guide for HTTP Timeout
+ Added User Guide for Retry in BackendTrafficPolicy
+ Added User Guide for basic auth
+ Added User Guide for OIDC
+ Added User Guide for ClientTrafficPolicy
+ Added User Guide for BackendTrafficPolicy
+ Added `Type` and `required` for CRD API doc
+ Updated crd-ref-docs to 0.0.10
+ Updated Envoy proxy image to envoy:distroless-dev in main
+
+
+ - area: installation
+ change: |
+ Added Support for Pulling envoyGateway image from a private registry
+ Added Support for Configuring resources for certgen job
+ Added Support for Configuring affinity for EnvoyGateway pod
+
+ - area: api
+ change: |
+ Added Support for Downstream QUIC/HTTP3 in ClientTrafficPolicy CRD
+ Added Support for Downstream MTLS in ClientTrafficPolicy CRD
+ Added Support for enabling EnvoyHeaders in ClientTrafficPolicy CRD
+ Added Support for DisableMergeSlash and escapedSlashesAction in ClientTrafficPolicy CRD
+ Added Support for EnableTrailers in HTTP/1.1 in ClientTrafficPolicy CRD
+ Added Support for Preserving header letter-case on HTTP/1 in ClientTrafficPolicy CRD
+ Added Support for enabling HTTP/1.0 and HTTP/0.9 in ClientTrafficPolicy CRD
+ Added Support for Client IP Detection using XFF in ClientTrafficPolicy CRD
+ Added Support for Client IP Detection using Custom Header in ClientTrafficPolicy CRD
+ Added Support for Connection Timeouts in ClientTrafficPolicy CRD
+ Added Support for Common TLS configuration properties in ClientTrafficPolicy CRD
+ Added Support for Proxy protocol in ClientTrafficPolicy CRD
+ Added Support for TCPKeepAlive in ClientTrafficPolicy CRD
+ Added Support for Local rate limit in BackendTrafficPolicy CRD
+ Added Support for CircuitBreaker in BackendTrafficPolicy CRD
+ Added Support for Fault injection in BackendTrafficPolicy CRD
+ Added Support for Passive Health Checks in BackendTrafficPolicy CRD
+ Added Support for Active Health Checks in BackendTrafficPolicy CRD
+ Added Support for Connection Timeouts in BackendTrafficPolicy CRD
+ Added Support for Compressor/Decompressor in BackendTrafficPolicy CRD
+ Added Support for Retry in BackendTrafficPolicy CRD
+ Added Support for Slow start mode in BackendTrafficPolicy CRD
+ Added Support for Proxy protocol in BackendTrafficPolicy CRD
+ Added Support for TCPKeepAlive in BackendTrafficPolicy CRD
+ Added Support for OIDC in SecurityPolicy CRD
+ Added Support for Basic Auth in SecurityPolicy CRD
+ Added Support for RedirectURL and signoutPath to OIDC in SecurityPolicy CRD
+ Added Support for ExtractFrom headers and params to JWT in SecurityPolicy CRD
+ Added Support for External authorization in SecurityPolicy CRD
+ Added Support for RecomputeRoute field to JWT in SecurityPolicy CRD
+ Added Support for AllowCredentials knob to CORS setting in SecurityPolicy CRD
+ Added Support for Extract from different identifier to JWT in SecurityPolicy CRD
+ Added Support for Secret resource in EnvoyPatchPolicy CRD
+ Added Support for Making the value optional for JSONPatchOperation in EnvoyPatchPolicy CRD
+ Added Support for `From` field to JSONPatchOperation in EnvoyPatchPolicy CRD
+ Added Support for MergeGateways in EnvoyPatchPolicy CRD
+ Added Support for Upstream TLS by implementing BackendTLSPolicy CRD
+ Added Support for LabelSelector type for NamespaceSelectors in EnvoyGateway Configuration
+ Added Support for ratelimit prometheus in EnvoyGateway Configuration
+ Added Support for Gracefully drain listeners before envoy shutdown on pod termination in EnvoyProxy CRD
+ Added Support for Configuring externalTrafficPolicy to the envoy service in EnvoyProxy CRD
+ Added Support for Envoy extra args in EnvoyProxy CRD
+ Added Support for Mergepatch to envoyproxy/ratelimit deployment in EnvoyProxy CRD
+ Added Support for Mergepatch to envoyproxy service in EnvoyProxy CRD
+ Added Support for NodeSelector to PodSpec in EnvoyProxy CRD
+ Added Support for HorizontalPodAutoscaler in EnvoyProxy CRD
+ Added Support for TopologySpreadConstraints to PodSpec in EnvoyProxy CRD
+ Added Support for ImagePullSecrets to PodSpec in EnvoyProxy CRD
+
+ breaking-change: |
+ Use wildcard to match AllowOrigins to CORS in SecurityPolicy CRD
+
+ - area: conformance
+ change: |
+ Replaced backend image from gcr.io/k8s-staging-ingressconformance/echoserver to gcr.io/k8s-staging-gateway-api/echo-basic
+
+
+ - area: testing
+ change: |
+ Added e2e test for header case-preserving
+ Added LoadBalancerIP validation to prevent trailing period
+ Added e2e test for Timeout in ClientTrafficPolicy
+ Added e2e test for jwt claim base routing
+ Added e2e test for OIDC
+ Added e2e test for BackendTrafficPolicy Retry
+
+
+ - area: translator
+ change: |
+ Fixed Prefix match to prevent mismatching routes with the same prefix
+ Fixed Multiple reconciling by implementing comparable interface for ir.Infra
+ Fixed EndpointSlice with empty conditions {}
+ Fixed Error handling when parsing the http request timeout
+ Fixed No status when EnvoyPatchPolicy is disabled
+ Fixed Printable for xds and infra IRs
+ Fixed Skip backendRefs with weight set to 0
+ Fixed AND Header matches in ratelimiting not working
+ Fixed Deletion logics when no gatewayclasses exist
+ Fixed Match mergedGateways irKey for ClientTrafficPolicy
+ Fixed Policies should apply only to gateways they were attached to when mergeGateways is true
+ Fixed Listener status is not surfaced for gateways when MergeGateways enabled
+ Fixed GRPCroute websocket not working by moving web socket upgrade config from hcm to route
+ Fixed Configure idle timeout when timeout is set on HTTPRoute
+ Fixed Relaxing HTTPS restriction for OIDC token endpoint
+ Fixed Panic when translating routes with empty backends
+ Fixed Xds translation should be done in a best-effort manner
+ Added Support for validating regex before sending to Envoy
+ Added Support for setting spec.addresses.value into ClusterIP when Service Type is ClusterIP
+ Added Unsupported status condition for filters within BackendRef
+ Added List instead of map for Provider Resources for order stability
+ Added Suffix for oauth cookies to prevent multiple oauth filters from overwriting each other's cookies
+ Added Support for overriding condition to BackendTrafficPolicy and SecurityPolicy
+ Added Support for default retry budget and retry host predicate
+ Added Support for implementing gateway.spec.infrastructure
+ Added Validation for CA Cert in ClientTrafficPolicy
+
+
+ - area: providers
+ change: |
+ Added Support for multiple GatewayClass per controller
+ Added SecurityPolicyIndexers in Kubernetes Provider
+ Added Support for generating HMAC secret in CertGen Job
+ Fixed Finalizer logic when deleting Gatewayclasses
+ Fixed MergeGateways panics when restarting control plane
+
+
+ - area: xds
+ change: |
+ Added Support for EDS cache
+ Added Support for ADS cache to ensure the rule order
+ Fixed Deprecated field error when using RequestHeaderModifier filter
+ Fixed Envoy rejects XDS at runtime losing all routes on restart
+ Fixed Requests not matching defined routes trigger per-route filters
+ Bumped go-control-plane to v0.12.0
+
+
+ - area: cli
+ change: |
+ Added Support for egctl x status
+ Added Support for egctl experimental dashboard envoy-proxy
+ Added Support for egctl config ratelimit
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 7ebe5f16669..a0b3f0047e6 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -229,6 +229,7 @@ _Appears in:_
| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. |
| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. |
| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. |
+| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. |
| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. Default: unlimited. |
@@ -1454,6 +1455,7 @@ KubernetesPatchSpec defines how to perform the patch operation
_Appears in:_
- [KubernetesDeploymentSpec](#kubernetesdeploymentspec)
+- [KubernetesServiceSpec](#kubernetesservicespec)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
@@ -1478,7 +1480,6 @@ _Appears in:_
| `affinity` | _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#affinity-v1-core)_ | false | If specified, the pod's scheduling constraints. |
| `tolerations` | _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#toleration-v1-core) array_ | false | If specified, the pod's tolerations. |
| `volumes` | _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volume-v1-core) array_ | false | Volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes |
-| `hostNetwork` | _boolean_ | false | HostNetwork, If this is set to true, the pod will use host's network namespace. |
| `imagePullSecrets` | _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#localobjectreference-v1-core) array_ | false | ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod |
| `nodeSelector` | _object (keys:string, values:string)_ | false | NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
| `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#topologyspreadconstraint-v1-core) array_ | false | TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed. |
@@ -1501,6 +1502,7 @@ _Appears in:_
| `allocateLoadBalancerNodePorts` | _boolean_ | false | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. |
| `loadBalancerIP` | _string_ | false | LoadBalancerIP defines the IP Address of the underlying load balancer service. This field may be ignored if the load balancer provider does not support this feature. This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud providers such as GCP. |
| `externalTrafficPolicy` | _[ServiceExternalTrafficPolicy](#serviceexternaltrafficpolicy)_ | false | ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster. |
+| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the service |
#### KubernetesWatchMode
@@ -2004,6 +2006,7 @@ _Appears in:_
| `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | Backend holds the configuration associated with the database backend used by the rate limit service to store state associated with global ratelimiting. |
| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Timeout specifies the timeout period for the proxy to access the ratelimit server If not set, timeout is 20ms. |
| `failClosed` | _boolean_ | true | FailClosed is a switch used to control the flow of traffic when the response from the ratelimit server cannot be obtained. If FailClosed is false, let the traffic pass, otherwise, don't let the traffic pass and return 500. If not set, FailClosed is False. |
+| `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | Telemetry defines telemetry configuration for RateLimit. |
#### RateLimitDatabaseBackend
@@ -2032,6 +2035,34 @@ _Appears in:_
+#### RateLimitMetrics
+
+
+
+
+
+_Appears in:_
+- [RateLimitTelemetry](#ratelimittelemetry)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `prometheus` | _[RateLimitMetricsPrometheusProvider](#ratelimitmetricsprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. |
+
+
+#### RateLimitMetricsPrometheusProvider
+
+
+
+
+
+_Appears in:_
+- [RateLimitMetrics](#ratelimitmetrics)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `disable` | _boolean_ | true | Disable the Prometheus endpoint. |
+
+
#### RateLimitRedisSettings
@@ -2094,6 +2125,20 @@ _Appears in:_
| `local` | _[LocalRateLimit](#localratelimit)_ | false | Local defines local rate limit configuration. |
+#### RateLimitTelemetry
+
+
+
+
+
+_Appears in:_
+- [RateLimit](#ratelimit)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `metrics` | _[RateLimitMetrics](#ratelimitmetrics)_ | true | Metrics defines metrics configuration for RateLimit. |
+
+
#### RateLimitType
_Underlying type:_ _string_
diff --git a/site/content/en/latest/install/api.md b/site/content/en/latest/install/api.md
index e007fdba69c..165a91d01e6 100644
--- a/site/content/en/latest/install/api.md
+++ b/site/content/en/latest/install/api.md
@@ -51,9 +51,6 @@ The Helm chart for Envoy Gateway
| deployment.ports[1].port | int | `18001` | |
| deployment.ports[1].targetPort | int | `18001` | |
| deployment.replicas | int | `1` | |
-| envoyGatewayMetricsService.ports[0].name | string | `"http"` | |
-| envoyGatewayMetricsService.ports[0].port | int | `19001` | |
-| envoyGatewayMetricsService.ports[0].protocol | string | `"TCP"` | |
-| envoyGatewayMetricsService.ports[0].targetPort | int | `19001` | |
+| envoyGatewayMetricsService.port | int | `19001` | |
| kubernetesClusterDomain | string | `"cluster.local"` | |
diff --git a/site/content/en/latest/user/extensibility/_index.md b/site/content/en/latest/user/extensibility/_index.md
new file mode 100644
index 00000000000..9560b0dd241
--- /dev/null
+++ b/site/content/en/latest/user/extensibility/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Extensibility"
+weight: 4
+description: This section includes User Guides of Extensibility.
+---
diff --git a/site/content/en/latest/user/envoy-patch-policy.md b/site/content/en/latest/user/extensibility/envoy-patch-policy.md
similarity index 96%
rename from site/content/en/latest/user/envoy-patch-policy.md
rename to site/content/en/latest/user/extensibility/envoy-patch-policy.md
index dc403d57bc0..994436c9473 100644
--- a/site/content/en/latest/user/envoy-patch-policy.md
+++ b/site/content/en/latest/user/extensibility/envoy-patch-policy.md
@@ -22,7 +22,7 @@ not exposed by Envoy Gateway APIs today.
### Prerequisites
-* Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest.
+* Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
### Enable EnvoyPatchPolicy
@@ -233,8 +233,8 @@ across versions for these reasons
* Envoy Gateway might alter the xDS translation creating a different xDS output
such as changing the `name` field of resources.
-[EnvoyPatchPolicy]: ../../api/extension_types#envoypatchpolicy
-[EnvoyGateway]: ../../api/extension_types#envoygateway
+[EnvoyPatchPolicy]: ../../../api/extension_types#envoypatchpolicy
+[EnvoyGateway]: ../../../api/extension_types#envoygateway
[JSON Patch]: https://datatracker.ietf.org/doc/html/rfc6902
[xDS]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration
[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply
diff --git a/site/content/en/latest/user/observability/_index.md b/site/content/en/latest/user/observability/_index.md
new file mode 100644
index 00000000000..ed877d4355b
--- /dev/null
+++ b/site/content/en/latest/user/observability/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Observability"
+weight: 4
+description: This section includes User Guides of Observability.
+---
diff --git a/site/content/en/latest/user/gateway-api-metrics.md b/site/content/en/latest/user/observability/gateway-api-metrics.md
similarity index 96%
rename from site/content/en/latest/user/gateway-api-metrics.md
rename to site/content/en/latest/user/observability/gateway-api-metrics.md
index a7764edbfc1..e99a8dee692 100644
--- a/site/content/en/latest/user/gateway-api-metrics.md
+++ b/site/content/en/latest/user/observability/gateway-api-metrics.md
@@ -7,7 +7,7 @@ The project also provides example dashboard for visualising the metrics using Gr
## Prerequisites
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
Run the following commands to install the metrics stack, with the Gateway API State Metrics configuration, on your kubernetes cluster:
diff --git a/site/content/en/latest/user/grafana-integration.md b/site/content/en/latest/user/observability/grafana-integration.md
similarity index 96%
rename from site/content/en/latest/user/grafana-integration.md
rename to site/content/en/latest/user/observability/grafana-integration.md
index 3c1aa0a8b6d..b7c58e0d582 100644
--- a/site/content/en/latest/user/grafana-integration.md
+++ b/site/content/en/latest/user/observability/grafana-integration.md
@@ -7,7 +7,7 @@ This guide shows you how to visualise the metrics exposed to prometheus using gr
## Prerequisites
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
Follow the steps from the [Proxy Observability](../proxy-observability#Metrics) to enable prometheus metrics.
diff --git a/site/content/en/latest/user/proxy-observability.md b/site/content/en/latest/user/observability/proxy-observability.md
similarity index 97%
rename from site/content/en/latest/user/proxy-observability.md
rename to site/content/en/latest/user/observability/proxy-observability.md
index f9d8f2d5a0d..c521b62cbe9 100644
--- a/site/content/en/latest/user/proxy-observability.md
+++ b/site/content/en/latest/user/observability/proxy-observability.md
@@ -7,7 +7,7 @@ This guide show you how to config proxy observability, includes metrics, logs, a
## Prerequisites
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
[FluentBit](https://fluentbit.io/) is used to collect logs from the EnvoyProxy instances and forward them to Loki. Install FluentBit:
diff --git a/site/content/en/latest/user/operations/_index.md b/site/content/en/latest/user/operations/_index.md
new file mode 100644
index 00000000000..0341d46ad0a
--- /dev/null
+++ b/site/content/en/latest/user/operations/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Operations"
+weight: 4
+description: This section includes User Guides of Operations.
+---
diff --git a/site/content/en/latest/user/customize-envoyproxy.md b/site/content/en/latest/user/operations/customize-envoyproxy.md
similarity index 98%
rename from site/content/en/latest/user/customize-envoyproxy.md
rename to site/content/en/latest/user/operations/customize-envoyproxy.md
index 3bc0c0c96d6..5d78247fbbd 100644
--- a/site/content/en/latest/user/customize-envoyproxy.md
+++ b/site/content/en/latest/user/operations/customize-envoyproxy.md
@@ -8,7 +8,7 @@ Service. To learn more about GatewayClass and ParametersRef, please refer to [Ga
## Installation
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## Add GatewayClass ParametersRef
@@ -368,5 +368,5 @@ EOF
```
[Gateway API documentation]: https://gateway-api.sigs.k8s.io/
-[EnvoyProxy]: ../../api/extension_types#envoyproxy
+[EnvoyProxy]: ../../../api/extension_types#envoyproxy
[egctl translate]: ../egctl/#validating-gateway-api-configuration
diff --git a/site/content/en/latest/user/deployment-mode.md b/site/content/en/latest/user/operations/deployment-mode.md
similarity index 97%
rename from site/content/en/latest/user/deployment-mode.md
rename to site/content/en/latest/user/operations/deployment-mode.md
index 66605e297a1..2a2fa651951 100644
--- a/site/content/en/latest/user/deployment-mode.md
+++ b/site/content/en/latest/user/operations/deployment-mode.md
@@ -103,7 +103,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
@@ -281,7 +281,7 @@ spec:
spec:
serviceAccountName: backend
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
@@ -410,6 +410,6 @@ Handling connection for 8889
```
[GatewayClass]: https://gateway-api.sigs.k8s.io/api-types/gatewayclass/
-[Namespaced deployment mode]: ../../api/extension_types#kuberneteswatchmode
+[Namespaced deployment mode]: ../../../api/extension_types#kuberneteswatchmode
[issue1231]: https://github.com/envoyproxy/gateway/issues/1231
[issue1117]: https://github.com/envoyproxy/gateway/issues/1117
diff --git a/site/content/en/latest/user/egctl.md b/site/content/en/latest/user/operations/egctl.md
similarity index 97%
rename from site/content/en/latest/user/egctl.md
rename to site/content/en/latest/user/operations/egctl.md
index cb361673fd1..75855ad68d9 100644
--- a/site/content/en/latest/user/egctl.md
+++ b/site/content/en/latest/user/operations/egctl.md
@@ -10,6 +10,23 @@ title: "Use egctl"
This subcommand allows users to translate from an input configuration type to an output configuration type.
+The `translate` subcommand can translate Kubernetes resources to:
+* Gateway API resources
+ This is useful in order to see how validation would occur if these resources were applied to Kubernetes.
+
+ Use the `--to gateway-api` parameter to translate to Gateway API resources.
+
+* Envoy Gateway intermediate representation (IR)
+ This represents Envoy Gateway's translation of the Gateway API resources.
+
+ Use the `--to ir` parameter to translate to Envoy Gateway intermediate representation.
+
+* Envoy Proxy xDS
+ This is the xDS configuration provided to Envoy Proxy.
+
+ Use the `--to xds` parameter to translate to Envoy Proxy xDS.
+
+
In the below example, we will translate the Kubernetes resources (including the Gateway API resources) into xDS
resources.
@@ -824,7 +841,7 @@ product backend ResolvedRefs True ResolvedRefs
[Multi-tenancy]: ../deployment-mode#multi-tenancy
-[EnvoyProxy]: ../../api/extension_types#envoyproxy
+[EnvoyProxy]: ../../../api/extension_types#envoyproxy
## egctl experimental dashboard
diff --git a/site/content/en/latest/user/quickstart.md b/site/content/en/latest/user/quickstart.md
index c0850751c75..21a79c1ed5c 100644
--- a/site/content/en/latest/user/quickstart.md
+++ b/site/content/en/latest/user/quickstart.md
@@ -1,6 +1,7 @@
---
title: "Quickstart"
weight: 1
+description: Get started with Envoy Gateway in a few simple steps.
---
This guide will help you get started with Envoy Gateway in a few simple steps.
diff --git a/site/content/en/latest/user/security/_index.md b/site/content/en/latest/user/security/_index.md
new file mode 100644
index 00000000000..f469d0c55a5
--- /dev/null
+++ b/site/content/en/latest/user/security/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Security"
+weight: 2
+description: This section includes User Guides of Security.
+---
diff --git a/site/content/en/latest/user/basic-auth.md b/site/content/en/latest/user/security/basic-auth.md
similarity index 58%
rename from site/content/en/latest/user/basic-auth.md
rename to site/content/en/latest/user/security/basic-auth.md
index 2b96ddfe4bc..be165d2e0e2 100644
--- a/site/content/en/latest/user/basic-auth.md
+++ b/site/content/en/latest/user/security/basic-auth.md
@@ -12,7 +12,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT
## Prerequisites
-Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## Configuration
@@ -21,9 +21,58 @@ Envoy Gateway uses [.htpasswd][.htpasswd] format to store the username-password
The file must be stored in a kubernetes secret and referenced in the [SecurityPolicy][SecurityPolicy] configuration.
The secret is an Opaque secret, and the username-password pairs must be stored in the key ".htpasswd".
+### Create a root certificate
+
+Create a root certificate and private key to sign certificates:
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
+```
+
+### Create a certificate secret
+
+Create a certificate and a private key for `www.example.com`:
+
+```shell
+openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=example organization"
+openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt
+```
+
+### Create certificate
+
+```shell
+kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt
+```
+
+### Enable HTTPS
+Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `443` and references the
+`example-cert` Secret:
+
+```shell
+kubectl patch gateway eg --type=json --patch '[{
+ "op": "add",
+ "path": "/spec/listeners/-",
+ "value": {
+ "name": "https",
+ "protocol": "HTTPS",
+ "port": 443,
+ "tls": {
+ "mode": "Terminate",
+ "certificateRefs": [{
+ "kind": "Secret",
+ "group": "",
+ "name": "example-cert",
+ }],
+ },
+ },
+}]'
+```
+
### Create a .htpasswd file
First, create a [.htpasswd][.htpasswd] file with the username and password you want to use for authentication.
+Note: Please always use HTTPS with Basic Authentication. This prevents credentials from being transmitted in plain text.
+
The input password won't be saved, instead, a hash will be generated and saved in the output file. When a request
tries to access protected resources, the password in the "Authorization" HTTP header will be hashed and compared with the
saved hash.
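Review bot: The leaf certificate produced by the two `openssl` commands in this hunk carries no subjectAltName, and many modern TLS clients (browsers, Go since 1.15) ignore the Common Name and require a SAN, so the guide only works because the later test disables verification with `-k`. Adding `-addext "subjectAltName=DNS:www.example.com"` to the `openssl req` command (and `-copy_extensions copy` to the `openssl x509 -req` command on OpenSSL 3, or an `-extfile`) would make the certificate usable with verification enabled. The heading `### Create certificate` also mislabels the `kubectl create secret tls` step and collides with `### Create a certificate secret` just above it; `### Create the TLS Secret` would be clearer.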
@@ -31,23 +80,22 @@ saved hash.
Note: only SHA hash algorithm is supported for now.
```shell
-$ htpasswd -cbs .htpasswd foo bar
-Adding password for user foo
+htpasswd -cbs .htpasswd foo bar
```
You can also add more users to the file:
```shell
-$ htpasswd -bs .htpasswd foo1 bar1
+htpasswd -bs .htpasswd foo1 bar1
```
-### Create a kubernetes secret
+### Create a basic-auth secret
+
Next, create a kubernetes secret with the generated .htpasswd file in the previous step.
```shell
-$ kubectl create secret generic basic-auth --from-file=.htpasswd
-secret "basic-auth" created
+kubectl create secret generic basic-auth --from-file=.htpasswd
```
### Create a SecurityPolicy
@@ -80,7 +128,7 @@ kubectl get securitypolicy/basic-auth-example -o yaml
## Testing
-Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the
Quickstart instructions to set the variable.
```shell
@@ -96,13 +144,22 @@ curl -v -H "Host: www.example.com" "http://${GATEWAY_HOST}/"
You should see `401 Unauthorized` in the response, indicating that the request is not allowed without authentication.
```shell
+* Connected to 127.0.0.1 (127.0.0.1) port 443
...
-< HTTP/1.1 401 Unauthorized
+* Server certificate:
+* subject: CN=www.example.com; O=example organization
+* issuer: O=example Inc.; CN=example.com
+> GET / HTTP/2
+> Host: www.example.com
+> User-Agent: curl/8.6.0
+> Accept: */*
+...
+< HTTP/2 401
< content-length: 58
< content-type: text/plain
-< date: Tue, 28 Nov 2023 12:43:32 GMT
-< server: envoy
-<
+< date: Wed, 06 Mar 2024 15:59:36 GMT
+<
+
* Connection #0 to host 127.0.0.1 left intact
User authentication failed. Missing username and password.
```
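Review bot: The sample output added here (`Connected to ... port 443`, `Server certificate:`, `HTTP/2 401`) describes a TLS connection, but the command it illustrates, visible only as context in the hunk header, still requests `http://${GATEWAY_HOST}/`. If that command was not updated elsewhere in this commit, the unauthenticated example and its output no longer match; it should take the same HTTPS form as the authenticated request in the next section. The command itself is outside this hunk, so confirm against the full file.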
@@ -110,7 +167,7 @@ User authentication failed. Missing username and password.
Send a request to the backend service with `Authentication` header:
```shell
-curl -v -H "Host: www.example.com" -u 'foo:bar' "http://${GATEWAY_HOST}/"
+curl -kv -H "Host: www.example.com" -u 'foo:bar' "https://${GATEWAY_HOST}/"
```
The request should be allowed and you should see the response from the backend service.
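Review bot: `curl -kv` on the new line disables certificate verification, which hides exactly the TLS failures a reader would hit with their own certificate and demonstrates a habit that should not reach production. Since the guide created the signing certificate a few steps earlier, the request can be verified instead: `curl -v --cacert example.com.crt --resolve "www.example.com:443:${GATEWAY_HOST}" -u 'foo:bar' https://www.example.com/`. If `-k` is kept, a sentence stating that it is acceptable only for this self-signed demo is worth adding next to the new "always use HTTPS" note.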
@@ -119,20 +176,21 @@ The request should be allowed and you should see the response from the backend s
## Clean-Up
-Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest.
Delete the SecurityPolicy and the secret
```shell
kubectl delete securitypolicy/basic-auth-example
kubectl delete secret/basic-auth
+kubectl delete secret/example-cert
```
## Next Steps
-Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
+Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project.
-[SecurityPolicy]: ../../design/security-policy/
+[SecurityPolicy]: ../../../design/security-policy/
[http Basic authentication]: https://tools.ietf.org/html/rfc2617
[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
diff --git a/site/content/en/latest/user/cors.md b/site/content/en/latest/user/security/cors.md
similarity index 90%
rename from site/content/en/latest/user/cors.md
rename to site/content/en/latest/user/security/cors.md
index 886d795a66a..184b566afd1 100644
--- a/site/content/en/latest/user/cors.md
+++ b/site/content/en/latest/user/security/cors.md
@@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT
## Prerequisites
-Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## Configuration
@@ -57,7 +57,7 @@ kubectl get securitypolicy/cors-example -o yaml
## Testing
-Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the
Quickstart instructions to set the variable.
```shell
@@ -122,7 +122,7 @@ filter to work. Otherwise, the OPTIONS request won't match the routes and the CO
## Clean-Up
-Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest.
Delete the SecurityPolicy:
@@ -132,9 +132,9 @@ kubectl delete securitypolicy/cors-example
## Next Steps
-Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
+Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project.
-[SecurityPolicy]: ../../design/security-policy/
+[SecurityPolicy]: ../../../design/security-policy/
[cors]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
diff --git a/site/content/en/latest/user/jwt-authentication.md b/site/content/en/latest/user/security/jwt-authentication.md
similarity index 91%
rename from site/content/en/latest/user/jwt-authentication.md
rename to site/content/en/latest/user/security/jwt-authentication.md
index 368b6af9d09..a4897302979 100644
--- a/site/content/en/latest/user/jwt-authentication.md
+++ b/site/content/en/latest/user/security/jwt-authentication.md
@@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT
## Prerequisites
-Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
For GRPC - follow the steps from the [GRPC Routing](../grpc-routing) example.
Before proceeding, you should be able to query the example backend using HTTP or GRPC.
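Review bot: The `[GRPC Routing](../grpc-routing)` link on the context line right after the edited Quickstart link is left untouched, but this file now lives under `security/` while the same commit moves grpc-routing.md to `traffic/`, so the relative link resolves to a page that no longer exists. It should become `[GRPC Routing](../../traffic/grpc-routing)`, matching the `../../quickstart` depth used on the changed line.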
@@ -71,7 +71,7 @@ kubectl get securitypolicy/jwt-example -o yaml
## Testing
-Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the
Quickstart instructions to set the variable.
```shell
@@ -150,7 +150,7 @@ You should see the below response
## Clean-Up
-Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest.
Delete the SecurityPolicy:
@@ -160,9 +160,9 @@ kubectl delete securitypolicy/jwt-example
## Next Steps
-Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
+Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project.
-[SecurityPolicy]: ../../design/security-policy/
+[SecurityPolicy]: ../../../design/security-policy/
[jwt]: https://tools.ietf.org/html/rfc7519
[jwks]: https://tools.ietf.org/html/rfc7517
[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
diff --git a/site/content/en/latest/user/oidc.md b/site/content/en/latest/user/security/oidc.md
similarity index 92%
rename from site/content/en/latest/user/oidc.md
rename to site/content/en/latest/user/security/oidc.md
index 6d4deba8efd..adf85206006 100644
--- a/site/content/en/latest/user/oidc.md
+++ b/site/content/en/latest/user/security/oidc.md
@@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute]
## Prerequisites
-Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
OIDC authentication requires the redirect URL to be HTTPS. Follow the [Secure Gateways](../secure-gateways) guide
@@ -110,7 +110,7 @@ successfully login, you should see the response from the backend service.
## Clean-Up
-Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest.
Delete the SecurityPolicy and the secret:
@@ -121,10 +121,10 @@ kubectl delete secret/my-app-client-secret
## Next Steps
-Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
+Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project.
[oidc]: https://openid.net/connect/
[google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect
-[SecurityPolicy]: ../../design/security-policy/
+[SecurityPolicy]: ../../../design/security-policy/
[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
diff --git a/site/content/en/latest/user/secure-gateways.md b/site/content/en/latest/user/security/secure-gateways.md
similarity index 96%
rename from site/content/en/latest/user/secure-gateways.md
rename to site/content/en/latest/user/security/secure-gateways.md
index 805aeb8b1a6..70a3049289b 100644
--- a/site/content/en/latest/user/secure-gateways.md
+++ b/site/content/en/latest/user/security/secure-gateways.md
@@ -11,7 +11,7 @@ testing and demonstration purposes only.
## Installation
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## TLS Certificates
@@ -242,7 +242,7 @@ Lastly, test connectivity using the above [Testing section](#testing).
## Clean-Up
-Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway and the example manifest.
Delete the Secrets:
@@ -257,7 +257,7 @@ This section gives a walkthrough to generate RSA and ECDSA derived certificates
## Prerequisites
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
Follow the steps in the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic.
@@ -369,7 +369,7 @@ This sections gives a walkthrough to generate multiple certificates correspondin
## Prerequisites
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
Follow the steps in the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic.
@@ -450,6 +450,6 @@ Refer to the steps mentioned earlier in the guide under [Testing in clusters wit
## Next Steps
-Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
+Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project.
[ReferenceGrant]: https://gateway-api.sigs.k8s.io/api-types/referencegrant/
diff --git a/site/content/en/latest/user/tls-cert-manager.md b/site/content/en/latest/user/security/tls-cert-manager.md
similarity index 99%
rename from site/content/en/latest/user/tls-cert-manager.md
rename to site/content/en/latest/user/security/tls-cert-manager.md
index d3077a86bd0..690a5e02e04 100644
--- a/site/content/en/latest/user/tls-cert-manager.md
+++ b/site/content/en/latest/user/security/tls-cert-manager.md
@@ -18,7 +18,7 @@ Changing to the Let's Encrypt production environment is straight-forward after t
## Installation
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## Deploying cert-manager
diff --git a/site/content/en/latest/user/tls-passthrough.md b/site/content/en/latest/user/security/tls-passthrough.md
similarity index 91%
rename from site/content/en/latest/user/tls-passthrough.md
rename to site/content/en/latest/user/security/tls-passthrough.md
index 34af20e5dce..f732b71236b 100644
--- a/site/content/en/latest/user/tls-passthrough.md
+++ b/site/content/en/latest/user/security/tls-passthrough.md
@@ -12,7 +12,7 @@ to terminate the TLS connection, while the Gateway routes the requests to the ap
## Installation
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## TLS Certificates
@@ -106,7 +106,7 @@ curl -v -HHost:passthrough.example.com --resolve "passthrough.example.com:6443:$
## Clean-Up
-Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway and the example manifest.
Delete the Secret:
@@ -116,4 +116,4 @@ kubectl delete secret/server-certs
## Next Steps
-Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
+Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project.
diff --git a/site/content/en/latest/user/tls-termination.md b/site/content/en/latest/user/security/tls-termination.md
similarity index 96%
rename from site/content/en/latest/user/tls-termination.md
rename to site/content/en/latest/user/security/tls-termination.md
index eb0d2d6932c..1c75b40e6db 100644
--- a/site/content/en/latest/user/tls-termination.md
+++ b/site/content/en/latest/user/security/tls-termination.md
@@ -10,7 +10,7 @@ This guide will walk through the steps required to configure TLS Terminate mode
## Installation
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway.
## TLS Certificates
Generate the certificates and keys used by the Gateway to terminate client TLS connections.
diff --git a/site/content/en/latest/user/traffic/_index.md b/site/content/en/latest/user/traffic/_index.md
new file mode 100644
index 00000000000..87e84e04907
--- /dev/null
+++ b/site/content/en/latest/user/traffic/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Traffic"
+weight: 1
+description: This section includes User Guides of Traffic Management.
+---
diff --git a/site/content/en/latest/user/circuit-breaker.md b/site/content/en/latest/user/traffic/circuit-breaker.md
similarity index 70%
rename from site/content/en/latest/user/circuit-breaker.md
rename to site/content/en/latest/user/traffic/circuit-breaker.md
index 9247d179955..2a797fc24c4 100644
--- a/site/content/en/latest/user/circuit-breaker.md
+++ b/site/content/en/latest/user/traffic/circuit-breaker.md
@@ -20,109 +20,17 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP
### Install Envoy Gateway
-* Follow the installation step from the [Quickstart Guide](../quickstart) to install Envoy Gateway. There is no need to apply the quickstart manifests.
-
-### Install the httpbin backend
-
-* We will use the [Httpbin project] as a backend in order to simulate a degraded service that responds slowly. Install `httpbin` and other Envoy Gateway resources (`GatewayClass`, `Gateway`, `HTTPRoute`) by applying the following manifests:
-
-```shell
-cat < GET /get HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.4.0
+> Accept: */*
+> Content-Length: 10000
+>
+< HTTP/1.1 408 Request Timeout
+< content-length: 15
+< content-type: text/plain
+< date: Tue, 27 Feb 2024 07:38:27 GMT
+< connection: close
+<
+* Closing connection
+request timeout
+```
+
+[ClientTrafficPolicy]: ../../../api/extension_types#clienttrafficpolicy
+[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy
diff --git a/site/content/en/latest/user/fault-injection.md b/site/content/en/latest/user/traffic/fault-injection.md
similarity index 94%
rename from site/content/en/latest/user/fault-injection.md
rename to site/content/en/latest/user/traffic/fault-injection.md
index 0c2a366447a..c033d12aed3 100644
--- a/site/content/en/latest/user/fault-injection.md
+++ b/site/content/en/latest/user/traffic/fault-injection.md
@@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP
## Prerequisites
-Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
For GRPC - follow the steps from the [GRPC Routing](../grpc-routing) example.
Before proceeding, you should be able to query the example backend using HTTP or GRPC.
@@ -170,7 +170,7 @@ kubectl get backendtrafficpolicy/fault-injection-abort -o yaml
## Testing
-Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the
Quickstart instructions to set the variable.
```shell
@@ -238,7 +238,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = fa
## Clean-Up
-Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest.
Delete the BackendTrafficPolicy:
@@ -247,7 +247,7 @@ kubectl delete BackendTrafficPolicy/fault-injection-abort
```
[Envoy fault injection]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/fault_filter.html
-[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy
+[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy
[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/
[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/
diff --git a/site/content/en/latest/user/gateway-address.md b/site/content/en/latest/user/traffic/gateway-address.md
similarity index 93%
rename from site/content/en/latest/user/gateway-address.md
rename to site/content/en/latest/user/traffic/gateway-address.md
index b87b19ec805..d211d315c1a 100644
--- a/site/content/en/latest/user/gateway-address.md
+++ b/site/content/en/latest/user/traffic/gateway-address.md
@@ -10,7 +10,7 @@ Depending on the Service Type, the addresses of gateway can be used as:
## Prerequisites
-Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
## External IPs
@@ -62,4 +62,4 @@ this will __require__ the address to be of type `IPAddress` and the [ServiceType
[Addresses]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayAddress
[External IPs]: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
[Cluster IP]: https://kubernetes.io/docs/concepts/services-networking/service/#type-clusterip
-[ServiceType]: ../../api/extension_types#servicetype
+[ServiceType]: ../../../api/extension_types#servicetype
diff --git a/site/content/en/latest/user/gatewayapi-support.md b/site/content/en/latest/user/traffic/gatewayapi-support.md
similarity index 98%
rename from site/content/en/latest/user/gatewayapi-support.md
rename to site/content/en/latest/user/traffic/gatewayapi-support.md
index a8d27dd6a36..e8d34d43b17 100644
--- a/site/content/en/latest/user/gatewayapi-support.md
+++ b/site/content/en/latest/user/traffic/gatewayapi-support.md
@@ -94,7 +94,7 @@ these types of cross-namespace references. Envoy Gateway supports the following
namespace.
- Allowing a Gateway's [SecretObjectReference][] to reference a secret in a different namespace.
-[system design]: ../../design/system-design/
+[system design]: ../../../design/system-design/
[Gateway API]: https://gateway-api.sigs.k8s.io/
[GatewayClass]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass
[parameters reference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ParametersReference
@@ -112,7 +112,7 @@ these types of cross-namespace references. Envoy Gateway supports the following
[SecretObjectReference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SecretObjectReference
[rate limiting]: ../rate-limit/
[request authentication]: ../jwt-authentication/
-[EnvoyProxy]: ../../api/extension_types#envoyproxy
+[EnvoyProxy]: ../../../api/extension_types#envoyproxy
[resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts
[ExtensionRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilterType
[grpc-filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter
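Review bot: `[request authentication]: ../jwt-authentication/` on the context line above the edited EnvoyProxy reference still points to a sibling page, but gatewayapi-support.md now lives under `traffic/` and jwt-authentication.md is moved to `security/` in this same commit, so the reference breaks. It should read `[request authentication]: ../../security/jwt-authentication/`. `[rate limiting]: ../rate-limit/` is probably affected too, since no `rate-limit.md` appears among the moved files (global-rate-limit.md does); worth checking which page it is meant to target.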
diff --git a/site/content/en/latest/user/global-rate-limit.md b/site/content/en/latest/user/traffic/global-rate-limit.md
similarity index 99%
rename from site/content/en/latest/user/global-rate-limit.md
rename to site/content/en/latest/user/traffic/global-rate-limit.md
index 1c44b356b13..6a67a9573fe 100644
--- a/site/content/en/latest/user/global-rate-limit.md
+++ b/site/content/en/latest/user/traffic/global-rate-limit.md
@@ -27,7 +27,7 @@ has its own 100r/s rate limit bucket.
### Install Envoy Gateway
-* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
+* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
### Install Redis
@@ -825,7 +825,7 @@ kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting
[Local rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/local_rate_limiting
-[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy
+[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy
[Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit
[EnvoyGateway]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoygateway
[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/
diff --git a/site/content/en/latest/user/grpc-routing.md b/site/content/en/latest/user/traffic/grpc-routing.md
similarity index 94%
rename from site/content/en/latest/user/grpc-routing.md
rename to site/content/en/latest/user/traffic/grpc-routing.md
index 5dca26744bc..0d6ccb963be 100644
--- a/site/content/en/latest/user/grpc-routing.md
+++ b/site/content/en/latest/user/traffic/grpc-routing.md
@@ -7,17 +7,8 @@ To learn more about gRPC routing, refer to the [Gateway API documentation][].
## Prerequisites
-Install Envoy Gateway:
-
-```shell
-helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace
-```
-
-Wait for Envoy Gateway to become available:
-
-```shell
-kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
-```
+Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
## Installation
diff --git a/site/content/en/latest/user/http-redirect.md b/site/content/en/latest/user/traffic/http-redirect.md
similarity index 98%
rename from site/content/en/latest/user/http-redirect.md
rename to site/content/en/latest/user/traffic/http-redirect.md
index 1ef88e53fa3..ac6a3aceb18 100644
--- a/site/content/en/latest/user/http-redirect.md
+++ b/site/content/en/latest/user/traffic/http-redirect.md
@@ -9,7 +9,7 @@ learn more about HTTP routing, refer to the [Gateway API documentation][].
## Prerequisites
-Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTPS.
## Redirects
diff --git a/site/content/en/latest/user/http-request-headers.md b/site/content/en/latest/user/traffic/http-request-headers.md
similarity index 98%
rename from site/content/en/latest/user/http-request-headers.md
rename to site/content/en/latest/user/traffic/http-request-headers.md
index 25b675a16d7..af946da719e 100644
--- a/site/content/en/latest/user/http-request-headers.md
+++ b/site/content/en/latest/user/traffic/http-request-headers.md
@@ -14,7 +14,7 @@ client.
## Prerequisites
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## Adding Request Headers
diff --git a/site/content/en/latest/user/http-request-mirroring.md b/site/content/en/latest/user/traffic/http-request-mirroring.md
similarity index 98%
rename from site/content/en/latest/user/http-request-mirroring.md
rename to site/content/en/latest/user/traffic/http-request-mirroring.md
index 95d3d0cfa54..0398cf3780b 100644
--- a/site/content/en/latest/user/http-request-mirroring.md
+++ b/site/content/en/latest/user/traffic/http-request-mirroring.md
@@ -57,7 +57,7 @@ spec:
spec:
serviceAccountName: backend-2
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend-2
ports:
@@ -244,7 +244,7 @@ EOF
Error from server: error when creating "STDIN": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.rules[0].filters: Invalid value: "RequestMirror": cannot be used multiple times in the same rule
```
-[Quickstart Guide]: ../quickstart/
+[Quickstart Guide]: ../../quickstart/
[Traffic Splitting]: ../http-traffic-splitting/
[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
[backendRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef
diff --git a/site/content/en/latest/user/http-response-headers.md b/site/content/en/latest/user/traffic/http-response-headers.md
similarity index 98%
rename from site/content/en/latest/user/http-response-headers.md
rename to site/content/en/latest/user/traffic/http-response-headers.md
index 76cf33362b4..13efc8af19a 100644
--- a/site/content/en/latest/user/http-response-headers.md
+++ b/site/content/en/latest/user/traffic/http-response-headers.md
@@ -12,7 +12,7 @@ upstream service.
## Prerequisites
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## Adding Response Headers
diff --git a/site/content/en/latest/user/http-routing.md b/site/content/en/latest/user/traffic/http-routing.md
similarity index 63%
rename from site/content/en/latest/user/http-routing.md
rename to site/content/en/latest/user/traffic/http-routing.md
index 4d710c8a047..82d3609f91f 100644
--- a/site/content/en/latest/user/http-routing.md
+++ b/site/content/en/latest/user/traffic/http-routing.md
@@ -9,17 +9,8 @@ Services. To learn more about HTTP routing, refer to the [Gateway API documentat
## Prerequisites
-Install Envoy Gateway:
-
-```shell
-helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace
-```
-
-Wait for Envoy Gateway to become available:
-
-```shell
-kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
-```
+Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
## Installation
@@ -129,6 +120,107 @@ curl -vvv --header "Host: bar.example.com" --header "env: canary" "http://${GATE
A `200` status code should be returned and the body should include `"pod": "bar-canary-backend-*"` indicating the
traffic was routed to the foo backend service.
+### JWT Claims Based Routing
+
+Users can route to a specific backend by matching on JWT claims.
+This can be achieved, by defining a SecurityPolicy with a jwt configuration that does the following
+* Converts jwt claims to headers, which can be used for header based routing
+* Sets the recomputeRoute field to `true`. This is required so that the incoming request matches on a fallback/catch all route where the JWT can be authenticated, the claims from the JWT can be converted to headers, and then the route match can be recomputed to match based on the updated headers.
+
+For this feature to work please make sure
+* you have a fallback route rule defined, the backend for this route rule can be invalid.
+* The SecurityPolicy is applied to both the fallback route as well as the route with the claim header matches, to avoid spoofing.
+
+```shell
+cat <= BackendRequest duration
+
+## Installation
+
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+## Verification
+
+backend has the ability to delay responses; we use it as the backend to control response time.
+
+### request timeout
+We configure the backend to delay responses by 3 seconds, then we set the request timeout to 4 seconds. Envoy Gateway will successfully respond to the request.
+
+```shell
+cat < GET /?delay=3s HTTP/1.1
+> Host: timeout.example.com
+> User-Agent: curl/8.6.0
+> Accept: */*
+>
+
+
+< HTTP/1.1 504 Gateway Timeout
+< content-length: 24
+< content-type: text/plain
+< date: Mon, 04 Mar 2024 02:35:03 GMT
+<
+* Connection #0 to host 127.0.0.1 left intact
+upstream request timeout
+```
+
+[HTTPRouteTimeouts]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteTimeouts
+[HTTPRouteRule]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule
diff --git a/site/content/en/latest/user/http-traffic-splitting.md b/site/content/en/latest/user/traffic/http-traffic-splitting.md
similarity index 97%
rename from site/content/en/latest/user/http-traffic-splitting.md
rename to site/content/en/latest/user/traffic/http-traffic-splitting.md
index 49e6ca89c2f..ef240753ad8 100644
--- a/site/content/en/latest/user/http-traffic-splitting.md
+++ b/site/content/en/latest/user/traffic/http-traffic-splitting.md
@@ -8,7 +8,7 @@ with status code `500` for all requests that would have been sent to that backen
## Installation
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## Single backendRef
@@ -128,7 +128,7 @@ spec:
spec:
serviceAccountName: backend-2
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend-2
ports:
diff --git a/site/content/en/latest/user/http-urlrewrite.md b/site/content/en/latest/user/traffic/http-urlrewrite.md
similarity index 98%
rename from site/content/en/latest/user/http-urlrewrite.md
rename to site/content/en/latest/user/traffic/http-urlrewrite.md
index 945a24a7a44..062f6086392 100644
--- a/site/content/en/latest/user/http-urlrewrite.md
+++ b/site/content/en/latest/user/traffic/http-urlrewrite.md
@@ -7,7 +7,7 @@ used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequ
## Prerequisites
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## Rewrite URL Prefix Path
diff --git a/site/content/en/latest/user/http3.md b/site/content/en/latest/user/traffic/http3.md
similarity index 100%
rename from site/content/en/latest/user/http3.md
rename to site/content/en/latest/user/traffic/http3.md
diff --git a/site/content/en/latest/user/local-rate-limit.md b/site/content/en/latest/user/traffic/local-rate-limit.md
similarity index 97%
rename from site/content/en/latest/user/local-rate-limit.md
rename to site/content/en/latest/user/traffic/local-rate-limit.md
index 633d198015e..822e2dd5e56 100644
--- a/site/content/en/latest/user/local-rate-limit.md
+++ b/site/content/en/latest/user/traffic/local-rate-limit.md
@@ -28,7 +28,7 @@ has its own 100r/s rate limit bucket.
### Install Envoy Gateway
-* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
+* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
Before proceeding, you should be able to query the example backend using HTTP.
## Rate Limit Specific User
@@ -276,7 +276,7 @@ you should use [Global Rate Limiting][].
[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting
[Local rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/local_rate_limiting
-[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy
+[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy
[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/
[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/
diff --git a/site/content/en/latest/user/multicluster-service.md b/site/content/en/latest/user/traffic/multicluster-service.md
similarity index 100%
rename from site/content/en/latest/user/multicluster-service.md
rename to site/content/en/latest/user/traffic/multicluster-service.md
diff --git a/site/content/en/latest/user/traffic/retry.md b/site/content/en/latest/user/traffic/retry.md
new file mode 100644
index 00000000000..ad40202a107
--- /dev/null
+++ b/site/content/en/latest/user/traffic/retry.md
@@ -0,0 +1,110 @@
+---
+title: Retry
+---
+
+A retry setting specifies the maximum number of times an Envoy proxy attempts to connect to a service if the initial call fails. Retries can enhance service availability and application performance by making sure that calls don’t fail permanently because of transient problems such as a temporarily overloaded service or network. The interval between retries prevents the called service from being overwhelmed with requests.
+
+Envoy Gateway supports the following retry settings:
+- **NumRetries**: is the number of retries to be attempted. Defaults to 2.
+- **RetryOn**: specifies the retry trigger condition.
+- **PerRetryPolicy**: is the retry policy to be applied per retry attempt.
+
+Envoy Gateway introduces a new CRD called [BackendTrafficPolicy](../../../api/extension_types#backendtrafficpolicy) that allows the user to describe their desired retry settings. This instantiated resource can be linked to a [Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/), [HTTPRoute](https://gateway-api.sigs.k8s.io/api-types/httproute/) or [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/) resource.
+
+**Note**: There are distinct circuit breaker counters for each `BackendReference` in an `xRoute` rule. Even if a `BackendTrafficPolicy` targets a `Gateway`, each `BackendReference` in that gateway still has separate circuit breaker counter.
+
+## Prerequisites
+
+Follow the installation step from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and sample resources.
+
+## Test and customize retry settings
+
+Before applying a `BackendTrafficPolicy` with retry setting to a route, let's test the default retry settings.
+
+```shell
+curl -v -H "Host: www.example.com" "http://${GATEWAY_HOST}/status/500"
+```
+
+It will return `500` response immediately.
+
+```console
+* Trying 172.18.255.200:80...
+* Connected to 172.18.255.200 (172.18.255.200) port 80
+> GET /status/500 HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.4.0
+> Accept: */*
+>
+< HTTP/1.1 500 Internal Server Error
+< date: Fri, 01 Mar 2024 15:12:55 GMT
+< content-length: 0
+<
+* Connection #0 to host 172.18.255.200 left intact
+```
+
+Let's create a `BackendTrafficPolicy` with a retry setting.
+
+The request will be retried 5 times with a 100ms base interval and a 10s maximum interval.
+
+```shell
+cat < GET /status/500 HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.4.0
+> Accept: */*
+>
+< HTTP/1.1 500 Internal Server Error
+< date: Fri, 01 Mar 2024 15:15:53 GMT
+< content-length: 0
+<
+* Connection #0 to host 172.18.255.200 left intact
+```
+
+Let's check the stats to see the retry behavior.
+
+```shell
+egctl x stats envoy-proxy -n envoy-gateway-system -l gateway.envoyproxy.io/owning-gateway-name=eg,gateway.envoyproxy.io/owning-gateway-namespace=default | grep "envoy_cluster_upstream_rq_retry{envoy_cluster_name=\"httproute/default/backend/rule/0\"}"
+```
+
+You will expect to see the stats.
+
+```console
+envoy_cluster_upstream_rq_retry{envoy_cluster_name="httproute/default/backend/rule/0"} 5
+```
diff --git a/site/content/en/latest/user/tcp-routing.md b/site/content/en/latest/user/traffic/tcp-routing.md
similarity index 92%
rename from site/content/en/latest/user/tcp-routing.md
rename to site/content/en/latest/user/traffic/tcp-routing.md
index d51c845f206..854522c7b98 100644
--- a/site/content/en/latest/user/tcp-routing.md
+++ b/site/content/en/latest/user/traffic/tcp-routing.md
@@ -8,17 +8,8 @@ HTTP routing, refer to the [Gateway API documentation][].
## Installation
-Install Envoy Gateway:
-
-```shell
-helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace
-```
-
-Wait for Envoy Gateway to become available:
-
-```shell
-kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
-```
+Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
## Configuration
@@ -112,7 +103,7 @@ spec:
version: v1
spec:
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend-1
ports:
@@ -146,7 +137,7 @@ spec:
version: v1
spec:
containers:
- - image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend-2
ports:
diff --git a/site/content/en/latest/user/udp-routing.md b/site/content/en/latest/user/traffic/udp-routing.md
similarity index 87%
rename from site/content/en/latest/user/udp-routing.md
rename to site/content/en/latest/user/traffic/udp-routing.md
index 73a03c8aac0..521d0b41acc 100644
--- a/site/content/en/latest/user/udp-routing.md
+++ b/site/content/en/latest/user/traffic/udp-routing.md
@@ -12,22 +12,13 @@ For additional information, refer to Envoy's [UDP proxy documentation][].
## Prerequisites
-Install Envoy Gateway:
-
-```shell
-helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace
-```
-
-Wait for Envoy Gateway to become available:
-
-```shell
-kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
-```
+Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
## Installation
Install CoreDNS in the Kubernetes cluster as the example backend. The installed CoreDNS is listening on
- UDP port 53 for DNS lookups.
+UDP port 53 for DNS lookups.
```shell
kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/udp-routing-example-backend.yaml
@@ -137,7 +128,7 @@ _udp.foo.bar.com. 0 IN SRV 0 0 42376 .
## Clean-Up
-Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway.
+Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway.
Delete the CoreDNS example manifest and the UDPRoute:
@@ -150,7 +141,7 @@ kubectl delete udproute/coredns
## Next Steps
-Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
+Checkout the [Developer Guide](../../../contributions/develop/) to get involved in the project.
[UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute
[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy
diff --git a/test/cel-validation/backendtrafficpolicy_test.go b/test/cel-validation/backendtrafficpolicy_test.go
index 947b88b970c..206fcf9fc70 100644
--- a/test/cel-validation/backendtrafficpolicy_test.go
+++ b/test/cel-validation/backendtrafficpolicy_test.go
@@ -450,13 +450,14 @@ func TestBackendTrafficPolicyTarget(t *testing.T) {
MaxConnections: valMax,
MaxPendingRequests: valMin,
MaxParallelRequests: nil,
+ MaxParallelRetries: nil,
},
}
},
wantErrors: []string{},
},
{
- desc: " invalid config: min and max valyues",
+ desc: " invalid config: min and max values",
mutate: func(btp *egv1a1.BackendTrafficPolicy) {
valOverMax := pointer.Int64(4294967296)
valUnderMin := pointer.Int64(-1)
@@ -473,10 +474,12 @@ func TestBackendTrafficPolicyTarget(t *testing.T) {
MaxPendingRequests: valUnderMin,
MaxParallelRequests: valOverMax,
MaxRequestsPerConnection: valUnderMin,
+ MaxParallelRetries: valOverMax,
},
}
},
wantErrors: []string{
+ "spec.circuitBreaker.MaxParallelRetries: Invalid value: 4294967296: spec.circuitBreaker.MaxParallelRetries in body should be less than or equal to 4294967295",
"spec.circuitBreaker.maxRequestsPerConnection: Invalid value: -1: spec.circuitBreaker.maxRequestsPerConnection in body should be greater than or equal to 0",
"spec.circuitBreaker.maxParallelRequests: Invalid value: 4294967296: spec.circuitBreaker.maxParallelRequests in body should be less than or equal to 4294967295",
"spec.circuitBreaker.maxPendingRequests: Invalid value: -1: spec.circuitBreaker.maxPendingRequests in body should be greater than or equal to 0",
diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml
index 73131cd9913..9b401cda00d 100644
--- a/test/e2e/base/manifests.yaml
+++ b/test/e2e/base/manifests.yaml
@@ -115,8 +115,8 @@ spec:
spec:
containers:
- name: infra-backend-v1
- # From https://github.com/kubernetes-sigs/ingress-controller-conformance/tree/master/images/echoserver
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ # From https://github.com/kubernetes-sigs/gateway-api/blob/main/conformance/echo-basic/echo-basic.go
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
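Review bot: The new `image:` reference is a mutable tag on a staging registry (`gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-...`); as far as I know staging registries carry no retention guarantee and a tag can be re-pushed, so the e2e baseline can drift or vanish without any change to this file. Pinning by digest, `image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e@sha256:<digest>`, or switching to the promoted `registry.k8s.io/gateway-api/echo-basic` image once it is published, keeps the fixture reproducible. The identical reference is repeated for every backend in this manifest, so a single documented digest (or a kustomize image override) would avoid the seven-way copy the next time it is bumped.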
@@ -126,6 +126,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ - name: SERVICE_NAME
+ value: infra-backend-v1
resources:
requests:
cpu: 10m
@@ -162,7 +164,7 @@ spec:
spec:
containers:
- name: infra-backend-v2
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
@@ -172,6 +174,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ - name: SERVICE_NAME
+ value: infra-backend-v2
resources:
requests:
cpu: 10m
@@ -208,7 +212,7 @@ spec:
spec:
containers:
- name: infra-backend-v3
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
@@ -218,6 +222,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ - name: SERVICE_NAME
+ value: infra-backend-v3
resources:
requests:
cpu: 10m
@@ -254,7 +260,7 @@ spec:
spec:
containers:
- name: tls-backend
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
volumeMounts:
- name: secret-volume
mountPath: /etc/secret-volume
@@ -267,6 +273,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ - name: SERVICE_NAME
+ value: tls-backend
- name: TLS_SERVER_CERT
value: /etc/secret-volume/crt
- name: TLS_SERVER_PRIVKEY
@@ -323,7 +331,7 @@ spec:
spec:
containers:
- name: app-backend-v1
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
@@ -333,6 +341,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ - name: SERVICE_NAME
+ value: app-backend-v1
resources:
requests:
cpu: 10m
@@ -369,7 +379,7 @@ spec:
spec:
containers:
- name: app-backend-v2
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
@@ -379,6 +389,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ - name: SERVICE_NAME
+ value: app-backend-v2
resources:
requests:
cpu: 10m
@@ -422,7 +434,7 @@ spec:
spec:
containers:
- name: web-backend
- image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+ image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
env:
- name: POD_NAME
valueFrom:
@@ -432,6 +444,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ - name: SERVICE_NAME
+ value: web-backend
resources:
requests:
cpu: 10m
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 036a24daf97..3b11afc5b73 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -31,22 +31,27 @@ func TestE2E(t *testing.T) {
cfg, err := config.GetConfig()
require.NoError(t, err)
- client, err := client.New(cfg, client.Options{})
+ c, err := client.New(cfg, client.Options{})
require.NoError(t, err)
-
- require.NoError(t, gwapiv1a2.AddToScheme(client.Scheme()))
- require.NoError(t, gwapiv1.AddToScheme(client.Scheme()))
- require.NoError(t, egv1a1.AddToScheme(client.Scheme()))
-
- t.Logf("Running E2E tests with %s GatewayClass\n cleanup: %t\n debug: %t\n supported features: [%v]\n exempt features: [%v]",
- *flags.GatewayClassName, *flags.CleanupBaseResources, *flags.ShowDebug, *flags.SupportedFeatures, *flags.ExemptFeatures)
+ require.NoError(t, gwapiv1a2.AddToScheme(c.Scheme()))
+ require.NoError(t, gwapiv1.AddToScheme(c.Scheme()))
+ require.NoError(t, egv1a1.AddToScheme(c.Scheme()))
+
+ if flags.RunTest != nil && *flags.RunTest != "" {
+ t.Logf("Running E2E test %s with %s GatewayClass\n cleanup: %t\n debug: %t",
+ *flags.RunTest, *flags.GatewayClassName, *flags.CleanupBaseResources, *flags.ShowDebug)
+ } else {
+ t.Logf("Running E2E tests with %s GatewayClass\n cleanup: %t\n debug: %t",
+ *flags.GatewayClassName, *flags.CleanupBaseResources, *flags.ShowDebug)
+ }
cSuite := suite.New(suite.Options{
- Client: client,
+ Client: c,
GatewayClassName: *flags.GatewayClassName,
Debug: *flags.ShowDebug,
CleanupBaseResources: *flags.CleanupBaseResources,
FS: &Manifests,
+ RunTest: *flags.RunTest,
})
cSuite.Setup(t)
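Review bot: The nil check on `flags.RunTest` in the new `if` is contradicted by the unconditional `*flags.RunTest` dereference in the `suite.Options` literal a few lines below: if `flags.RunTest` can ever be nil, the test panics before `cSuite.Setup`; if it cannot (a `flag.String` result never is), the nil guard is dead code that misleads the reader. Pick one: `if *flags.RunTest != "" {` for the log branch, or compute a local `runTest` that defaults to `""` when `flags.RunTest` is nil and pass `RunTest: runTest`. The rename from `client` to `c` also stops the local from shadowing the imported `client` package, which is worth a word in the commit message since it is the only reason for the otherwise no-op churn. `TestE2E` starts and ends outside this hunk.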
diff --git a/test/e2e/testdata/backend-upgrade.yaml b/test/e2e/testdata/backend-upgrade.yaml
new file mode 100644
index 00000000000..e708342406d
--- /dev/null
+++ b/test/e2e/testdata/backend-upgrade.yaml
@@ -0,0 +1,38 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: BackendTrafficPolicy
+metadata:
+ name: backend-upgrade-example
+ namespace: gateway-conformance-infra
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: http-backend-upgrade
+ namespace: gateway-conformance-infra
+ circuitBreaker:
+ maxParallelRequests: 10000
+ maxConnections: 10000
+ maxPendingRequests: 10000
+ retry:
+ retryOn:
+ triggers:
+ - connect-failure
+ - reset
+ numRetries: 10
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-backend-upgrade
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /backend-upgrade
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
diff --git a/test/e2e/testdata/circuitbreaker.yaml b/test/e2e/testdata/circuitbreaker.yaml
index 12557e7ef1a..912c041cf80 100644
--- a/test/e2e/testdata/circuitbreaker.yaml
+++ b/test/e2e/testdata/circuitbreaker.yaml
@@ -11,7 +11,7 @@ spec:
namespace: gateway-conformance-infra
circuitBreaker:
maxConnections: 0
- maxRequests: 0
+ maxParallelRequests: 0
maxPendingRequests: 0
---
apiVersion: gateway.networking.k8s.io/v1
diff --git a/test/e2e/testdata/jwt.yaml b/test/e2e/testdata/jwt.yaml
new file mode 100644
index 00000000000..01cb370651d
--- /dev/null
+++ b/test/e2e/testdata/jwt.yaml
@@ -0,0 +1,61 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: jwt-example
+ namespace: gateway-conformance-infra
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: jwt-claim-routing
+ jwt:
+ providers:
+ - name: example
+ recomputeRoute: true
+ claimToHeaders:
+ - claim: sub
+ header: x-sub
+ - claim: admin
+ header: x-admin
+ - claim: name
+ header: x-name
+ remoteJWKS:
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: jwt-claim-routing
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: infra-backend-v1
+ port: 8080
+ weight: 1
+ matches:
+ - headers:
+ - name: x-name
+ value: John Doe
+ - backendRefs:
+ - kind: Service
+ name: infra-backend-v2
+ port: 8080
+ weight: 1
+ matches:
+ - headers:
+ - name: x-name
+ value: Tom
+ # catch all
+ - backendRefs:
+ - kind: Service
+ name: infra-backend-invalid
+ port: 8080
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
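Review bot: The routing key `x-name` is produced by `claimToHeaders`, so this fixture is only safe if a client-supplied `x-name` can never reach the match rules; that holds here because the policy targets the whole `jwt-claim-routing` route (all three rules, including the catch-all to `infra-backend-invalid`), but nothing in the manifest records that invariant. Add above `targetRef`: `# must target the whole route: the catch-all rule authenticates the JWT and rewrites x-name, so a client-sent x-name is never trusted`, and make sure the companion test asserts that a request with `x-name: John Doe` and no token is rejected, and that a valid token whose `name` claim differs overrides a client-sent `x-name` (confirm Envoy replaces rather than appends). The `remoteJWKS.uri` points at the `main` branch of the repo, so a key rotation there silently breaks this test on every release branch; pin it to a tag or commit SHA.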
diff --git a/test/e2e/testdata/oidc-keycloak.yaml b/test/e2e/testdata/oidc-keycloak.yaml
new file mode 100644
index 00000000000..5e7eca54013
--- /dev/null
+++ b/test/e2e/testdata/oidc-keycloak.yaml
@@ -0,0 +1,137 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak
+ namespace: gateway-conformance-infra
+ labels:
+ app: keycloak
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 80
+ targetPort: 8080
+ name: http-keycloak
+ protocol: TCP
+ selector:
+ app: keycloak
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: keycloak
+ namespace: gateway-conformance-infra
+ labels:
+ app: keycloak
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keycloak
+ namespace: gateway-conformance-infra
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: keycloak
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: keycloak
+ version: v1
+ spec:
+ serviceAccountName: keycloak
+ containers:
+ - name: keycloak
+ image: quay.io/keycloak/keycloak:23.0.6
+ imagePullPolicy: IfNotPresent
+ args:
+ - "start-dev"
+ ports:
+ - name: keycloak
+ containerPort: 8080
+ protocol: TCP
+ env:
+ - name: KEYCLOAK_ADMIN
+ value: admin
+ - name: KEYCLOAK_ADMIN_PASSWORD
+ value: admin
+ readinessProbe:
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ tcpSocket:
+ port: 8080
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: setup-keycloak
+ namespace: gateway-conformance-infra
+spec:
+ template:
+ spec:
+ initContainers:
+ - name: wait-for-keycloak
+ image: busybox:stable
+ command: ["sh", "-c", "until nc -v -z -w3 keycloak 80; do sleep 2; done"]
+ containers:
+ - name: setup-keycloak
+ image: quay.io/keycloak/keycloak:23.0.6
+ command: ["bash", "/opt/keycloak/scripts/setup.sh"]
+ env:
+ - name: KEYCLOAK_ADMIN
+ value: admin
+ - name: KEYCLOAK_ADMIN_PASSWORD
+ value: admin
+ volumeMounts:
+ - name: setup-script
+ mountPath: /opt/keycloak/scripts
+ volumes:
+ - name: setup-script
+ configMap:
+ name: setup-keycloak
+ restartPolicy: Never
+ backoffLimit: 4
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: setup-keycloak
+ namespace: gateway-conformance-infra
+data:
+ setup.sh: |
+ KEYCLOAK_SERVER="http://keycloak"
+ REALM="master"
+ USERNAME=oidcuser # This is the user name that will be used for user authentication in Authorization Code Flow
+ PASSWORD=oidcpassword # This is the user password that will be used for user authentication in Authorization Code Flow
+ CLIENT_ID=oidctest
+ CLIENT_SECRET=oidctest-client-secret
+ REDIRECT_URL=http://www.example.com/myapp/oauth2/callback
+
+ set -ex
+
+ /opt/keycloak/bin/kcadm.sh create users \
+ -s username="${USERNAME}" \
+ -s enabled=true \
+ --server "${KEYCLOAK_SERVER}" \
+ --realm "${REALM}" \
+ --user "${KEYCLOAK_ADMIN}" \
+ --password "${KEYCLOAK_ADMIN_PASSWORD}"
+
+ /opt/keycloak/bin/kcadm.sh set-password \
+ --username "${USERNAME}" \
+ --new-password "${PASSWORD}" \
+ --server "${KEYCLOAK_SERVER}" \
+ --realm "${REALM}" \
+ --user "${KEYCLOAK_ADMIN}" \
+ --password "${KEYCLOAK_ADMIN_PASSWORD}"
+
+ /opt/keycloak/bin/kcreg.sh create \
+ -s clientId="${CLIENT_ID}" \
+ -s secret="${CLIENT_SECRET}" \
+ -s "redirectUris=[\"${REDIRECT_URL}\"]" \
+ -s consentRequired=false \
+ --server "${KEYCLOAK_SERVER}" \
+ --realm "${REALM}" \
+ --user "${KEYCLOAK_ADMIN}" \
+ --password "${KEYCLOAK_ADMIN_PASSWORD}"
diff --git a/test/e2e/testdata/oidc-securitypolicy.yaml b/test/e2e/testdata/oidc-securitypolicy.yaml
new file mode 100644
index 00000000000..0350979aa18
--- /dev/null
+++ b/test/e2e/testdata/oidc-securitypolicy.yaml
@@ -0,0 +1,79 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-with-oidc
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ hostnames: ["www.example.com"]
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /myapp # This is the path that will be protected by OIDC
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-without-oidc
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ hostnames: ["www.example.com"]
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /public # This is the path that will be public
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-keycloak
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ hostnames: ["keycloak.gateway-conformance-infra"]
+ rules:
+ - backendRefs:
+ - name: keycloak
+ port: 80
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: gateway-conformance-infra
+ name: oidctest-secret
+data:
+ client-secret: b2lkY3Rlc3QtY2xpZW50LXNlY3JldA== # base64 encoding of "oidctest-client-secret"
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: oidc-test
+ namespace: gateway-conformance-infra
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: http-with-oidc
+ oidc:
+ provider:
+ issuer: "http://keycloak.gateway-conformance-infra/realms/master"
+ authorizationEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth"
+ tokenEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token"
+ clientID: "oidctest"
+ clientSecret:
+ name: "oidctest-secret"
+ redirectURL: "http://www.example.com/myapp/oauth2/callback"
+ logoutPath: "/myapp/logout"
diff --git a/test/e2e/testdata/retry.yaml b/test/e2e/testdata/retry.yaml
new file mode 100644
index 00000000000..bacb78b1d60
--- /dev/null
+++ b/test/e2e/testdata/retry.yaml
@@ -0,0 +1,41 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: BackendTrafficPolicy
+metadata:
+ name: retry-policy
+ namespace: gateway-conformance-infra
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: retry-route
+ namespace: gateway-conformance-infra
+ retry:
+ numRetries: 5
+ perRetry:
+ backOff:
+ baseInterval: 100ms
+ maxInterval: 10s
+ timeout: 250ms
+ retryOn:
+ httpStatusCodes:
+ - 500
+ triggers:
+ - connect-failure
+ - retriable-status-codes
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: retry-route
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /status
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
diff --git a/test/e2e/tests/backend-upgrade.go b/test/e2e/tests/backend-upgrade.go
new file mode 100644
index 00000000000..6119aad0f05
--- /dev/null
+++ b/test/e2e/tests/backend-upgrade.go
@@ -0,0 +1,164 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+// +build e2e
+
+package tests
+
+import (
+ "context"
+ "io"
+ "net/url"
+ "testing"
+ "time"
+
+ "fortio.org/fortio/fhttp"
+ "fortio.org/fortio/periodic"
+
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/wait"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "sigs.k8s.io/gateway-api/conformance/utils/config"
+ "sigs.k8s.io/gateway-api/conformance/utils/http"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, BackendUpgradeTest)
+}
+
+var BackendUpgradeTest = suite.ConformanceTest{
+ ShortName: "BackendUpgrade",
+ Description: "Rolling backend pods should not lead to failures",
+ Manifests: []string{"testdata/backend-upgrade.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("All requests must succeed", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "http-backend-upgrade", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ dNN := types.NamespacedName{Name: "infra-backend-v1", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+ reqURL := url.URL{Scheme: "http", Host: http.CalculateHost(t, gwAddr, "http"), Path: "/backend-upgrade"}
+
+ // can be used to abort the test after deployment restart is complete or failed
+ aborter := periodic.NewAborter()
+ // will contain indication on success or failure of load test
+ loadSuccess := make(chan bool)
+
+ t.Log("Starting load generation")
+ // Run load async and continue to restart deployment
+ go runLoadAndWait(t, suite.TimeoutConfig, loadSuccess, aborter, reqURL.String())
+
+ t.Log("Restarting deployment")
+ err := restartDeploymentAndWaitForNewPods(t, suite.TimeoutConfig, suite.Client, dNN)
+
+ t.Log("Stopping load generation and collecting results")
+ aborter.Abort(false) // abort the load either way
+
+ if err != nil {
+ t.Errorf("Failed to restart deployment")
+ }
+
+ // Wait for the goroutine to finish
+ result := <-loadSuccess
+ if !result {
+ t.Errorf("Load test failed")
+ }
+ })
+ },
+}
+
+// runs a load test with options described in opts
+// the done channel is used to notify caller of execution result
+// the execution may end due to an external abort or timeout
+func runLoadAndWait(t *testing.T, timeoutConfig config.TimeoutConfig, done chan bool, aborter *periodic.Aborter, reqURL string) {
+ opts := fhttp.HTTPRunnerOptions{
+ RunnerOptions: periodic.RunnerOptions{
+ QPS: 5000,
+ // allow some overhead time for setting up workers and tearing down after restart
+ Duration: timeoutConfig.CreateTimeout + timeoutConfig.CreateTimeout/2,
+ NumThreads: 50,
+ Stop: aborter,
+ Out: io.Discard,
+ },
+ HTTPOptions: fhttp.HTTPOptions{
+ URL: reqURL,
+ },
+ }
+ res, err := fhttp.RunHTTPTest(&opts)
+ if err != nil {
+ done <- false
+ t.Logf("failed to create load: %v", err)
+ }
+
+ // collect stats
+ okReq := res.RetCodes[200]
+ totalReq := res.DurationHistogram.Count
+ failedReq := totalReq - okReq
+ errorReq := res.ErrorsDurationHistogram.Count
+ timedOut := res.ActualDuration == opts.Duration
+ t.Logf("Backend upgrade completed after %s with %d requests, %d success, %d failures and %d errors", res.ActualDuration, totalReq, okReq, failedReq, errorReq)
+
+ if okReq == totalReq && errorReq == 0 && !timedOut {
+ done <- true
+ }
+ done <- false
+}
+
+func restartDeploymentAndWaitForNewPods(t *testing.T, timeoutConfig config.TimeoutConfig, c client.Client, dNN types.NamespacedName) error {
+ t.Helper()
+ const kubeRestartAnnotation = "kubectl.kubernetes.io/restartedAt"
+
+ ctx := context.Background()
+ dp := &appsv1.Deployment{}
+
+ err := c.Get(ctx, dNN, dp)
+ if err != nil {
+ return err
+ }
+
+ if dp.Spec.Template.ObjectMeta.Annotations == nil {
+ dp.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+ }
+ restartTime := time.Now().Format(time.RFC3339)
+ dp.Spec.Template.ObjectMeta.Annotations[kubeRestartAnnotation] = restartTime
+
+ if err = c.Update(ctx, dp); err != nil {
+ return err
+ }
+
+ return wait.PollUntilContextTimeout(ctx, 1*time.Second, timeoutConfig.CreateTimeout, true, func(ctx context.Context) (bool, error) {
+ // wait for replicaset with the same annotation to reach ready status
+ podList := &corev1.PodList{}
+ listOpts := []client.ListOption{
+ client.InNamespace(dNN.Namespace),
+ client.MatchingLabelsSelector{Selector: labels.SelectorFromSet(labels.Set{"app": dNN.Name})},
+ }
+
+ err = c.List(ctx, podList, listOpts...)
+ if err != nil {
+ return false, err
+ }
+
+ rolled := int32(0)
+ for _, rs := range podList.Items {
+ if rs.Annotations[kubeRestartAnnotation] == restartTime {
+ rolled++
+ }
+ }
+
+ if rolled == *dp.Spec.Replicas {
+ return true, nil
+ }
+
+ return false, nil
+ })
+}
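Review bot: runLoadAndWait falls through after signalling on `done`: when RunHTTPTest returns an error it sends `false`, logs, and then goes on to dereference `res`, and on success it sends `true` and then blocks forever on the second `done <- false`, because the caller reads the channel exactly once, leaking the goroutine. Add `return` after the error log and collapse the tail into a single send, `done <- okReq == totalReq && errorReq == 0 && !timedOut`. Separately, the poll in restartDeploymentAndWaitForNewPods counts pods that carry the restart annotation, not pods that are ready, although its comment promises "ready status"; either check the PodReady condition on each matched pod or reword the comment to `// wait until every replica carries the new restart annotation`. The `t.Errorf("Failed to restart deployment")` in the test body also drops the returned error; use `t.Errorf("Failed to restart deployment: %v", err)` so a timeout versus an API error is distinguishable in the run log.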
diff --git a/test/e2e/tests/basic-auth.go b/test/e2e/tests/basic_auth.go
similarity index 81%
rename from test/e2e/tests/basic-auth.go
rename to test/e2e/tests/basic_auth.go
index e5b16e6c307..1c2d13a783c 100644
--- a/test/e2e/tests/basic-auth.go
+++ b/test/e2e/tests/basic_auth.go
@@ -9,22 +9,12 @@
package tests
import (
- "context"
- "fmt"
"testing"
- "time"
- "github.com/stretchr/testify/require"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
- "k8s.io/apimachinery/pkg/util/wait"
- "sigs.k8s.io/controller-runtime/pkg/client"
- gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
"sigs.k8s.io/gateway-api/conformance/utils/http"
"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
"sigs.k8s.io/gateway-api/conformance/utils/suite"
-
- egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
)
func init() {
@@ -41,7 +31,7 @@ var BasicAuthTest = suite.ConformanceTest{
routeNN := types.NamespacedName{Name: "http-with-basic-auth-1", Namespace: ns}
gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
- SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-1", Namespace: ns})
+ securityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-1", Namespace: ns})
// TODO: We should wait for the `programmed` condition to be true before sending traffic.
expectedResponse := http.ExpectedResponse{
Request: http.Request{
@@ -72,7 +62,7 @@ var BasicAuthTest = suite.ConformanceTest{
routeNN := types.NamespacedName{Name: "http-with-basic-auth-1", Namespace: ns}
gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
- SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-1", Namespace: ns})
+ securityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-1", Namespace: ns})
// TODO: We should wait for the `programmed` condition to be true before sending traffic.
expectedResponse := http.ExpectedResponse{
Request: http.Request{
@@ -100,7 +90,7 @@ var BasicAuthTest = suite.ConformanceTest{
routeNN := types.NamespacedName{Name: "http-with-basic-auth-1", Namespace: ns}
gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
- SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-1", Namespace: ns})
+ securityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-1", Namespace: ns})
// TODO: We should wait for the `programmed` condition to be true before sending traffic.
expectedResponse := http.ExpectedResponse{
Request: http.Request{
@@ -131,7 +121,7 @@ var BasicAuthTest = suite.ConformanceTest{
routeNN := types.NamespacedName{Name: "http-with-basic-auth-2", Namespace: ns}
gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
- SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-2", Namespace: ns})
+ securityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-2", Namespace: ns})
// TODO: We should wait for the `programmed` condition to be true before sending traffic.
expectedResponse := http.ExpectedResponse{
Request: http.Request{
@@ -163,7 +153,7 @@ var BasicAuthTest = suite.ConformanceTest{
routeNN := types.NamespacedName{Name: "http-with-basic-auth-1", Namespace: ns}
gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
- SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-1", Namespace: ns})
+ securityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "basic-auth-1", Namespace: ns})
// TODO: We should wait for the `programmed` condition to be true before sending traffic.
expectedResponse := http.ExpectedResponse{
Request: http.Request{
@@ -187,28 +177,3 @@ var BasicAuthTest = suite.ConformanceTest{
})
},
}
-
-// SecurityPolicyMustBeAccepted waits for the specified SecurityPolicy to be accepted.
-func SecurityPolicyMustBeAccepted(
- t *testing.T,
- client client.Client,
- securityPolicyName types.NamespacedName) {
- t.Helper()
-
- waitErr := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 60*time.Second, true, func(ctx context.Context) (bool, error) {
- securityPolicy := &egv1a1.SecurityPolicy{}
- err := client.Get(ctx, securityPolicyName, securityPolicy)
- if err != nil {
- return false, fmt.Errorf("error fetching SecurityPolicy: %w", err)
- }
-
- for _, condition := range securityPolicy.Status.Conditions {
- if condition.Type == string(gwv1a2.PolicyConditionAccepted) && condition.Status == metav1.ConditionTrue {
- return true, nil
- }
- }
- t.Logf("SecurityPolicy not yet accepted: %v", securityPolicy)
- return false, nil
- })
- require.NoErrorf(t, waitErr, "error waiting for SecurityPolicy to be accepted")
-}
diff --git a/test/e2e/tests/circuitbreaker.go b/test/e2e/tests/circuitbreaker.go
index 0bce74ba68f..2f24d2ab3c8 100644
--- a/test/e2e/tests/circuitbreaker.go
+++ b/test/e2e/tests/circuitbreaker.go
@@ -45,15 +45,7 @@ var CircuitBreakerTest = suite.ConformanceTest{
Namespace: ns,
}
- req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http")
- cReq, cResp, err := suite.RoundTripper.CaptureRoundTrip(req)
- if err != nil {
- t.Errorf("failed to get expected response: %v", err)
- }
-
- if err := http.CompareRequest(t, &req, cReq, cResp, expectedResponse); err != nil {
- t.Errorf("failed to compare request and response: %v", err)
- }
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
})
},
}
diff --git a/test/e2e/tests/client-timeout.go b/test/e2e/tests/client-timeout.go
deleted file mode 100644
index 85de9563490..00000000000
--- a/test/e2e/tests/client-timeout.go
+++ /dev/null
@@ -1,68 +0,0 @@
-// Copyright Envoy Gateway Authors
-// SPDX-License-Identifier: Apache-2.0
-// The full text of the Apache license is available in the LICENSE file at
-// the root of the repo.
-
-//go:build e2e
-// +build e2e
-
-package tests
-
-import (
- "net/http"
- "net/url"
- "testing"
- "time"
-
- "k8s.io/apimachinery/pkg/types"
- httputils "sigs.k8s.io/gateway-api/conformance/utils/http"
- "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
- "sigs.k8s.io/gateway-api/conformance/utils/suite"
-)
-
-func init() {
- ConformanceTests = append(ConformanceTests, ClientTimeoutTest)
-}
-
-const largeHeader = "FakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderVal
ueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFak
eHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHead
erValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderVal
ueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFak
eHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHead
erValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderVal
ueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFak
eHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHead
erValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderVal
ueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFak
eHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHead
erValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderVal
ueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFak
eHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHead
erValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderVal
ueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFak
eHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHead
erValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValueFakeHeaderValue"
-
-var ClientTimeoutTest = suite.ConformanceTest{
- ShortName: "ClientTimeout",
- Description: "Test that the ClientTrafficPolicy API implementation supports client timeout",
- Manifests: []string{"testdata/client-timeout.yaml"},
- Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
- t.Run("http client timeout", func(t *testing.T) {
- ns := "gateway-conformance-infra"
- routeNN := types.NamespacedName{Name: "http-client-timeout", Namespace: ns}
- gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
- gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
-
- // Use raw http request to avoid chunked
- req := &http.Request{
- Method: "GET",
- URL: &url.URL{Scheme: "http", Host: gwAddr, Path: "/request-timeout"},
- Header: http.Header{
- // larger enough to trigger request timeout
- "x-large-size-header": []string{largeHeader},
- },
- }
-
- client := &http.Client{}
-
- httputils.AwaitConvergence(t,
- suite.TimeoutConfig.RequiredConsecutiveSuccesses,
- suite.TimeoutConfig.MaxTimeToConsistency,
- func(_ time.Duration) bool {
- resp, err := client.Do(req)
- if err != nil {
- panic(err)
- }
- defer resp.Body.Close()
-
- // return 408 instead of 400 when request timeout.
- return http.StatusRequestTimeout == resp.StatusCode
- })
-
- })
- },
-}
diff --git a/test/e2e/tests/client_timeout.go b/test/e2e/tests/client_timeout.go
new file mode 100644
index 00000000000..4221eff4623
--- /dev/null
+++ b/test/e2e/tests/client_timeout.go
@@ -0,0 +1,75 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+// +build e2e
+
+package tests
+
+import (
+ "net/http"
+ "net/url"
+ "strings"
+ "testing"
+ "time"
+
+ "k8s.io/apimachinery/pkg/types"
+ httputils "sigs.k8s.io/gateway-api/conformance/utils/http"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, ClientTimeoutTest)
+}
+
+var largeSizeHeader = func() string {
+ var b strings.Builder
+ for i := 0; i < 5000; i++ {
+ b.WriteString("FakeHeaderValue")
+ }
+ return b.String()
+}
+
+var ClientTimeoutTest = suite.ConformanceTest{
+ ShortName: "ClientTimeout",
+ Description: "Test that the ClientTrafficPolicy API implementation supports client timeout",
+ Manifests: []string{"testdata/client-timeout.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("http client timeout", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "http-client-timeout", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+ // Use raw http request to avoid chunked
+ req := &http.Request{
+ Method: "GET",
+ URL: &url.URL{Scheme: "http", Host: gwAddr, Path: "/request-timeout"},
+ Header: http.Header{
+ // larger enough to trigger request timeout
+ "x-large-size-header": []string{largeSizeHeader()},
+ },
+ }
+
+ client := &http.Client{}
+
+ httputils.AwaitConvergence(t,
+ suite.TimeoutConfig.RequiredConsecutiveSuccesses,
+ suite.TimeoutConfig.MaxTimeToConsistency,
+ func(_ time.Duration) bool {
+ resp, err := client.Do(req)
+ if err != nil {
+ panic(err)
+ }
+ defer resp.Body.Close()
+
+ // return 408 instead of 400 when request timeout.
+ return http.StatusRequestTimeout == resp.StatusCode
+ })
+
+ })
+ },
+}
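Review bot: `panic(err)` inside the AwaitConvergence callback (the `client.Do(req)` line) aborts the whole e2e binary on a transient connection error instead of failing this subtest and letting convergence retry; prefer `if err != nil { t.Logf("request failed: %v", err); return false }`. Relatedly, `client := &http.Client{}` has no Timeout, so if the gateway never applies the ClientTrafficPolicy timeout the request blocks until the transport gives up rather than failing inside `MaxTimeToConsistency`; a client-side `Timeout` comfortably longer than the policy's configured timeout keeps a hang observable as a test failure. Reusing the same `req` object across attempts is fine for a body-less GET, but a one-line comment saying so would save the next reader the check.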
diff --git a/test/e2e/tests/envoy-patch-policy.go b/test/e2e/tests/envoy_patch_policy.go
similarity index 100%
rename from test/e2e/tests/envoy-patch-policy.go
rename to test/e2e/tests/envoy_patch_policy.go
diff --git a/test/e2e/tests/jwt.go b/test/e2e/tests/jwt.go
new file mode 100644
index 00000000000..89de5fa60dc
--- /dev/null
+++ b/test/e2e/tests/jwt.go
@@ -0,0 +1,110 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+// +build e2e
+
+package tests
+
+import (
+ "testing"
+
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/gateway-api/conformance/utils/http"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, JWTTest)
+}
+
+const (
+ // from examples/kubernetes/jwt/test.jwt
+ // nolint: gosec
+ v1Token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ"
+ // from examples/kubernetes/jwt/with-different-claim.jwt
+ // nolint: gosec
+ v2Token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRvbSIsImFkbWluIjp0cnVlLCJpYXQiOjE1MTYyMzkwMjJ9.kyzDDSo7XpweSPU1lxoI9IHzhTBrRNlnmcW9lmCbloZELShg-8isBx4AFoM4unXZTHpS_Y24y0gmd4nDQxgUE-CgjVSnGCb0Xhy3WO1gm9iChoKDyyQ3kHp98EmKxTyxKG2X9GyKcDFNBDjH12OBD7TcJUaBEvLf6Jw1SG2A7FakUPWeK04DQ916-ROylzI6qKyaZ0OpfYIbijvyAQxlQRxxs2XHlAkLdJhfVcUqJBwsFTbwHYARC-WNgd2_etAk1GWdwwZ_NoTmRzZAMryrYJpHY9KPlbnZ93Ye3o9h2viBQ_XRb7JBkWnAGYO4_KswpJWE_7ROUVj8iOJo2jfY6w"
+ // nolint: gosec
+ anotherToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkplcnJ5IiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.VKLURpaPLWanwE5xoGTfuYKqT9a91Fg1tRBAOyFzNa5t9SbtK8As7-3iJg4f_VlBHj13OeKjfpDEvgLerIt5TKnU708YKERB45di_7TNURoiVZayq3_gFznMqoSarP3irLDzh0YKUjc7Vuh3MX99fueTdbeA-c4pMhG_nwiFeRJhZNQQDzzKtmL9C_L2uwP4bDupmcYz6FAA2EN_r67WoXCjPWQoRQmE435EVQ-FYKgAR7qZ5TdjoSN91ByRQ7Ior9srPl7gOvjuaRbu7fjC-LT7wRE26v2vu-BCM2PveJf2NMobNb8q0pcmpB1TWhSXp1MIZs9yxbqEAZLOumYfUw"
+)
+
+var JWTTest = suite.ConformanceTest{
+ ShortName: "JWT",
+ Description: "JWT Claim",
+ Manifests: []string{"testdata/jwt.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("jwt claim base routing", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "jwt-claim-routing", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+ testCases := []http.ExpectedResponse{
+ {
+ Request: http.Request{
+ Path: "/get",
+ Headers: map[string]string{
+ "Authorization": "Bearer " + v1Token,
+ },
+ },
+ Backend: "infra-backend-v1",
+ Response: http.Response{
+ StatusCode: 200,
+ },
+ Namespace: ns,
+ },
+ {
+ Request: http.Request{
+ Path: "/get",
+ Headers: map[string]string{
+ "Authorization": "Bearer " + v2Token,
+ },
+ },
+ Backend: "infra-backend-v2",
+ Response: http.Response{
+ StatusCode: 200,
+ },
+ Namespace: ns,
+ },
+ {
+ Request: http.Request{
+ Path: "/get",
+ Headers: map[string]string{
+ "Authorization": "Bearer " + anotherToken,
+ },
+ },
+ Backend: "infra-backend-v1",
+ Response: http.Response{
+ StatusCode: 500,
+ },
+ Namespace: ns,
+ },
+ {
+ Request: http.Request{
+ Path: "/get",
+ Headers: map[string]string{
+ "x-name": "Tom",
+ },
+ },
+ Backend: "infra-backend-v2",
+ Response: http.Response{
+ StatusCode: 401,
+ },
+ Namespace: ns,
+ },
+ }
+
+ for i := range testCases {
+ tc := testCases[i]
+ t.Run(tc.GetTestCaseName(i), func(t *testing.T) {
+ t.Parallel()
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc)
+ })
+ }
+ })
+ },
+}
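Review bot: The third case pins a 500 for `anotherToken` with no comment explaining it; decoding its payload gives `"name":"Jerry"`, which matches neither of the first two tokens' `name` claims, so presumably no route matches the claim-derived header — but a 500 reads as a server-side error rather than a deliberate rejection, and the expected code should be justified (or the manifest fixed) before it is pinned. Add a comment above that case such as `// name claim "Jerry" maps to no backend; confirm 500 is intended rather than 404/403`. The fourth case is the security-relevant one — a bare `x-name: Tom` header with no token must yield 401, proving the claim-to-header mapping cannot be spoofed by the client — and deserves a comment saying exactly that. The `Backend: "infra-backend-v1"` on the 500 case is presumably ignored by the comparison since no echo body comes back; if so, drop it to avoid implying the request reached v1.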
diff --git a/test/e2e/tests/local-ratelimit.go b/test/e2e/tests/local_ratelimit.go
similarity index 85%
rename from test/e2e/tests/local-ratelimit.go
rename to test/e2e/tests/local_ratelimit.go
index 28e3caa7034..ee67842ebd1 100644
--- a/test/e2e/tests/local-ratelimit.go
+++ b/test/e2e/tests/local_ratelimit.go
@@ -9,22 +9,12 @@
package tests
import (
- "context"
- "fmt"
"testing"
- "time"
- "github.com/stretchr/testify/require"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
- "k8s.io/apimachinery/pkg/util/wait"
- "sigs.k8s.io/controller-runtime/pkg/client"
- gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
"sigs.k8s.io/gateway-api/conformance/utils/http"
"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
"sigs.k8s.io/gateway-api/conformance/utils/suite"
-
- egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
)
func init() {
@@ -199,28 +189,3 @@ var LocalRateLimitNoLimitRouteTest = suite.ConformanceTest{
})
},
}
-
-// backendTrafficPolicyMustBeAccepted waits for the specified BackendTrafficPolicy to be accepted.
-func backendTrafficPolicyMustBeAccepted(
- t *testing.T,
- client client.Client,
- policyName types.NamespacedName) {
- t.Helper()
-
- waitErr := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 60*time.Second, true, func(ctx context.Context) (bool, error) {
- policy := &egv1a1.BackendTrafficPolicy{}
- err := client.Get(ctx, policyName, policy)
- if err != nil {
- return false, fmt.Errorf("error fetching BackendTrafficPolicy: %w", err)
- }
-
- for _, condition := range policy.Status.Conditions {
- if condition.Type == string(gwv1a2.PolicyConditionAccepted) && condition.Status == metav1.ConditionTrue {
- return true, nil
- }
- }
- t.Logf("BackendTrafficPolicy not yet accepted: %v", policy)
- return false, nil
- })
- require.NoErrorf(t, waitErr, "error waiting for BackendTrafficPolicy to be accepted")
-}
diff --git a/test/e2e/tests/oidc-testclient.go b/test/e2e/tests/oidc-testclient.go
new file mode 100644
index 00000000000..d2bd9f364ce
--- /dev/null
+++ b/test/e2e/tests/oidc-testclient.go
@@ -0,0 +1,325 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+// This file is copied and modified from https://github.com/tetrateio/authservice-go/blob/main/e2e/testclient.go
+
+// Copyright 2024 Tetrate
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tests
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "net"
+ "net/http"
+ "net/http/httputil"
+ "net/url"
+ "strings"
+
+ "golang.org/x/net/html"
+)
+
+// LoggingRoundTripper is a http.RoundTripper that logs requests and responses.
+type LoggingRoundTripper struct {
+ LogFunc func(...any)
+ LogBody bool
+ Delegate http.RoundTripper
+}
+
+// RoundTrip logs all the requests and responses using the configured settings.
+func (l LoggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+ if l.LogFunc != nil {
+ if dump, derr := httputil.DumpRequest(req, l.LogBody); derr == nil {
+ l.LogFunc(string(dump))
+ }
+ }
+
+ res, err := l.Delegate.RoundTrip(req)
+ if err == nil && l.LogFunc != nil {
+ if dump, derr := httputil.DumpResponse(res, l.LogBody); derr == nil {
+ l.LogFunc(string(dump))
+ }
+ }
+
+ return res, err
+}
+
+// CookieTracker is a http.RoundTripper that tracks cookies received from the server.
+type CookieTracker struct {
+ Delegate http.RoundTripper
+ Cookies map[string]*http.Cookie
+}
+
+// RoundTrip tracks the cookies received from the server.
+func (c *CookieTracker) RoundTrip(req *http.Request) (*http.Response, error) {
+ for _, ck := range c.Cookies {
+ req.AddCookie(ck)
+ }
+
+ res, err := c.Delegate.RoundTrip(req)
+
+ if err == nil {
+ // Track the cookies received from the server
+ for _, ck := range res.Cookies() {
+ c.Cookies[ck.Name] = ck
+ }
+ }
+
+ return res, err
+}
+
+// OIDCTestClient encapsulates a http.Client and keeps track of the state of the OIDC login process.
+type OIDCTestClient struct {
+ http *http.Client // Delegate HTTP client
+ loginURL string // URL of the IdP where users need to authenticate
+ loginMethod string // Method (GET/POST) to use when posting the credentials to the IdP
+ mappings *AddressMappings // Custom address mappings
+ logFunc func(...any) // Logging function to log all requests and responses
+ logBody bool // Whether to log the request and response bodies
+}
+
+// Option is a functional option for configuring the OIDCTestClient.
+type Option func(*OIDCTestClient) error
+
+// WithLoggingOptions configures the OIDCTestClient to log requests and responses.
+func WithLoggingOptions(logFunc func(...any), logBody bool) Option {
+ return func(o *OIDCTestClient) error {
+ o.logFunc = logFunc
+ o.logBody = logBody
+ return nil
+ }
+}
+
+// AddressMappings is a custom dialer that resolves specific host:port to specific target addresses.
+type AddressMappings struct {
+ addresses map[string]string
+}
+
+// DialContext is a custom dialer that resolves specific host:port to specific target addresses.
+func (a *AddressMappings) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
+ if resolved, ok := a.addresses[addr]; ok {
+ addr = resolved
+ }
+ return (&net.Dialer{}).DialContext(ctx, network, addr)
+}
+
+// WithCustomAddressMappings configures the OIDCTestClient to resolve specific host:port to
+// specific target addresses.
+func WithCustomAddressMappings(mappings map[string]string) Option {
+ return func(o *OIDCTestClient) error {
+ o.mappings = &AddressMappings{
+ addresses: mappings,
+ }
+ return nil
+ }
+}
+
+// NewOIDCTestClient creates a new OIDCTestClient.
+func NewOIDCTestClient(opts ...Option) (*OIDCTestClient, error) {
+ var (
+ defaultTransport = http.DefaultTransport.(*http.Transport).Clone()
+ logging = &LoggingRoundTripper{Delegate: defaultTransport}
+ cookieTracker = &CookieTracker{Cookies: make(map[string]*http.Cookie), Delegate: logging}
+ client = &OIDCTestClient{http: &http.Client{Transport: cookieTracker}}
+ )
+
+ for _, opt := range opts {
+ if err := opt(client); err != nil {
+ return nil, err
+ }
+ }
+
+ logging.LogFunc = client.logFunc
+ logging.LogBody = client.logBody
+
+ if client.mappings != nil {
+ defaultTransport.DialContext = client.mappings.DialContext
+ }
+
+ return client, nil
+}
+
+// Get sends a GET request to the specified URL.
+func (o *OIDCTestClient) Get(url string, followDirection bool) (*http.Response, error) {
+ req, err := http.NewRequest("GET", url, nil)
+ if err != nil {
+ return nil, err
+ }
+ return o.Send(req, followDirection)
+}
+
+// Send sends the specified request.
+func (o *OIDCTestClient) Send(req *http.Request, followRedirect bool) (*http.Response, error) {
+ o.http.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+ if followRedirect {
+ return nil
+ }
+ return http.ErrUseLastResponse
+ }
+ return o.http.Do(req)
+}
+
+// Login logs in to the IdP using the provided credentials.
+func (o *OIDCTestClient) Login(formData map[string]string) (*http.Response, error) {
+ if o.loginURL == "" {
+ return nil, fmt.Errorf("login URL is not set")
+ }
+ data := url.Values{}
+ for k, v := range formData {
+ data.Add(k, v)
+ }
+ req, err := http.NewRequest(o.loginMethod, o.loginURL, strings.NewReader(data.Encode()))
+ if err != nil {
+ return nil, err
+ }
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+ return o.Send(req, true)
+}
+
+// ParseLoginForm parses the HTML response body to get the URL where the login page would post the user-entered credentials.
+func (o *OIDCTestClient) ParseLoginForm(responseBody io.ReadCloser, formID string) error {
+ body, err := io.ReadAll(responseBody)
+ if err != nil {
+ return err
+ }
+ o.loginURL, o.loginMethod, _, err = extractFromData(string(body), idFormMatcher{formID}, false)
+ return err
+}
+
+// extractFromData extracts the form action, method and values from the HTML response body.
+func extractFromData(responseBody string, match formMatch, includeFromInputs bool) (string, string, url.Values, error) {
+ // Parse HTML response
+ doc, err := html.Parse(strings.NewReader(responseBody))
+ if err != nil {
+ return "", "", nil, err
+ }
+
+ // Find the form with the specified ID or match criteria
+ form := findForm(doc, match)
+ if form == nil {
+ return "", "", nil, fmt.Errorf("%s not found", match)
+ }
+
+ var (
+ action, method string
+ formValues = make(url.Values)
+ )
+
+ // Get the action and method of the form
+ for _, a := range form.Attr {
+ switch a.Key {
+ case "action":
+ action = a.Val
+ case "method":
+ method = strings.ToUpper(a.Val)
+ }
+ }
+
+ // If we want to include inputs, recursively iterate the children
+ if includeFromInputs {
+ formValues = findFormInputs(form)
+ }
+
+ return action, method, formValues, nil
+}
+
+// findForm recursively searches for a form in the HTML response body that matches the specified criteria.
+func findForm(n *html.Node, match formMatch) *html.Node {
+ // Check if the current node is a form and matches the specified criteria
+ if match.matches(n) {
+ return n
+ }
+
+ // Else, recursively search for the form in child nodes
+ for c := n.FirstChild; c != nil; c = c.NextSibling {
+ if form := findForm(c, match); form != nil {
+ return form
+ }
+ }
+ return nil
+}
+
+// findFormInputs recursively searches for input fields in the HTML form node.
+func findFormInputs(formNode *html.Node) url.Values {
+ form := make(url.Values)
+ for c := formNode.FirstChild; c != nil; c = c.NextSibling {
+ if c.Type == html.ElementNode && c.Data == "input" {
+ var name, value string
+ for _, a := range c.Attr {
+ switch a.Key {
+ case "name":
+ name = a.Val
+ case "value":
+ value = a.Val
+ }
+ }
+ form.Add(name, value)
+ } else {
+ for k, v := range findFormInputs(c) {
+ form[k] = append(form[k], v...)
+ }
+ }
+ }
+ return form
+}
+
+var (
+ _ formMatch = idFormMatcher{}
+ _ formMatch = firstFormMatcher{}
+)
+
+type (
+ // formMatch is an interface that defines the criteria to match a form in the HTML response body.
+ formMatch interface {
+ matches(*html.Node) bool
+ String() string
+ }
+
+ // idFormMatcher matches a form with the specified ID.
+ idFormMatcher struct {
+ id string
+ }
+
+ // firstFormMatcher matches the first form in the HTML response body.
+ firstFormMatcher struct{}
+)
+
+func (m idFormMatcher) matches(n *html.Node) bool {
+ if n.Type != html.ElementNode || n.Data != "form" {
+ return false
+ }
+
+ for _, a := range n.Attr {
+ if a.Key == "id" && a.Val == m.id {
+ return true
+ }
+ }
+ return false
+}
+
+func (m idFormMatcher) String() string {
+ return fmt.Sprintf("form with ID '%s'", m.id)
+}
+
+func (m firstFormMatcher) matches(n *html.Node) bool {
+ return n.Type == html.ElementNode && n.Data == "form"
+}
+
+func (m firstFormMatcher) String() string {
+ return "first form"
+}
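Review bot: `CookieTracker.RoundTrip` stores every Set-Cookie by name and replays all of them to every host, ignoring Domain, Path, Secure, Expires and Max-Age; a cookie the server deletes (Max-Age=0, which Go reports as `MaxAge < 0`, and which the logout step in oidc.go relies on) stays in the map and keeps being sent, and IdP cookies are forwarded to the application host and vice versa, so a wrongly-scoped cookie from the OAuth2 filter would go unnoticed. At minimum honour deletion in the tracking loop: `if ck.MaxAge < 0 || (!ck.Expires.IsZero() && ck.Expires.Before(time.Now())) { delete(c.Cookies, ck.Name); continue }` (needs `time`); a `net/http/cookiejar` on the client would give correct scoping for free, and since the mapped hostnames are still the ones in the URL the jar keys line up. Separately, `LoggingRoundTripper` with `LogBody` dumps the login form (credentials) and every Set-Cookie/Authorization header into the test log, which is acceptable for throwaway fixtures but should carry a comment warning not to point this client at real credentials.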
diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go
new file mode 100644
index 00000000000..df75f15c3ef
--- /dev/null
+++ b/test/e2e/tests/oidc.go
@@ -0,0 +1,146 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+// +build e2e
+
+package tests
+
+import (
+ "io"
+ "net/http"
+ "regexp"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/types"
+ gwhttp "sigs.k8s.io/gateway-api/conformance/utils/http"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+const (
+ testURL = "http://www.example.com/myapp"
+ logoutURL = "http://www.example.com/myapp/logout"
+ keyCloakLoginFormID = "kc-form-login"
+ username = "oidcuser"
+ password = "oidcpassword"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, OIDCTest)
+}
+
+// OIDCTest tests OIDC authentication for an http route with OIDC configured.
+// The http route points to an application to verify that OIDC authentication works on application/http path level.
+var OIDCTest = suite.ConformanceTest{
+ ShortName: "OIDC",
+ Description: "Test OIDC authentication",
+ Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("http route with oidc authentication", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "http-with-oidc", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+ securityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "oidc-test", Namespace: ns})
+ podInitialized := corev1.PodCondition{Type: corev1.PodInitialized, Status: corev1.ConditionTrue}
+
+ // Wait for the keycloak pod to be configured with the test user and client
+ waitForPods(t, suite.Client, ns, map[string]string{"job-name": "setup-keycloak"}, corev1.PodSucceeded, podInitialized)
+
+ // Initialize the test OIDC client that will keep track of the state of the OIDC login process
+ client, err := NewOIDCTestClient(
+ WithLoggingOptions(t.Log, true),
+ // Map the application and keycloak cluster DNS name to the gateway address
+ WithCustomAddressMappings(map[string]string{
+ "www.example.com:80": gwAddr,
+ "keycloak.gateway-conformance-infra:80": gwAddr,
+ }),
+ )
+ require.NoError(t, err)
+
+ // Send a request to the http route with OIDC configured.
+ // It will be redirected to the keycloak login page
+ res, err := client.Get(testURL, true)
+ require.NoError(t, err)
+ require.Equal(t, 200, res.StatusCode, "Expected 200 OK")
+
+ // Parse the response body to get the URL where the login page would post the user-entered credentials
+ require.NoError(t, client.ParseLoginForm(res.Body, keyCloakLoginFormID), "Failed to parse login form")
+
+ // Submit the login form to the IdP.
+ // This will authenticate and redirect back to the application
+ res, err = client.Login(map[string]string{"username": username, "password": password, "credentialId": ""})
+ require.NoError(t, err, "Failed to login to the IdP")
+
+ // Verify that we get the expected response from the application
+ body, err := io.ReadAll(res.Body)
+ require.NoError(t, err)
+ require.Equal(t, http.StatusOK, res.StatusCode)
+ require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application")
+
+ // Verify that we can access the application without logging in again
+ res, err = client.Get(testURL, false)
+ require.NoError(t, err)
+ require.Equal(t, http.StatusOK, res.StatusCode)
+ require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application")
+
+ // Verify that we can logout
+ // Note: OAuth2 filter just clears its cookies and does not log out from the IdP.
+ res, err = client.Get(logoutURL, false)
+ require.NoError(t, err)
+ require.Equal(t, http.StatusFound, res.StatusCode)
+
+ // After logout, OAuth2 filter will redirect back to the root of the host, e.g, "www.example.com".
+ // Ideally, this should redirect to the application's root, e.g, "www.example.com/myapp",
+ // but Envoy OAuth2 filter does not support this yet.
+ require.Equal(t, "http://www.example.com/", res.Header.Get("Location"), "Expected redirect to the root of the host")
+
+ // Verify that the oauth2 cookies have been deleted
+ var cookieDeleted bool
+ deletedCookies := res.Header.Values("Set-Cookie")
+ regx := regexp.MustCompile("^IdToken-.+=deleted.+")
+ for _, cookie := range deletedCookies {
+ if regx.Match([]byte(cookie)) {
+ cookieDeleted = true
+ }
+ }
+ require.True(t, cookieDeleted, "IdToken cookie not deleted")
+ })
+
+ t.Run("http route without oidc authentication", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "http-without-oidc", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+ securityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "oidc-test", Namespace: ns})
+ podInitialized := corev1.PodCondition{Type: corev1.PodInitialized, Status: corev1.ConditionTrue}
+ waitForPods(t, suite.Client, ns, map[string]string{"job-name": "setup-keycloak"}, corev1.PodSucceeded, podInitialized)
+
+ expectedResponse := gwhttp.ExpectedResponse{
+ Request: gwhttp.Request{
+ Host: "www.example.com",
+ Path: "/public",
+ },
+ Response: gwhttp.Response{
+ StatusCode: 200,
+ },
+ Namespace: ns,
+ }
+
+ req := gwhttp.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http")
+ cReq, cResp, err := suite.RoundTripper.CaptureRoundTrip(req)
+ if err != nil {
+ t.Errorf("failed to get expected response: %v", err)
+ }
+
+ if err := gwhttp.CompareRequest(t, &req, cReq, cResp, expectedResponse); err != nil {
+ t.Errorf("failed to compare request and response: %v", err)
+ }
+ })
+ },
+}
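Review bot: The "access without logging in again" check is vacuous: after the second `client.Get(testURL, false)` the code re-asserts on the `body` read from the previous response, so the new response body is never inspected and `require.Contains` passes regardless of what the gateway returned; re-read it first with `body, err = io.ReadAll(res.Body)` and `require.NoError(t, err)`, then assert. None of the response bodies are closed across the three requests, so add `defer res.Body.Close()` (or close explicitly) after each successful call. The logout check only verifies that an `IdToken-*` cookie is cleared; if the OAuth2 filter issues other session cookies they should be covered too, but their names are not visible here. The `WithLoggingOptions(t.Log, true)` call writes the username/password form post and the returned tokens into the CI log, fine for the fixed test user but worth a comment saying so.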
diff --git a/test/e2e/tests/retry.go b/test/e2e/tests/retry.go
new file mode 100644
index 00000000000..c2acfecf34c
--- /dev/null
+++ b/test/e2e/tests/retry.go
@@ -0,0 +1,89 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+// +build e2e
+
+package tests
+
+import (
+ "fmt"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/gateway-api/conformance/utils/http"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+
+ "github.com/envoyproxy/gateway/test/e2e/utils/prometheus"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, RetryTest)
+
+}
+
+var RetryTest = suite.ConformanceTest{
+ ShortName: "Retry",
+ Description: "Test that the BackendTrafficPolicy API implementation supports retry",
+ Manifests: []string{"testdata/retry.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("retry-on-500", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "retry-route", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+ expectedResponse := http.ExpectedResponse{
+ Request: http.Request{
+ Path: "/status/500",
+ },
+ Response: http.Response{
+ StatusCode: 500,
+ },
+ Namespace: ns,
+ }
+
+ promAddr, err := prometheus.Address(suite.Client, types.NamespacedName{Name: "prometheus", Namespace: "monitoring"})
+ require.NoError(t, err)
+ promQL := fmt.Sprintf(`envoy_cluster_upstream_rq_retry{envoy_cluster_name="httproute/%s/%s/rule/0"}`, routeNN.Namespace, routeNN.Name)
+
+ before := float64(0)
+ v, err := prometheus.QuerySum(promAddr, promQL)
+ if err == nil {
+ before = v
+ }
+ t.Logf("query count %s before: %v", promQL, before)
+
+ req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http")
+ cReq, cResp, err := suite.RoundTripper.CaptureRoundTrip(req)
+ if err != nil {
+ t.Errorf("failed to get expected response: %v", err)
+ }
+
+ if err := http.CompareRequest(t, &req, cReq, cResp, expectedResponse); err != nil {
+ t.Errorf("failed to compare request and response: %v", err)
+ }
+
+ http.AwaitConvergence(t,
+ suite.TimeoutConfig.RequiredConsecutiveSuccesses,
+ suite.TimeoutConfig.MaxTimeToConsistency,
+ func(_ time.Duration) bool {
+ // check retry stats from Prometheus
+ v, err := prometheus.QuerySum(promAddr, promQL)
+ if err != nil {
+ return false
+ }
+ t.Logf("query count %s after: %v", promQL, v)
+
+ delta := int64(v - before)
+ // numRetries is 5, so delta mod 5 equals 0
+ return delta > 0 && delta%5 == 0
+ })
+ })
+ },
+}
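Review bot: The convergence predicate `delta > 0 && delta%5 == 0` hard-codes the retry count from testdata/retry.yaml (not visible here) and assumes no other traffic reaches `httproute/…/retry-route/rule/0` while it waits; a comment naming that coupling would help, and since exactly one request is sent here `delta == 5` is the tighter assertion. The `before` baseline silently falls back to 0 when the first `QuerySum` errors, so a transient Prometheus failure makes `delta` include every historical retry on the cluster and the check can pass or fail for unrelated reasons; either treat that error as fatal with `require.NoError`, or log it and document why an absent series is acceptable (if the series simply does not exist before the first retry, say so). `int64(v - before)` truncates a float, harmless for counters but `math.Round` would make the intent clear, and the stray blank line in `init()` should go.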
diff --git a/test/e2e/tests/tcp-route.go b/test/e2e/tests/tcp_route.go
similarity index 100%
rename from test/e2e/tests/tcp-route.go
rename to test/e2e/tests/tcp_route.go
diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go
new file mode 100644
index 00000000000..b827c7a3329
--- /dev/null
+++ b/test/e2e/tests/utils.go
@@ -0,0 +1,116 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package tests
+
+import (
+ "context"
+ "fmt"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/wait"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+)
+
+const defaultServiceStartupTimeout = 5 * time.Minute
+
+// waitForPods waits for the pods in the given namespace and with the given selector
+// to be in the given phase and condition.
+func waitForPods(t *testing.T, cl client.Client, namespace string, selectors map[string]string, phase corev1.PodPhase, condition corev1.PodCondition) {
+ t.Logf("waiting for %s/[%s] to be %v...", namespace, selectors, phase)
+
+ require.Eventually(t, func() bool {
+ pods := &corev1.PodList{}
+
+ err := cl.List(context.Background(), pods, &client.ListOptions{
+ Namespace: namespace,
+ LabelSelector: labels.SelectorFromSet(selectors),
+ })
+
+ if err != nil || len(pods.Items) == 0 {
+ return false
+ }
+
+ checkPods:
+ for _, p := range pods.Items {
+ if p.Status.Phase != phase {
+ return false
+ }
+
+ if p.Status.Conditions == nil {
+ return false
+ }
+
+ for _, c := range p.Status.Conditions {
+ if c.Type == condition.Type && c.Status == condition.Status {
+ continue checkPods // pod is ready, check next pod
+ }
+ }
+
+ return false
+ }
+
+ return true
+ }, defaultServiceStartupTimeout, 2*time.Second)
+}
+
+// securityPolicyMustBeAccepted waits for the specified SecurityPolicy to be accepted.
+func securityPolicyMustBeAccepted(
+ t *testing.T,
+ client client.Client,
+ securityPolicyName types.NamespacedName) {
+ t.Helper()
+
+ waitErr := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 60*time.Second, true, func(ctx context.Context) (bool, error) {
+ securityPolicy := &egv1a1.SecurityPolicy{}
+ err := client.Get(ctx, securityPolicyName, securityPolicy)
+ if err != nil {
+ return false, fmt.Errorf("error fetching SecurityPolicy: %w", err)
+ }
+
+ for _, condition := range securityPolicy.Status.Conditions {
+ if condition.Type == string(gwv1a2.PolicyConditionAccepted) && condition.Status == metav1.ConditionTrue {
+ return true, nil
+ }
+ }
+ t.Logf("SecurityPolicy not yet accepted: %v", securityPolicy)
+ return false, nil
+ })
+ require.NoErrorf(t, waitErr, "error waiting for SecurityPolicy to be accepted")
+}
+
+// backendTrafficPolicyMustBeAccepted waits for the specified BackendTrafficPolicy to be accepted.
+func backendTrafficPolicyMustBeAccepted(
+ t *testing.T,
+ client client.Client,
+ policyName types.NamespacedName) {
+ t.Helper()
+
+ waitErr := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 60*time.Second, true, func(ctx context.Context) (bool, error) {
+ policy := &egv1a1.BackendTrafficPolicy{}
+ err := client.Get(ctx, policyName, policy)
+ if err != nil {
+ return false, fmt.Errorf("error fetching BackendTrafficPolicy: %w", err)
+ }
+
+ for _, condition := range policy.Status.Conditions {
+ if condition.Type == string(gwv1a2.PolicyConditionAccepted) && condition.Status == metav1.ConditionTrue {
+ return true, nil
+ }
+ }
+ t.Logf("BackendTrafficPolicy not yet accepted: %v", policy)
+ return false, nil
+ })
+ require.NoErrorf(t, waitErr, "error waiting for BackendTrafficPolicy to be accepted")
+}
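Review bot: In the poll callbacks of securityPolicyMustBeAccepted and backendTrafficPolicyMustBeAccepted a failed `client.Get` returns a non-nil error, and `wait.PollUntilContextTimeout` stops on the first error rather than retrying, so a transient API error or a NotFound while the policy is still being created fails the test before any of the 60s budget is used. Logging and returning `false, nil` keeps the wait semantics: `if err != nil { t.Logf("error fetching SecurityPolicy: %v", err); return false, nil }` (and the same in the BackendTrafficPolicy variant). The parameter named `client` shadows the imported `client` package inside both functions, which compiles but reads poorly; `cl`, as waitForPods uses, would be consistent. The two helpers differ only in the fetched type, so a shared helper could remove the duplication if the policy types expose a common status accessor.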
diff --git a/test/e2e/utils/prometheus/prometheus.go b/test/e2e/utils/prometheus/prometheus.go
new file mode 100644
index 00000000000..641f802609f
--- /dev/null
+++ b/test/e2e/utils/prometheus/prometheus.go
@@ -0,0 +1,92 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+// +build e2e
+
+package prometheus
+
+import (
+ "context"
+ "fmt"
+ "time"
+
+ prom "github.com/prometheus/client_golang/api"
+ prompapiv1 "github.com/prometheus/client_golang/api/prometheus/v1"
+ "github.com/prometheus/common/model"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func Address(c client.Client, nn types.NamespacedName) (string, error) {
+ svc := &corev1.Service{}
+ if err := c.Get(context.TODO(), nn, svc); err != nil {
+ return "", fmt.Errorf("failed to get service: %w", err)
+ }
+ for _, ing := range svc.Status.LoadBalancer.Ingress {
+ if ing.IP != "" {
+ return fmt.Sprintf("http://%s", ing.IP), nil
+ }
+ }
+
+ return "", fmt.Errorf("no ingress found")
+}
+
+func RawQuery(address string, promQL string) (model.Value, error) {
+ c, err := prom.NewClient(prom.Config{Address: address})
+ if err != nil {
+ return nil, err
+ }
+
+ v, _, err := prompapiv1.NewAPI(c).Query(context.Background(), promQL, time.Now())
+ if err != nil {
+ return nil, err
+ }
+
+ switch v.Type() {
+ case model.ValScalar, model.ValString:
+ return v, nil
+ case model.ValVector:
+ value := v.(model.Vector)
+ if len(value) == 0 {
+ return nil, fmt.Errorf("value not found (query: %v)", promQL)
+ }
+ return v, nil
+
+ default:
+ return nil, fmt.Errorf("unhandled value type: %v", v.Type())
+ }
+}
+
+func QuerySum(address string, promQL string) (float64, error) {
+ val, err := RawQuery(address, promQL)
+ if err != nil {
+ return 0, err
+ }
+ got, err := sum(val)
+ if err != nil {
+ return 0, fmt.Errorf("could not find metric value: %w", err)
+ }
+ return got, nil
+}
+
+func sum(val model.Value) (float64, error) {
+ if val.Type() != model.ValVector {
+ return 0, fmt.Errorf("value not a model.Vector; was %s", val.Type().String())
+ }
+
+ value := val.(model.Vector)
+
+ valueCount := 0.0
+ for _, sample := range value {
+ valueCount += float64(sample.Value)
+ }
+
+ if valueCount > 0.0 {
+ return valueCount, nil
+ }
+ return 0, fmt.Errorf("value not found")
+}
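Review bot: Address only reads `ing.IP` from the LoadBalancer ingress entries, so on a cluster whose load-balancer status reports a `Hostname` instead of an IP it returns "no ingress found" even though the service is reachable; adding `if ing.Hostname != "" { return fmt.Sprintf("http://%s", ing.Hostname), nil }` next to the IP branch would cover both. In sum, a vector whose samples legitimately add up to 0 is reported as the error "value not found", so callers cannot distinguish an absent metric from a zero counter; the retry test folds that error into a zero baseline, which works but also hides genuine query failures. RawQuery discards the warnings returned by Query and builds a new client on every call; logging the warnings alongside the error would make a mis-scraped metric easier to diagnose, and a short doc comment on each exported function (Address, RawQuery, QuerySum) stating the returned form (`http://<ip>`, non-empty vector, sum of samples) is missing.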
diff --git a/tools/make/golang.mk b/tools/make/golang.mk
index 9387414afa1..8f30d4a667f 100644
--- a/tools/make/golang.mk
+++ b/tools/make/golang.mk
@@ -50,7 +50,10 @@ go.testdata.complete: ## Override test ouputdata
@$(LOG_TARGET)
go test -timeout 30s github.com/envoyproxy/gateway/internal/xds/translator --override-testdata=true
go test -timeout 30s github.com/envoyproxy/gateway/internal/cmd/egctl --override-testdata=true
- go test -timeout 30s github.com/envoyproxy/gateway/internal/gatewayapi --override-testdata=true
+ go test -timeout 30s github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit --override-testdata=true
+ go test -timeout 30s github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy --override-testdata=true
+ go test -timeout 30s github.com/envoyproxy/gateway/internal/xds/bootstrap --override-testdata=true
+ go test -timeout 60s github.com/envoyproxy/gateway/internal/gatewayapi --override-testdata=true
.PHONY: go.test.coverage
go.test.coverage: $(tools/setup-envtest) ## Run go unit and integration tests in GitHub Actions
diff --git a/tools/make/kube.mk b/tools/make/kube.mk
index 1384c9340e0..2e0bf4e64e9 100644
--- a/tools/make/kube.mk
+++ b/tools/make/kube.mk
@@ -11,6 +11,7 @@ WAIT_TIMEOUT ?= 15m
FLUENT_BIT_CHART_VERSION ?= 0.30.4
OTEL_COLLECTOR_CHART_VERSION ?= 0.73.1
TEMPO_CHART_VERSION ?= 1.3.1
+E2E_RUN_TEST ?=
# Set Kubernetes Resources Directory Path
ifeq ($(origin KUBE_PROVIDER_DIR),undefined)
@@ -113,20 +114,31 @@ install-ratelimit:
kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-ratelimit --for=condition=Available
.PHONY: run-e2e
-run-e2e: prepare-e2e
+run-e2e: install-e2e-telemetry
@$(LOG_TARGET)
kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-ratelimit --for=condition=Available
kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
kubectl apply -f test/config/gatewayclass.yaml
+ifeq ($(E2E_RUN_TEST),)
go test -v -tags e2e ./test/e2e --gateway-class=envoy-gateway --debug=true
+else
+ go test -v -tags e2e ./test/e2e --gateway-class=envoy-gateway --debug=true --run-test $(E2E_RUN_TEST)
+endif
-.PHONY: prepare-e2e
-prepare-e2e: prepare-helm-repo install-fluent-bit install-loki install-tempo install-otel-collector
+.PHONY: install-e2e-telemetry
+install-e2e-telemetry: prepare-helm-repo install-fluent-bit install-loki install-tempo install-otel-collector install-prometheus
@$(LOG_TARGET)
kubectl rollout status daemonset fluent-bit -n monitoring --timeout 5m
kubectl rollout status statefulset loki -n monitoring --timeout 5m
kubectl rollout status statefulset tempo -n monitoring --timeout 5m
kubectl rollout status deployment otel-collector -n monitoring --timeout 5m
+ kubectl rollout status deployment prometheus -n monitoring --timeout 5m
+
+.PHONY: uninstall-e2e-telemetry
+uninstall-e2e-telemetry:
+ @$(LOG_TARGET)
+ kubectl delete -f examples/loki/loki.yaml -n monitoring --ignore-not-found
+ helm delete $(shell helm list -n monitoring -q) -n monitoring
.PHONY: prepare-helm-repo
prepare-helm-repo:
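Review bot: uninstall-e2e-telemetry runs `helm delete $(shell helm list -n monitoring -q) -n monitoring`, which fails with a usage error when the namespace has no releases (helm delete requires at least one release name), so the target is not safe to rerun; guarding it, e.g. `releases=$$(helm list -n monitoring -q); [ -z "$$releases" ] || helm delete $$releases -n monitoring`, makes it idempotent. It also deletes every release in the monitoring namespace, not only those install-e2e-telemetry created, which deserves a comment on the target if that namespace is ever shared with anything else. In run-e2e, `$(E2E_RUN_TEST)` is passed unquoted to `--run-test`; quoting it (`--run-test "$(E2E_RUN_TEST)"`) avoids word-splitting if a pattern containing spaces or shell metacharacters is supplied. The ifeq/else/endif inside the recipe is evaluated at parse time, which works here because E2E_RUN_TEST is defined with `?=` earlier in the file.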
@@ -134,6 +146,7 @@ prepare-helm-repo:
helm repo add fluent https://fluent.github.io/helm-charts
helm repo add grafana https://grafana.github.io/helm-charts
helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
+ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
.PHONY: install-fluent-bit
@@ -151,6 +164,11 @@ install-tempo:
@$(LOG_TARGET)
helm upgrade --install tempo grafana/tempo -f examples/tempo/helm-values.yaml -n monitoring --create-namespace --version $(TEMPO_CHART_VERSION)
+.PHONY: install-prometheus
+install-prometheus:
+ @$(LOG_TARGET)
+ helm upgrade --install prometheus prometheus-community/prometheus -f examples/prometheus/helm-values.yaml -n monitoring --create-namespace
+
.PHONY: install-otel-collector
install-otel-collector:
@$(LOG_TARGET)