diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 80992fc9d6d..cd49c5a82c7 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -20,7 +20,7 @@ jobs: lint: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps # Generate the installation manifests first, so it can check # for errors while running `make -k lint` @@ -31,14 +31,14 @@ jobs: gen-check: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - run: make -k gen-check license-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - run: make -k licensecheck @@ -48,7 +48,7 @@ jobs: contents: read # for actions/checkout id-token: write # for fetching OIDC token steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps # test @@ -67,7 +67,7 @@ jobs: runs-on: ubuntu-latest needs: [lint, gen-check, license-check, coverage-test] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Build EG Multiarch Binaries 
@@ -87,7 +87,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries @@ -114,9 +114,21 @@ jobs: strategy: fail-fast: false matrix: - version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] + target: + - version: v1.28.13 + ipFamily: ipv4 + - version: v1.29.8 + ipFamily: ipv4 + - version: v1.30.4 + ipFamily: ipv4 + # Enable these after https://github.com/envoyproxy/gateway/issues/4572 fixed + # - version: v1.31.0 + # ipFamily: ipv6 # only run ipv6 test on latest version to save time + # TODO: this's IPv4 first, need a way to test IPv6 first. + - version: v1.31.0 + ipFamily: dual # only run dual test on latest version to save time steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries @@ -133,8 +145,9 @@ jobs: # E2E - name: Run E2E Tests env: - KIND_NODE_TAG: ${{ matrix.version }} + KIND_NODE_TAG: ${{ matrix.target.version }} IMAGE_PULL_POLICY: IfNotPresent + IP_FAMILY: ${{ matrix.target.ipFamily }} run: make e2e benchmark-test: @@ -143,7 +156,7 @@ jobs: if: ${{ ! startsWith(github.event_name, 'push') }} needs: [build] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -170,7 +183,7 @@ jobs: runs-on: ubuntu-latest needs: [conformance-test, e2e-test] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries 
@@ -210,4 +223,6 @@ jobs: if: github.event_name == 'push' && github.ref == 'refs/heads/main' # use `0.0.0` as the default latest version. # use `Always` image pull policy for latest version. - run: IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=v0.0.0-latest TAG=latest make helm-push + run: | + IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=v0.0.0-latest TAG=latest make helm-push + IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=0.0.0-latest TAG=latest make helm-push diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5fceea67877..2027c7548aa 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,18 +32,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 687c824ea41..22437cb9cd8 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml 
@@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} @@ -48,7 +48,7 @@ jobs: contents: write steps: - name: Git checkout - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true ref: ${{ github.event.pull_request.head.sha }} @@ -62,7 +62,7 @@ jobs: extended: true - name: Setup Node - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.1.0 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: '18' diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index 931831b2bf1..e2b43edfbba 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -21,7 +21,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps # gateway api experimental conformance diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index a0ceb53e08d..0b709f9fe1a 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -22,7 +22,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz 
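Review bot: The `actions/setup-node` pin in the `@@ -62,7 +62,7 @@` hunk moves from `0a44ba78…` to `39370e39…`, but the trailing comment still reads `# v4.1.0`, so the comment no longer tells a reviewer which upstream release the new commit belongs to. The same pattern appears for `softprops/action-gh-release` in latest_release.yaml and release.yaml, where the SHA changes and the comment stays `# v0.1.15`. Since the SHA is what actually runs, confirm each new commit against the upstream tag list and update the comment to the tag it really corresponds to. If a tag was re-pointed upstream, record that in the commit message.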
@@ -57,7 +57,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Generate Release Manifests @@ -72,11 +72,15 @@ jobs: - name: Build egctl latest multiarch binaries run: | - make build-multiarch BINS="egctl" - tar -zcvf egctl_latest_linux_amd64.tar.gz bin/linux/amd64/ - tar -zcvf egctl_latest_linux_arm64.tar.gz bin/linux/arm64/ - tar -zcvf egctl_latest_darwin_amd64.tar.gz bin/darwin/amd64/ - tar -zcvf egctl_latest_darwin_arm64.tar.gz bin/darwin/arm64/ + make build-multiarch + tar -zcvf envoy-gateway_latest_linux_amd64.tar.gz bin/linux/amd64/envoy-gateway + tar -zcvf envoy-gateway_linux_arm64.tar.gz bin/linux/arm64/envoy-gateway + tar -zcvf envoy-gateway_darwin_amd64.tar.gz bin/darwin/amd64/envoy-gateway + tar -zcvf envoy-gateway_darwin_arm64.tar.gz bin/darwin/arm64/envoy-gateway + tar -zcvf egctl_latest_linux_amd64.tar.gz bin/linux/amd64/egctl + tar -zcvf egctl_latest_linux_arm64.tar.gz bin/linux/arm64/egctl + tar -zcvf egctl_latest_darwin_amd64.tar.gz bin/darwin/amd64/egctl + tar -zcvf egctl_latest_darwin_arm64.tar.gz bin/darwin/arm64/egctl # Ignore the error when we delete the latest release, it might not exist. @@ -103,7 +107,7 @@ jobs: GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }} - name: Recreate the Latest Release and Tag - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v0.1.15 + uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v0.1.15 with: draft: false prerelease: true 
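Review bot: Three of the new `envoy-gateway` archives in the `@@ -72,11 +72,15 @@` hunk are written without the `_latest` infix (`envoy-gateway_linux_arm64.tar.gz`, `envoy-gateway_darwin_amd64.tar.gz`, `envoy-gateway_darwin_arm64.tar.gz`). The upload list added further down in this file (`@@ -112,6 +116,10 @@`) expects `envoy-gateway_latest_*` for all four platforms, so only the linux/amd64 archive will match and the other three will be missing from the release. Rename the outputs to `envoy-gateway_latest_linux_arm64.tar.gz`, `envoy-gateway_latest_darwin_amd64.tar.gz` and `envoy-gateway_latest_darwin_arm64.tar.gz`. Consider setting the release action's `fail_on_unmatched_files: true` so a mismatch like this fails the job instead of publishing an incomplete release.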
@@ -112,6 +116,10 @@ jobs: release-artifacts/install.yaml release-artifacts/quickstart.yaml release-artifacts/benchmark_report.zip + envoy-gateway_latest_linux_amd64.tar.gz + envoy-gateway_latest_linux_arm64.tar.gz + envoy-gateway_latest_darwin_amd64.tar.gz + envoy-gateway_latest_darwin_arm64.tar.gz egctl_latest_linux_amd64.tar.gz egctl_latest_linux_arm64.tar.gz egctl_latest_darwin_amd64.tar.gz diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 2bbb36ce830..649f27fe979 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run scanner uses: google/osv-scanner-action/osv-scanner-action@19ec1116569a47416e11a45848722b1af31a857b # v1.9.0 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a95f411890d..6c4d715edc8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,7 +15,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -50,13 +50,14 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Extract Release Tag and Commit SHA id: vars shell: bash run: | echo "release_tag=$(echo ${GITHUB_REF##*/})" >> $GITHUB_ENV + echo "without_v_release_tag=${release_tag:1}" >> $GITHUB_ENV echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV - name: Login to DockerHub 
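Review bot: In the `@@ -50,13 +50,14 @@` hunk of release.yaml, `${release_tag:1}` expands to an empty string, because `release_tag` is only appended to `$GITHUB_ENV` on the previous line and is never set as a shell variable in this step. Values written to `$GITHUB_ENV` become visible only in later steps. As a result `without_v_release_tag` is exported empty, and the second `make helm-package helm-push` added later in this file runs with an empty `CHART_VERSION`. Assign the variable locally first: `release_tag="${GITHUB_REF##*/}"`, then `echo "release_tag=${release_tag}" >> "$GITHUB_ENV"` and `echo "without_v_release_tag=${release_tag#v}" >> "$GITHUB_ENV"`. Using `#v` strips only a leading `v` rather than whatever the first character is.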
@@ -72,7 +73,9 @@ jobs: run: IMAGE_PULL_POLICY=IfNotPresent make generate-artifacts IMAGE=envoyproxy/gateway TAG=${{ env.release_tag }} OUTPUT_DIR=release-artifacts - name: Build and Push EG Release Helm Chart - run: IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push + run: | + IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push + IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.without_v_release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push - name: Download Benchmark Report uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 
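Review bot: The added `helm-push` line pastes `${{ env.without_v_release_tag }}` and `${{ env.release_tag }}` into the `run:` script as text before the shell parses it. These values come from the pushed ref name, so shell metacharacters in a tag name would be interpreted as script. Both values are already exported through `$GITHUB_ENV`, so the step can read them as ordinary quoted variables, e.g. `CHART_VERSION="${without_v_release_tag}" TAG="${release_tag}" make helm-package helm-push`. The new `tar -zcvf …_${{ env.release_tag }}_…` lines in the next hunk (`@@ -80,15 +83,31 @@`) have the same shape and should use `"${release_tag}"` as well.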
@@ -80,15 +83,31 @@ jobs: name: benchmark_report path: release-artifacts + - name: Build egctl multiarch binaries + run: | + make build-multiarch + tar -zcvf envoy-gateway_${{ env.release_tag }}_linux_amd64.tar.gz bin/linux/amd64/envoy-gateway + tar -zcvf envoy-gateway_${{ env.release_tag }}_linux_arm64.tar.gz bin/linux/arm64/envoy-gateway + tar -zcvf envoy-gateway_${{ env.release_tag }}_darwin_amd64.tar.gz bin/darwin/amd64/envoy-gateway + tar -zcvf envoy-gateway_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/envoy-gateway + tar -zcvf egctl_${{ env.release_tag }}_linux_amd64.tar.gz bin/linux/amd64/egctl + tar -zcvf egctl_${{ env.release_tag }}_linux_arm64.tar.gz bin/linux/arm64/egctl + tar -zcvf egctl_${{ env.release_tag }}_darwin_amd64.tar.gz bin/darwin/amd64/egctl + tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl + - name: Upload Release Manifests - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v0.1.15 + uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v0.1.15 with: files: | release-artifacts/install.yaml release-artifacts/quickstart.yaml release-artifacts/release-notes.yaml release-artifacts/benchmark_report.zip - release-artifacts/egctl_${{ env.release_tag }}_linux_amd64.tar.gz - release-artifacts/egctl_${{ env.release_tag }}_linux_arm64.tar.gz - release-artifacts/egctl_${{ env.release_tag }}_darwin_amd64.tar.gz - release-artifacts/egctl_${{ env.release_tag }}_darwin_arm64.tar.gz + envoy-gateway_${{ env.release_tag }}_linux_amd64.tar.gz + envoy-gateway_${{ env.release_tag }}_linux_arm64.tar.gz + envoy-gateway_${{ env.release_tag }}_darwin_amd64.tar.gz + envoy-gateway_${{ env.release_tag }}_darwin_arm64.tar.gz + egctl_${{ env.release_tag }}_linux_amd64.tar.gz + egctl_${{ env.release_tag }}_linux_arm64.tar.gz + egctl_${{ env.release_tag }}_darwin_amd64.tar.gz + egctl_${{ env.release_tag }}_darwin_arm64.tar.gz 
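Review bot: The new step is named `Build egctl multiarch binaries`, but it runs `make build-multiarch` without `BINS` and packages both `envoy-gateway` and `egctl`, so the name under-describes what ends up in the release. Something like `- name: Build and package multiarch binaries` would match the step's contents. The unchanged step name `Build egctl latest multiarch binaries` in latest_release.yaml is now stale in the same way.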
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 018bb5c0dd7..6e816b5460f 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -21,7 +21,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: sarif_file: results.sarif diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index f34bd237a88..077dfa44fcb 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build an image from Dockerfile run: | diff --git a/OWNERS b/OWNERS index 9237b007189..4a2e54e6db2 100644 --- a/OWNERS +++ b/OWNERS @@ -9,7 +9,6 @@ admins: maintainers: -- AliceProxy - arkodg - Xunzhuo - zirain @@ -25,6 +24,7 @@ emeritus-maintainers: - skriss - youngnick - qicz +- Alice-Lilith reviewers: diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go index c61b43c82e1..68c451e68df 100644 --- a/api/v1alpha1/envoygateway_helpers.go +++ b/api/v1alpha1/envoygateway_helpers.go @@ -6,7 +6,8 @@ package v1alpha1 import ( - "fmt" + "net" + "strconv" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" 
@@ -80,7 +81,7 @@ func (e *EnvoyGateway) GetEnvoyGatewayAdmin() *EnvoyGatewayAdmin { func (e *EnvoyGateway) GetEnvoyGatewayAdminAddress() string { address := e.GetEnvoyGatewayAdmin().Address if address != nil { - return fmt.Sprintf("%s:%d", address.Host, address.Port) + return net.JoinHostPort(address.Host, strconv.Itoa(address.Port)) } return "" diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index fc6121f6922..aff125785e2 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -28,7 +28,7 @@ const ( // DefaultShutdownManagerMemoryResourceRequests for shutdown manager memory resource DefaultShutdownManagerMemoryResourceRequests = "32Mi" // DefaultShutdownManagerImage is the default image used for the shutdown manager. - DefaultShutdownManagerImage = "envoyproxy/gateway-dev:latest" + DefaultShutdownManagerImage = "docker.io/envoyproxy/gateway-dev:latest" // DefaultRateLimitImage is the default image used by ratelimit. DefaultRateLimitImage = "envoyproxy/ratelimit:28b1629a" // HTTPProtocol is the common-used http protocol. diff --git a/charts/gateway-addons-helm/Chart.lock b/charts/gateway-addons-helm/Chart.lock index 228a952fdc1..4e15b355cb5 100644 --- a/charts/gateway-addons-helm/Chart.lock +++ b/charts/gateway-addons-helm/Chart.lock @@ -8,6 +8,9 @@ dependencies: - name: fluent-bit repository: https://fluent.github.io/helm-charts version: 0.30.4 +- name: alloy + repository: https://grafana.github.io/helm-charts + version: 0.9.2 - name: loki repository: https://grafana.github.io/helm-charts version: 4.8.0 @@ -17,5 +20,5 @@ dependencies: - name: opentelemetry-collector repository: https://open-telemetry.github.io/opentelemetry-helm-charts version: 0.108.0 -digest: sha256:ea6663bb1358123b96b69d2c5b0b8c20650a43dc39b24c482f0560201fd2cc3a -generated: "2024-10-19T12:59:47.251089661+02:00" +digest: sha256:bc634c59972bfd4a01e0f4310a4949095752e659a9b5cb1d9c0fbe9a86f37011 +generated: "2024-10-25T10:55:26.755739+08:00" 
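Review bot: `net.JoinHostPort` wraps any host containing a colon in brackets, so a configured `Host` that is already written as `[::1]` would come out as `[[::1]]:port`. Whether the API validation rejects bracketed hosts is not visible in this hunk. A doc comment on `GetEnvoyGatewayAdminAddress` would make the contract explicit, for example `// Host must be an unbracketed hostname or IP literal; brackets for IPv6 are added here.` The function's closing brace lies outside the hunk.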
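Review bot: In shared_types.go, `DefaultShutdownManagerImage` is now registry-qualified, but `DefaultRateLimitImage` two lines below remains `"envoyproxy/ratelimit:28b1629a"`. An unqualified name is resolved through the node's container-runtime registry configuration, which is the ambiguity the qualified form removes, so the two defaults now behave differently. Unless that is intentional, change it to `DefaultRateLimitImage = "docker.io/envoyproxy/ratelimit:28b1629a"`. The const block continues outside this hunk, so other image defaults may need the same treatment.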
diff --git a/charts/gateway-addons-helm/Chart.yaml b/charts/gateway-addons-helm/Chart.yaml index 2571ccec51e..3a2303ef8c9 100644 --- a/charts/gateway-addons-helm/Chart.yaml +++ b/charts/gateway-addons-helm/Chart.yaml @@ -37,6 +37,10 @@ dependencies: repository: https://fluent.github.io/helm-charts version: 0.30.4 condition: fluent-bit.enabled + - name: alloy + repository: https://grafana.github.io/helm-charts + version: 0.9.2 + condition: alloy.enabled - name: loki version: 4.8.0 repository: https://grafana.github.io/helm-charts diff --git a/charts/gateway-addons-helm/README.md b/charts/gateway-addons-helm/README.md index a52af3e2d14..b30a535e724 100644 --- a/charts/gateway-addons-helm/README.md +++ b/charts/gateway-addons-helm/README.md @@ -22,6 +22,7 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | 
@@ -55,6 +56,9 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = [\"__meta_kubernetes_namespace\", 
\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n multiline.parser docker, 
cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | 
@@ -107,15 +111,21 @@ To uninstall the chart: | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` | | +| 
opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | @@ -127,6 +137,7 @@ To uninstall the chart: | opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | diff --git a/charts/gateway-addons-helm/values.yaml b/charts/gateway-addons-helm/values.yaml index d3fb043ddd4..f8f80958129 100644 --- a/charts/gateway-addons-helm/values.yaml +++ b/charts/gateway-addons-helm/values.yaml 
@@ -60,6 +60,7 @@ prometheus: # Values for Fluent-bit dependency +# TODO: remove fluent-bit dependency fluent-bit: enabled: true image: 
@@ -167,6 +168,109 @@ loki: gateway: enabled: false +# Values for Alloy dependency +alloy: + enabled: false + fullnameOverride: alloy + alloy: + configMap: + content: |- + // Write your Alloy config here: + logging { + level = "info" + format = "logfmt" + } + loki.write "alloy" { + endpoint { + url = "http://loki.monitoring.svc:3100/loki/api/v1/push" + } + } + // discovery.kubernetes allows you to find scrape targets from Kubernetes resources. + // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster. + discovery.kubernetes "pod" { + role = "pod" + } + + // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules. + // If no rules are defined, then the input targets are exported as-is. + discovery.relabel "pod_logs" { + targets = discovery.kubernetes.pod.targets + + // Label creation - "namespace" field from "__meta_kubernetes_namespace" + rule { + source_labels = ["__meta_kubernetes_namespace"] + action = "replace" + target_label = "namespace" + } + + // Label creation - "pod" field from "__meta_kubernetes_pod_name" + rule { + source_labels = ["__meta_kubernetes_pod_name"] + action = "replace" + target_label = "pod" + } + + // Label creation - "container" field from "__meta_kubernetes_pod_container_name" + rule { + source_labels = ["__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "container" + } + + // Label creation - "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name" + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"] + action = "replace" + target_label = "app" + } + + // Label creation - "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name + rule { + source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"] + action = 
"replace" + target_label = "job" + separator = "/" + replacement = "$1" + } + + // Label creation - "container" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log + rule { + source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "__path__" + separator = "/" + replacement = "/var/log/pods/*$1/*.log" + } + + // Label creation - "container_runtime" field from "__meta_kubernetes_pod_container_id" + rule { + source_labels = ["__meta_kubernetes_pod_container_id"] + action = "replace" + target_label = "container_runtime" + regex = "^(\\S+):\\/\\/.+$" + replacement = "$1" + } + } + + // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API. + loki.source.kubernetes "pod_logs" { + targets = discovery.relabel.pod_logs.output + forward_to = [loki.process.pod_logs.receiver] + } + // loki.process receives log entries from other Loki components, applies one or more processing stages, + // and forwards the results to the list of receivers in the component’s arguments. + loki.process "pod_logs" { + stage.static_labels { + values = { + cluster = "envoy-gateway", + } + } + + forward_to = [loki.write.alloy.receiver] + } + # Values for Tempo dependency tempo: @@ -186,7 +290,7 @@ opentelemetry-collector: config: exporters: prometheus: - endpoint: 0.0.0.0:19001 + endpoint: "[${env:MY_POD_IP}]:19001" debug: verbosity: detailed loki: @@ -196,10 +300,8 @@ opentelemetry-collector: tls: insecure: true extensions: - # The health_check extension is mandatory for this chart. - # Without the health_check extension the collector will fail the readiness and liveliness probes. - # The health_check extension can be modified, but should never be removed. - health_check: {} + health_check: + endpoint: "[${env:MY_POD_IP}]:13133" processors: attributes: actions: 
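Review bot: The new Alloy config's `discovery.kubernetes "pod"` block has no namespace or selector restriction, and `discovery.relabel "pod_logs"` has only `replace` rules, so enabling `alloy` forwards logs from every pod the service account can read to Loki. The fluent-bit configuration it is meant to replace keeps only containers matching `^envoy$` (see its `grep` filter in the chart README), so this widens what is collected, including logs from unrelated workloads. Add a rule with `action = "keep"` on `__meta_kubernetes_pod_container_name` and `regex = "envoy"`, or scope discovery with a `namespaces` block, so the default matches the existing behaviour. Separately, the comment `Label creation - "container" field from "__meta_kubernetes_pod_uid"…` describes a rule whose `target_label` is `__path__`, so the comment should say `"__path__"`.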
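Review bot: The endpoint in the `@@ -186,7 +290,7 @@` hunk changes from `0.0.0.0:19001` to `"[${env:MY_POD_IP}]:19001"` without a comment explaining the brackets or the dependency on `MY_POD_IP`. The same form is introduced for `health_check` in the next hunk and for every receiver in `@@ -209,17 +311,36 @@`. A single comment above `config:` would cover all of them, e.g. `# Endpoints use [${env:MY_POD_IP}] so the host:port stays valid when the pod IP is IPv6; MY_POD_IP is expected to be injected by the subchart.` The listener also no longer binds to all interfaces, so anything that reached it via loopback (a local port-forward, presumably) should be re-checked.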
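Review bot: The `@@ -196,10 +300,8 @@` hunk deletes the three-line comment warning that the `health_check` extension is mandatory and that the collector fails its readiness and liveness probes without it. The extension is still required, and it now has an explicit `endpoint` that a user may be tempted to edit. Keep the warning above `health_check:`, for example `# The health_check extension is mandatory for this chart; it can be modified but should never be removed.` It would also help to state that the endpoint must remain reachable by the probes.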
@@ -209,17 +311,36 @@ opentelemetry-collector: # Loki will convert this to k8s_pod_name label. value: k8s.pod.name, k8s.namespace.name receivers: + jaeger: + protocols: + grpc: + endpoint: "[${env:MY_POD_IP}]:14250" + thrift_http: + endpoint: "[${env:MY_POD_IP}]:14268" + thrift_compact: + endpoint: "[${env:MY_POD_IP}]:6831" datadog: - endpoint: ${env:MY_POD_IP}:8126 + endpoint: "[${env:MY_POD_IP}]:8126" zipkin: - endpoint: ${env:MY_POD_IP}:9411 + endpoint: "[${env:MY_POD_IP}]:9411" otlp: protocols: grpc: - endpoint: ${env:MY_POD_IP}:4317 + endpoint: "[${env:MY_POD_IP}]:4317" http: - endpoint: ${env:MY_POD_IP}:4318 + endpoint: "[${env:MY_POD_IP}]:4318" + prometheus: + config: + scrape_configs: + - job_name: opentelemetry-collector + scrape_interval: 10s + static_configs: + - targets: + - "[${env:MY_POD_IP}]:8888" service: + telemetry: + metrics: + address: "[${env:MY_POD_IP}]:8888" extensions: - health_check pipelines: diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 61942016a29..5d9cecf616b 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md 
@@ -59,7 +59,7 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -71,6 +71,13 @@ To uninstall the chart: | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml index 00b7b6f8dca..f98c414ba22 100644 --- a/charts/gateway-helm/templates/certgen.yaml +++ b/charts/gateway-helm/templates/certgen.yaml @@ -39,17 +39,7 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsGroup: 65534 - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault + {{- toYaml .Values.certgen.job.securityContext | nindent 10 }} {{- include "eg.image.pullSecrets" . | nindent 6 }} {{- with .Values.certgen.job.affinity }} affinity: diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index 0be895fe76f..7746dd2e4ac 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml 
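Review bot: In the certgen.yaml hunk, `securityContext:` is now rendered unconditionally from `.Values.certgen.job.securityContext`, so a values override that sets the key to `null` should render `securityContext: null`. The certgen container would then run without any of the hardening the template used to hard-code (dropped capabilities, `runAsNonRoot`, read-only root filesystem, seccomp profile). The same pattern is introduced for `.Values.deployment.envoyGateway.securityContext` in envoy-gateway-deployment.yaml. Wrapping the key the way the neighbouring `affinity` block is wrapped, `{{- with .Values.certgen.job.securityContext }}` … `{{- end }}`, at least keeps the manifest free of a null field. A rendered-manifest check in CI that asserts `runAsNonRoot: true` and `allowPrivilegeEscalation: false` on both containers would catch a weakened override before release.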
+++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -30,7 +30,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.deployment.pod.nodeSelector }} - nodeSelector: + nodeSelector: {{ toYaml . | nindent 8 }} {{- end }} {{- with .Values.deployment.pod.topologySpreadConstraints }} @@ -73,19 +73,10 @@ spec: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 - resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 - }} + resources: + {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - runAsGroup: 65532 - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault + {{- toYaml .Values.deployment.envoyGateway.securityContext | nindent 10 }} volumeMounts: - mountPath: /config name: envoy-gateway-config diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 90e72f09956..cfcd9532491 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -35,6 +35,17 @@ deployment: requests: cpu: 100m memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault ports: - name: grpc port: 18000 @@ -86,6 +97,18 @@ certgen: tolerations: [] nodeSelector: {} ttlSecondsAfterFinished: 30 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault rbac: annotations: {} labels: {} diff --git a/examples/envoy-als/Dockerfile b/examples/envoy-als/Dockerfile new file mode 100644 index 00000000000..0ad9437f993 --- /dev/null +++ b/examples/envoy-als/Dockerfile 
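Review bot: The two `securityContext:` blocks added to values.tmpl.yaml carry no description comment, which is presumably why the new `deployment.envoyGateway.securityContext.*` rows in the chart README have an empty Description column. These values are the container hardening baseline, so say that where operators edit them, in whatever comment form generates the README. Suggested wording: `# -- Container securityContext for the Envoy Gateway container; hardened defaults, change single fields only when a platform policy requires it.`, with an equivalent line above `certgen.job.securityContext`. The deployment default still omits `readOnlyRootFilesystem: true`, which the certgen default sets; if the controller does not write to its root filesystem, aligning the two is worth a follow-up.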
@@ -0,0 +1,23 @@
+FROM golang:1.23.1 AS builder
+
+ARG GO_LDFLAGS=""
+
+WORKDIR /workspace
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ go mod download
+
+COPY . ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ CGO_ENABLED=0 \
+ GOOS=${TARGETOS} \
+ GOARCH=${TARGETARCH} \
+ go build -o /bin/envoy-als -ldflags "${GO_LDFLAGS}" .
+
+# Make our production image
+FROM gcr.io/distroless/static-debian11:nonroot
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /bin/envoy-als /
+
+USER nonroot:nonroot
+ENTRYPOINT ["/envoy-als"]
diff --git a/examples/envoy-als/Makefile b/examples/envoy-als/Makefile
new file mode 100644
index 00000000000..a8ca6cec25d
--- /dev/null
+++ b/examples/envoy-als/Makefile
@@ -0,0 +1,8 @@
+
+IMAGE_PREFIX ?= envoyproxy/gateway-
+APP_NAME ?= envoy-als
+TAG ?= latest
+
+.PHONY: docker-buildx
+docker-buildx:
+ docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load
diff --git a/examples/envoy-als/go.mod b/examples/envoy-als/go.mod
new file mode 100644
index 00000000000..610090483ad
--- /dev/null
+++ b/examples/envoy-als/go.mod
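Review bot: Both `FROM` lines in examples/envoy-als/Dockerfile reference mutable tags (`golang:1.23.1` and `gcr.io/distroless/static-debian11:nonroot`), so a rebuild can pull different base contents with no change in this repository. Pin each base by digest and let the dependency bot update it, e.g. `FROM golang:1.23.1@sha256:<digest-placeholder> AS builder`. The same two unpinned bases recur in examples/grpc-ext-auth/Dockerfile and examples/grpc-ext-proc/Dockerfile. Separately, `GOOS=${TARGETOS}` and `GOARCH=${TARGETARCH}` are used without the stage declaring them, so they presumably expand to empty strings and the binary is built for the builder's own platform; add `ARG TARGETOS` and `ARG TARGETARCH` after the first `FROM`.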
@@ -0,0 +1,27 @@
+module github.com/envoyproxy/gateway-envoy-als
+
+go 1.23.1
+
+require (
+ github.com/envoyproxy/go-control-plane v0.13.1
+ github.com/prometheus/client_golang v1.20.5
+ google.golang.org/grpc v1.67.1
+)
+
+require (
+ github.com/beorn7/perks v1.0.1 // indirect
+ github.com/cespare/xxhash/v2 v2.3.0 // indirect
+ github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
+ github.com/klauspost/compress v1.17.9 // indirect
+ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+ github.com/prometheus/client_model v0.6.1 // indirect
+ github.com/prometheus/common v0.55.0 // indirect
+ github.com/prometheus/procfs v0.15.1 // indirect
+ golang.org/x/net v0.28.0 // indirect
+ golang.org/x/sys v0.24.0 // indirect
+ golang.org/x/text v0.17.0 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
+ google.golang.org/protobuf v1.34.2 // indirect
+)
diff --git a/examples/envoy-als/go.sum b/examples/envoy-als/go.sum
new file mode 100644
index 00000000000..1e30c20ec65
--- /dev/null
+++ b/examples/envoy-als/go.sum
@@ -0,0 +1,40 @@ +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= 
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= diff --git a/examples/envoy-als/main.go b/examples/envoy-als/main.go new file mode 100644 index 00000000000..9cecabe763a --- /dev/null +++ b/examples/envoy-als/main.go 
@@ -0,0 +1,115 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package main + +import ( + "log" + "net" + "net/http" + + alsv2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2" + alsv3 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3" + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promhttp" + + "google.golang.org/grpc" +) + +var ( + LogCount = prometheus.NewCounterVec(prometheus.CounterOpts{ + Name: "log_count", + Help: "The total number of logs received.", + }, []string{"api_version"}) +) + +func init() { + // Register the summary and the histogram with Prometheus's default registry. + prometheus.MustRegister(LogCount) +} + +type ALSServer struct { +} + +func (a *ALSServer) StreamAccessLogs(logStream alsv2.AccessLogService_StreamAccessLogsServer) error { + log.Println("Streaming als v2 logs") + for { + data, err := logStream.Recv() + if err != nil { + return err + } + + httpLogs := data.GetHttpLogs() + if httpLogs != nil { + LogCount.WithLabelValues("v2").Add(float64(len(httpLogs.LogEntry))) + } + + log.Printf("Received v2 log data: %s\n", data.String()) + } +} + +type ALSServerV3 struct { +} + +func (a *ALSServerV3) StreamAccessLogs(logStream alsv3.AccessLogService_StreamAccessLogsServer) error { + log.Println("Streaming als v3 logs") + for { + data, err := logStream.Recv() + if err != nil { + return err + } + + httpLogs := data.GetHttpLogs() + if httpLogs != nil { + LogCount.WithLabelValues("v3").Add(float64(len(httpLogs.LogEntry))) + } + + log.Printf("Received v3 log data: %s\n", data.String()) + } +} + +func NewALSServer() *ALSServer { + return &ALSServer{} +} + +func NewALSServerV3() *ALSServerV3 { + return &ALSServerV3{} +} + +func main() { + mux := http.NewServeMux() + if err := addMonitor(mux); err != nil { + log.Printf("could not 
establish self-monitoring: %v\n", err) + } + + s := &http.Server{ + Addr: ":19001", + Handler: mux, + } + + go func() { + s.ListenAndServe() + }() + + listener, err := net.Listen("tcp", "0.0.0.0:8080") + if err != nil { + log.Fatalf("Failed to start listener on port 8080: %v", err) + } + + var opts []grpc.ServerOption + grpcServer := grpc.NewServer(opts...) + alsv2.RegisterAccessLogServiceServer(grpcServer, NewALSServer()) + alsv3.RegisterAccessLogServiceServer(grpcServer, NewALSServerV3()) + log.Println("Starting ALS Server") + if err := grpcServer.Serve(listener); err != nil { + log.Fatalf("grpc serve err: %v", err) + } +} + +func addMonitor(mux *http.ServeMux) error { + mux.Handle("/metrics", promhttp.HandlerFor(prometheus.DefaultGatherer, promhttp.HandlerOpts{EnableOpenMetrics: true})) + + return nil +} diff --git a/examples/extension-server/cmd/extension-server/main.go b/examples/extension-server/cmd/extension-server/main.go index 4a6b0474621..41a9018adc0 100644 --- a/examples/extension-server/cmd/extension-server/main.go +++ b/examples/extension-server/cmd/extension-server/main.go @@ -6,7 +6,6 @@ package main import ( - "fmt" "log/slog" "net" "os" @@ -82,7 +81,7 @@ func startExtensionServer(cCtx *cli.Context) error { logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{ Level: level, })) - address := fmt.Sprintf("%s:%d", cCtx.String("host"), cCtx.Int("port")) + address := net.JoinHostPort(cCtx.String("host"), cCtx.String("port")) logger.Info("Starting the extension server", slog.String("host", address)) lis, err := net.Listen("tcp", address) if err != nil { diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 25eb15516ef..7b09ae7320b 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod 
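Review bot: In examples/envoy-als/main.go the metrics server is started with `s.ListenAndServe()` inside a goroutine and its error is discarded, so a bind failure on `:19001` leaves the process running with no `/metrics` endpoint and no log line. The `http.Server` literal also sets no timeouts, so idle or slow clients can hold connections open indefinitely. I would add `ReadHeaderTimeout: 5 * time.Second,` to the literal (plus the `time` import) and change the goroutine body to `if err := s.ListenAndServe(); err != nil { log.Printf("metrics server stopped: %v", err) }`. Both `StreamAccessLogs` methods print the whole received message with `data.String()`; access-log entries can carry request headers and paths, so a comment such as `// Example only: logs full access-log entries, which may contain sensitive request data.` would warn anyone copying this into a real deployment. The comment in `init` mentions a summary and a histogram, but only the `LogCount` counter is registered.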
@@ -8,8 +8,8 @@ require ( github.com/urfave/cli/v2 v2.27.5 google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.35.1 - k8s.io/apimachinery v0.31.1 - sigs.k8s.io/controller-runtime v0.19.0 + k8s.io/apimachinery v0.31.2 + sigs.k8s.io/controller-runtime v0.19.1 sigs.k8s.io/gateway-api v1.2.0 ) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 29bfba9e9f4..42db960b446 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -123,16 +123,16 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= -k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= -k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= -k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= +k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= +k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= +k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= -sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk= +sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= 
diff --git a/examples/grpc-ext-auth/Dockerfile b/examples/grpc-ext-auth/Dockerfile
new file mode 100644
index 00000000000..4f6ea6ff545
--- /dev/null
+++ b/examples/grpc-ext-auth/Dockerfile
@@ -0,0 +1,23 @@
+FROM golang:1.23.1 AS builder
+
+ARG GO_LDFLAGS=""
+
+WORKDIR /workspace
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ go mod download
+
+COPY . ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ CGO_ENABLED=0 \
+ GOOS=${TARGETOS} \
+ GOARCH=${TARGETARCH} \
+ go build -o /bin/grpc-ext-auth -ldflags "${GO_LDFLAGS}" .
+
+# Make our production image
+FROM gcr.io/distroless/static-debian11:nonroot
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /bin/grpc-ext-auth /
+
+USER nonroot:nonroot
+ENTRYPOINT ["/grpc-ext-auth"]
diff --git a/examples/grpc-ext-auth/Makefile b/examples/grpc-ext-auth/Makefile
new file mode 100644
index 00000000000..bdcb69d99eb
--- /dev/null
+++ b/examples/grpc-ext-auth/Makefile
@@ -0,0 +1,8 @@
+
+IMAGE_PREFIX ?= envoyproxy/gateway-
+APP_NAME ?= grpc-ext-auth
+TAG ?= latest
+
+.PHONY: docker-buildx
+docker-buildx:
+ docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load
diff --git a/examples/grpc-ext-auth/go.mod b/examples/grpc-ext-auth/go.mod
new file mode 100644
index 00000000000..8e3fcb7e061
--- /dev/null
+++ b/examples/grpc-ext-auth/go.mod
@@ -0,0 +1,20 @@
+module github.com/envoyproxy/gateway-grcp-ext-auth
+
+go 1.23.1
+
+require (
+ github.com/envoyproxy/go-control-plane v0.13.1
+ github.com/golang/protobuf v1.5.4
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38
+ google.golang.org/grpc v1.67.1
+)
+
+require (
+ github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
+ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+ golang.org/x/net v0.28.0 // indirect
+ golang.org/x/sys v0.24.0 // indirect
+ golang.org/x/text v0.17.0 // indirect
+ google.golang.org/protobuf v1.35.1 // indirect
+)
diff --git a/examples/grpc-ext-auth/go.sum b/examples/grpc-ext-auth/go.sum
new file mode 100644
index 00000000000..03b2f7f5cee
--- /dev/null
+++ b/examples/grpc-ext-auth/go.sum
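Review bot: The module path on the first line of examples/grpc-ext-auth/go.mod is misspelled as `gateway-grcp-ext-auth`; the directory is `grpc-ext-auth` and the sibling example uses `gateway-grpc-ext-proc`. A module path is hard to change once something imports it, so fix it now: `module github.com/envoyproxy/gateway-grpc-ext-auth`. The direct requirement on `github.com/golang/protobuf` exists only for the `ptypes/wrappers` import in main.go. That module is deprecated in favour of `google.golang.org/protobuf`, already in this file as an indirect dependency, so importing `google.golang.org/protobuf/types/known/wrapperspb` would drop one direct dependency from the example.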
@@ -0,0 +1,24 @@ +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/grpc v1.67.1 
h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= diff --git a/examples/grpc-ext-auth/main.go b/examples/grpc-ext-auth/main.go new file mode 100644 index 00000000000..f63b0ec1e85 --- /dev/null +++ b/examples/grpc-ext-auth/main.go 
@@ -0,0 +1,225 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package main
+
+import (
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "flag"
+ "fmt"
+ "log"
+ "net"
+ "net/http"
+ "os"
+ "strings"
+
+ envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/golang/protobuf/ptypes/wrappers"
+ "google.golang.org/genproto/googleapis/rpc/code"
+ "google.golang.org/genproto/googleapis/rpc/status"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
+)
+
+var (
+ port int
+ certPath string
+)
+
+func main() {
+ flag.IntVar(&port, "port", 9002, "gRPC port")
+ flag.StringVar(&certPath, "certPath", "", "path to server certificate and private key")
+ flag.Parse()
+
+ lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+ if err != nil {
+ log.Fatalf("failed to listen to %d: %v", port, err)
+ }
+
+ users := TestUsers()
+
+ // Load TLS credentials
+ creds, err := loadTLSCredentials(certPath)
+ if err != nil {
+ log.Fatalf("Failed to load TLS credentials: %v", err)
+ }
+ gs := grpc.NewServer(grpc.Creds(creds))
+
+ envoy_service_auth_v3.RegisterAuthorizationServer(gs, NewAuthServer(users))
+
+ log.Printf("starting gRPC server on: %d\n", port)
+
+ go func() {
+ err = gs.Serve(lis)
+ if err != nil {
+ log.Fatalf("failed to serve: %v", err)
+ }
+ }()
+
+ http.HandleFunc("/healthz", healthCheckHandler)
+ err = http.ListenAndServe(":8080", nil)
+ if err != nil {
+ log.Fatalf("failed to serve: %v", err)
+ }
+}
+
+type authServer struct {
+ users Users
+}
+
+var _ envoy_service_auth_v3.AuthorizationServer = &authServer{}
+
+// NewAuthServer creates a new authorization server.
+func NewAuthServer(users Users) envoy_service_auth_v3.AuthorizationServer {
+ return &authServer{users}
+}
+
+// Check implements authorization's Check interface which performs authorization check based on the
+// attributes associated with the incoming request.
+func (s *authServer) Check(
+ _ context.Context,
+ req *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
+ authorization := req.Attributes.Request.Http.Headers["authorization"]
+ log.Println(authorization)
+
+ extracted := strings.Fields(authorization)
+ if len(extracted) == 2 && extracted[0] == "Bearer" {
+ valid, user := s.users.Check(extracted[1])
+ if valid {
+ return &envoy_service_auth_v3.CheckResponse{
+ HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{
+ OkResponse: &envoy_service_auth_v3.OkHttpResponse{
+ Headers: []*envoy_api_v3_core.HeaderValueOption{
+ {
+ Append: &wrappers.BoolValue{Value: false},
+ Header: &envoy_api_v3_core.HeaderValue{
+ // For a successful request, the authorization server sets the
+ // x-current-user value.
+ Key: "x-current-user",
+ Value: user,
+ },
+ },
+ },
+ },
+ },
+ Status: &status.Status{
+ Code: int32(code.Code_OK),
+ },
+ }, nil
+ }
+ }
+
+ return &envoy_service_auth_v3.CheckResponse{
+ Status: &status.Status{
+ Code: int32(code.Code_PERMISSION_DENIED),
+ },
+ }, nil
+}
+
+// Users holds a list of users.
+type Users map[string]string
+
+// Check checks if a key could retrieve a user from a list of users.
+func (u Users) Check(key string) (bool, string) {
+ value, ok := u[key]
+ if !ok {
+ return false, ""
+ }
+ return ok, value
+}
+
+func TestUsers() Users {
+ return map[string]string{
+ "token1": "user1",
+ "token2": "user2",
+ "token3": "user3",
+ }
+}
+
+func healthCheckHandler(w http.ResponseWriter, r *http.Request) {
+ certPool, err := loadCA(certPath)
+ if err != nil {
+ log.Fatalf("Could not load CA certificate: %v", err)
+ }
+
+ // Create TLS configuration
+ tlsConfig := &tls.Config{
+ RootCAs: certPool,
+ }
+
+ // Create gRPC dial options
+ opts := []grpc.DialOption{
+ grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
+ }
+
+ conn, err := grpc.Dial("localhost:9002", opts...)
+ if err != nil {
+ log.Fatalf("Could not connect: %v", err)
+ }
+ client := envoy_service_auth_v3.NewAuthorizationClient(conn)
+
+ response, err := client.Check(context.Background(), &envoy_service_auth_v3.CheckRequest{
+ Attributes: &envoy_service_auth_v3.AttributeContext{
+ Request: &envoy_service_auth_v3.AttributeContext_Request{
+ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
+ Headers: map[string]string{
+ "authorization": "Bearer token1",
+ },
+ },
+ },
+ },
+ })
+ if err != nil {
+ log.Fatalf("Could not check: %v", err)
+ }
+ if response != nil && response.Status.Code == int32(code.Code_OK) {
+ w.WriteHeader(http.StatusOK)
+ } else {
+ w.WriteHeader(http.StatusServiceUnavailable)
+ }
+}
+
+func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) {
+ // Load server's certificate and private key
+ crt := "server.crt"
+ key := "server.key"
+
+ if certPath != "" {
+ if !strings.HasSuffix(certPath, "/") {
+ certPath = fmt.Sprintf("%s/", certPath)
+ }
+ crt = fmt.Sprintf("%s%s", certPath, crt)
+ key = fmt.Sprintf("%s%s", certPath, key)
+ }
+ certificate, err := tls.LoadX509KeyPair(crt, key)
+ if err != nil {
+ return nil, fmt.Errorf("could not load server key pair: %s", err)
+ }
+
+ // Create a new credentials object
+ creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}})
+
+ return creds, nil
+}
+
+func loadCA(caPath string) (*x509.CertPool, error) {
+ ca := x509.NewCertPool()
+ caCertPath := "server.crt"
+ if caPath != "" {
+ if !strings.HasSuffix(caPath, "/") {
+ caPath = fmt.Sprintf("%s/", caPath)
+ }
+ caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath)
+ }
+ caCert, err := os.ReadFile(caCertPath)
+ if err != nil {
+ return nil, fmt.Errorf("could not read ca certificate: %s", err)
+ }
+ ca.AppendCertsFromPEM(caCert)
+ return ca, nil
+}
diff --git a/examples/grpc-ext-proc/Dockerfile b/examples/grpc-ext-proc/Dockerfile
new file mode 100644
index 00000000000..a07ab13f48b
--- /dev/null
+++ b/examples/grpc-ext-proc/Dockerfile
@@ -0,0 +1,22 @@
+FROM golang:1.23.1 AS builder
+
+ARG GO_LDFLAGS=""
+
+WORKDIR /workspace
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ go mod download
+
+COPY . ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ CGO_ENABLED=0 \
+ GOOS=${TARGETOS} \
+ GOARCH=${TARGETARCH} \
+ go build -o /bin/grpc-ext-proc -ldflags "${GO_LDFLAGS}" .
+
+# Need root user for UDS
+FROM gcr.io/distroless/static-debian11
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /bin/grpc-ext-proc /
+
+ENTRYPOINT ["/grpc-ext-proc"]
diff --git a/examples/grpc-ext-proc/Makefile b/examples/grpc-ext-proc/Makefile
new file mode 100644
index 00000000000..85de130d8fd
--- /dev/null
+++ b/examples/grpc-ext-proc/Makefile
@@ -0,0 +1,8 @@
+
+IMAGE_PREFIX ?= envoyproxy/gateway-
+APP_NAME ?= grpc-ext-proc
+TAG ?= latest
+
+.PHONY: docker-buildx
+docker-buildx:
+ docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load
diff --git a/examples/grpc-ext-proc/go.mod b/examples/grpc-ext-proc/go.mod
new file mode 100644
index 00000000000..bb18254c721
--- /dev/null
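Review bot: In examples/grpc-ext-auth/main.go, `Check` writes the raw `authorization` header to the process log with `log.Println(authorization)`, so every bearer token presented to the service ends up in log storage; drop that line or log only whether a header was present. The same function reaches the header through plain field access (`req.Attributes.Request.Http.Headers`), which panics on a request that omits any of those messages. The generated getters are nil-safe: `authorization := req.GetAttributes().GetRequest().GetHttp().GetHeaders()["authorization"]`. `healthCheckHandler` calls `log.Fatalf` on every failure path, so a single failed probe terminates the authorization server, and it never closes the connection it dials on each request; the fence below has it answer 503 and close the connection instead. The handler also dials the fixed address `localhost:9002` rather than the configured `port`, and `loadCA` ignores the result of `AppendCertsFromPEM`.

```go
func healthCheckHandler(w http.ResponseWriter, r *http.Request) {
	certPool, err := loadCA(certPath)
	if err != nil {
		log.Printf("health check: could not load CA certificate: %v", err)
		w.WriteHeader(http.StatusServiceUnavailable)
		return
	}
	// … unchanged: tlsConfig, dial options and the grpc.Dial call …
	if err != nil {
		log.Printf("health check: could not connect: %v", err)
		w.WriteHeader(http.StatusServiceUnavailable)
		return
	}
	defer conn.Close()
	// … unchanged: client creation and the client.Check call …
	if err != nil {
		log.Printf("health check: authorization check failed: %v", err)
		w.WriteHeader(http.StatusServiceUnavailable)
		return
	}
	if response.GetStatus().GetCode() == int32(code.Code_OK) {
	// … unchanged: 200 / 503 response …
```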
+++ b/examples/grpc-ext-proc/go.mod
@@ -0,0 +1,19 @@
+module github.com/envoyproxy/gateway-grpc-ext-proc
+
+go 1.23.1
+
+require (
+ github.com/envoyproxy/go-control-plane v0.13.1
+ google.golang.org/grpc v1.67.1
+)
+
+require (
+ github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
+ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+ golang.org/x/net v0.28.0 // indirect
+ golang.org/x/sys v0.24.0 // indirect
+ golang.org/x/text v0.17.0 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
+ google.golang.org/protobuf v1.34.2 // indirect
+)
diff --git a/examples/grpc-ext-proc/go.sum b/examples/grpc-ext-proc/go.sum
new file mode 100644
index 00000000000..d3004724f02
--- /dev/null
+++ b/examples/grpc-ext-proc/go.sum
@@ -0,0 +1,22 @@ +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.34.2 
h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= diff --git a/examples/grpc-ext-proc/main.go b/examples/grpc-ext-proc/main.go new file mode 100644 index 00000000000..785480f1d20 --- /dev/null +++ b/examples/grpc-ext-proc/main.go 
@@ -0,0 +1,289 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package main + +import ( + "context" + "crypto/tls" + "crypto/x509" + "flag" + "fmt" + "io" + "log" + "net" + "net/http" + "os" + "strings" + + "google.golang.org/grpc/credentials" + + envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoy_service_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3" + + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +type extProcServer struct{} + +var ( + port int + certPath string +) + +func main() { + flag.IntVar(&port, "port", 9002, "gRPC port") + flag.StringVar(&certPath, "certPath", "", "path to extProcServer certificate and private key") + flag.Parse() + + lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) + if err != nil { + log.Fatalf("failed to listen: %v", err) + } + + creds, err := loadTLSCredentials(certPath) + if err != nil { + log.Fatalf("Failed to load TLS credentials: %v", err) + } + gs := grpc.NewServer(grpc.Creds(creds)) + envoy_service_proc_v3.RegisterExternalProcessorServer(gs, &extProcServer{}) + + go func() { + err = gs.Serve(lis) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } + }() + + // Create Unix listener + gus := grpc.NewServer(grpc.Creds(creds)) + envoy_service_proc_v3.RegisterExternalProcessorServer(gus, &extProcServer{}) + + udsAddr := "/var/run/ext-proc/extproc.sock" + if _, err := os.Stat(udsAddr); err == nil { + if err := os.RemoveAll(udsAddr); err != nil { + log.Fatalf("failed to remove: %v", err) + } + } + + ul, err := net.Listen("unix", udsAddr) + if err != nil { + log.Fatalf("failed to listen: %v", err) + } + + err = os.Chmod(udsAddr, 0700) + if err != nil { + log.Fatalf("failed to set permissions: %v", err) + } + + // envoy distroless uid + err = os.Chown(udsAddr, 65532, 0) 
+ if err != nil { + log.Fatalf("failed to set permissions: %v", err) + } + + go func() { + err = gus.Serve(ul) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } + }() + + http.HandleFunc("/healthz", healthCheckHandler) + err = http.ListenAndServe(":8080", nil) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } +} + +// used by k8s readiness probes +// makes a processing request to check if the processor service is healthy +func healthCheckHandler(w http.ResponseWriter, r *http.Request) { + certPool, err := loadCA(certPath) + if err != nil { + log.Fatalf("Could not load CA certificate: %v", err) + } + + // Create TLS configuration + tlsConfig := &tls.Config{ + RootCAs: certPool, + ServerName: "grpc-ext-proc.envoygateway", + } + + // Create gRPC dial options + opts := []grpc.DialOption{ + grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), + } + + conn, err := grpc.Dial("localhost:9002", opts...) + if err != nil { + log.Fatalf("Could not connect: %v", err) + } + client := envoy_service_proc_v3.NewExternalProcessorClient(conn) + + processor, err := client.Process(context.Background()) + if err != nil { + log.Fatalf("Could not check: %v", err) + } + + err = processor.Send(&envoy_service_proc_v3.ProcessingRequest{ + Request: &envoy_service_proc_v3.ProcessingRequest_RequestHeaders{ + RequestHeaders: &envoy_service_proc_v3.HttpHeaders{}, + }, + }) + if err != nil { + log.Fatalf("Could not check: %v", err) + } + + response, err := processor.Recv() + if err != nil { + log.Fatalf("Could not check: %v", err) + } + + if response != nil && response.GetRequestHeaders().Response.Status == envoy_service_proc_v3.CommonResponse_CONTINUE { + w.WriteHeader(http.StatusOK) + } else { + w.WriteHeader(http.StatusServiceUnavailable) + } +} + +func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) { + // Load extProcServer's certificate and private key + crt := "server.crt" + key := "server.key" + + if certPath != "" { + if 
!strings.HasSuffix(certPath, "/") { + certPath = fmt.Sprintf("%s/", certPath) + } + crt = fmt.Sprintf("%s%s", certPath, crt) + key = fmt.Sprintf("%s%s", certPath, key) + } + certificate, err := tls.LoadX509KeyPair(crt, key) + if err != nil { + return nil, fmt.Errorf("could not load extProcServer key pair: %s", err) + } + + // Create a new credentials object + creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}}) + + return creds, nil +} + +func loadCA(caPath string) (*x509.CertPool, error) { + ca := x509.NewCertPool() + caCertPath := "server.crt" + if caPath != "" { + if !strings.HasSuffix(caPath, "/") { + caPath = fmt.Sprintf("%s/", caPath) + } + caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath) + } + caCert, err := os.ReadFile(caCertPath) + if err != nil { + return nil, fmt.Errorf("could not read ca certificate: %s", err) + } + ca.AppendCertsFromPEM(caCert) + return ca, nil +} + +func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_ProcessServer) error { + ctx := srv.Context() + for { + select { + case <-ctx.Done(): + return ctx.Err() + default: + } + req, err := srv.Recv() + if err == io.EOF { + return nil + } + if err != nil { + return status.Errorf(codes.Unknown, "cannot receive stream request: %v", err) + } + + resp := &envoy_service_proc_v3.ProcessingResponse{} + switch v := req.Request.(type) { + case *envoy_service_proc_v3.ProcessingRequest_RequestHeaders: + xrch := "" + if v.RequestHeaders != nil { + hdrs := v.RequestHeaders.Headers.GetHeaders() + for _, hdr := range hdrs { + if hdr.Key == "x-request-client-header" { + xrch = string(hdr.RawValue) + } + } + } + + rhq := &envoy_service_proc_v3.HeadersResponse{ + Response: &envoy_service_proc_v3.CommonResponse{ + HeaderMutation: &envoy_service_proc_v3.HeaderMutation{ + SetHeaders: []*envoy_api_v3_core.HeaderValueOption{ + { + Header: &envoy_api_v3_core.HeaderValue{ + Key: "x-request-ext-processed", + RawValue: []byte("true"), + }, + }, + }, + }, + }, 
+ }
+
+ if xrch != "" {
+ rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders,
+ &envoy_api_v3_core.HeaderValueOption{
+ Header: &envoy_api_v3_core.HeaderValue{
+ Key: "x-request-client-header",
+ RawValue: []byte("mutated"),
+ },
+ })
+ rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders,
+ &envoy_api_v3_core.HeaderValueOption{
+ Header: &envoy_api_v3_core.HeaderValue{
+ Key: "x-request-client-header-received",
+ RawValue: []byte(xrch),
+ },
+ })
+ }
+
+ resp = &envoy_service_proc_v3.ProcessingResponse{
+ Response: &envoy_service_proc_v3.ProcessingResponse_RequestHeaders{
+ RequestHeaders: rhq,
+ },
+ }
+ break
+ case *envoy_service_proc_v3.ProcessingRequest_ResponseHeaders:
+ rhq := &envoy_service_proc_v3.HeadersResponse{
+ Response: &envoy_service_proc_v3.CommonResponse{
+ HeaderMutation: &envoy_service_proc_v3.HeaderMutation{
+ SetHeaders: []*envoy_api_v3_core.HeaderValueOption{
+ {
+ Header: &envoy_api_v3_core.HeaderValue{
+ Key: "x-response-ext-processed",
+ RawValue: []byte("true"),
+ },
+ },
+ },
+ },
+ },
+ }
+ resp = &envoy_service_proc_v3.ProcessingResponse{
+ Response: &envoy_service_proc_v3.ProcessingResponse_ResponseHeaders{
+ ResponseHeaders: rhq,
+ },
+ }
+ break
+ default:
+ log.Printf("Unknown Request type %v\n", v)
+ }
+ if err := srv.Send(resp); err != nil {
+ log.Printf("send error %v", err)
+ }
+ }
+}
diff --git a/examples/http-ext-auth/Dockerfile b/examples/http-ext-auth/Dockerfile
new file mode 100644
index 00000000000..f3e3ef5d614
--- /dev/null
+++ b/examples/http-ext-auth/Dockerfile
@@ -0,0 +1,6 @@
+FROM node:19-bullseye
+
+COPY ./http-ext-auth.js .
+
+ENTRYPOINT ["node", "./http-ext-auth.js"]
+
diff --git a/examples/http-ext-auth/Makefile b/examples/http-ext-auth/Makefile
new file mode 100644
index 00000000000..a0fe0063528
--- /dev/null
+++ b/examples/http-ext-auth/Makefile
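Review bot: `healthCheckHandler` in `examples/grpc-ext-proc/main.go` calls `log.Fatalf` on every failure path, so one failed readiness probe, or any request to `:8080/healthz` while the gRPC listener is unhealthy, terminates the whole process instead of answering 503. The handler also never closes the `grpc.Dial` connection or the stream it opens, which leaks one of each per probe, and `response.GetRequestHeaders().Response.Status` dereferences a nil pointer when the reply is not a request-headers response. I would report failures with `http.StatusServiceUnavailable`, close the connection with `defer`, tie the stream to the request context and nil-check the reply, as in the rewrite below. Separately, `loadCA` ignores the boolean returned by `AppendCertsFromPEM`, so an unparsable `server.crt` yields an empty pool with no error.

```go
func healthCheckHandler(w http.ResponseWriter, r *http.Request) {
	// Report a failed check to the prober instead of exiting the process.
	fail := func(msg string, err error) {
		log.Printf("health check: %s: %v", msg, err)
		http.Error(w, "unhealthy", http.StatusServiceUnavailable)
	}

	certPool, err := loadCA(certPath)
	if err != nil {
		fail("could not load CA certificate", err)
		return
	}
	// … unchanged: tlsConfig and dial options …
	conn, err := grpc.Dial("localhost:9002", opts...)
	if err != nil {
		fail("could not connect", err)
		return
	}
	defer conn.Close()

	// Cancelling on return tears the stream down with the handler.
	ctx, cancel := context.WithCancel(r.Context())
	defer cancel()

	processor, err := envoy_service_proc_v3.NewExternalProcessorClient(conn).Process(ctx)
	if err != nil {
		fail("could not open stream", err)
		return
	}
	// … unchanged: processor.Send of the empty RequestHeaders message; on error call fail and return …
	response, err := processor.Recv()
	if err != nil {
		fail("could not receive", err)
		return
	}

	// Require an actual request-headers reply before reading its status.
	rh := response.GetRequestHeaders()
	if rh == nil || rh.GetResponse() == nil ||
		rh.GetResponse().GetStatus() != envoy_service_proc_v3.CommonResponse_CONTINUE {
		w.WriteHeader(http.StatusServiceUnavailable)
		return
	}
	w.WriteHeader(http.StatusOK)
}
```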
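Review bot: `FROM node:19-bullseye` in `examples/http-ext-auth/Dockerfile` selects an odd-numbered Node.js release line that no longer receives security fixes, and it does so through a mutable tag. A supported LTS line pinned by digest would be safer, for example `FROM node:<lts-version>-bullseye-slim@sha256:<digest>`. The image also has no `USER` instruction, so the authorization server runs as root; the official image ships a `node` user, so adding `USER node` before `ENTRYPOINT` is enough.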
@@ -0,0 +1,8 @@
+
+IMAGE_PREFIX ?= envoyproxy/gateway-
+APP_NAME ?= http-ext-auth
+TAG ?= latest
+
+.PHONY: docker-buildx
+docker-buildx:
+ docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load
diff --git a/examples/http-ext-auth/http-ext-auth.js b/examples/http-ext-auth/http-ext-auth.js
new file mode 100644
index 00000000000..17ece921822
--- /dev/null
+++ b/examples/http-ext-auth/http-ext-auth.js
@@ -0,0 +1,38 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+const Http = require("http");
+const path = require("path");
+
+const tokens = {
+ "token1": "user1",
+ "token2": "user2",
+ "token3": "user3"
+};
+
+const server = new Http.Server((req, res) => {
+ const authorization = req.headers["authorization"] || "";
+ const extracted = authorization.split(" ");
+ if (extracted.length === 2 && extracted[0] === "Bearer") {
+ const user = checkToken(extracted[1]);
+ console.log(`token: "${extracted[1]}" user: "${user}`);
+ if (user !== undefined) {
+ // The authorization server returns a response with "x-current-user" header for a successful
+ // request.
+ res.writeHead(200, { "x-current-user": user });
+ return res.end();
+ }
+ }
+ res.writeHead(403);
+ res.end();
+});
+
+const port = process.env.PORT || 9002;
+server.listen(port);
+console.log(`starting HTTP server on: ${port}`);
+
+function checkToken(token) {
+ return tokens[token];
+}
\ No newline at end of file
diff --git a/examples/preserve-case-backend/Dockerfile b/examples/preserve-case-backend/Dockerfile
new file mode 100644
index 00000000000..4616d465cb6
--- /dev/null
+++ b/examples/preserve-case-backend/Dockerfile
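Review bot: `checkToken` in `examples/http-ext-auth/http-ext-auth.js` looks the bearer token up with `tokens[token]` on a plain object literal, so names inherited from `Object.prototype` also resolve to a non-`undefined` value and pass the `user !== undefined` check, producing a 200 for a token that is not in the table. Restrict the lookup to own keys with `return Object.hasOwn(tokens, token) ? tokens[token] : undefined;`, or hold the table in a `Map`. The `console.log` just above that check also writes every presented token to the log, valid ones included; I would log only the resolved user. People copy example authorization servers, so both points are worth fixing even for a demo.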
@@ -0,0 +1,22 @@
+FROM golang:1.23.1 AS builder
+
+ARG GO_LDFLAGS=""
+
+WORKDIR /workspace
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ go mod download
+
+COPY . ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ CGO_ENABLED=0 \
+ GOOS=${TARGETOS} \
+ GOARCH=${TARGETARCH} \
+ go build -o /bin/preserve-case-backend -ldflags "${GO_LDFLAGS}" .
+
+# Need root user for UDS
+FROM gcr.io/distroless/static-debian11
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /bin/preserve-case-backend /
+
+ENTRYPOINT ["/preserve-case-backend"]
diff --git a/examples/preserve-case-backend/Makefile b/examples/preserve-case-backend/Makefile
new file mode 100644
index 00000000000..159725237f4
--- /dev/null
+++ b/examples/preserve-case-backend/Makefile
@@ -0,0 +1,8 @@
+
+IMAGE_PREFIX ?= envoyproxy/gateway-
+APP_NAME ?= preserve-case-backend
+TAG ?= latest
+
+.PHONY: docker-buildx
+docker-buildx:
+ docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load
diff --git a/examples/preserve-case-backend/go.mod b/examples/preserve-case-backend/go.mod
new file mode 100644
index 00000000000..7a9712aa341
--- /dev/null
+++ b/examples/preserve-case-backend/go.mod
@@ -0,0 +1,11 @@
+module github.com/envoyproxy/gateway-preserve-case-backend
+
+go 1.23.1
+
+require github.com/valyala/fasthttp v1.51.0
+
+require (
+ github.com/andybalholm/brotli v1.0.5 // indirect
+ github.com/klauspost/compress v1.17.0 // indirect
+ github.com/valyala/bytebufferpool v1.0.0 // indirect
+)
diff --git a/examples/preserve-case-backend/go.sum b/examples/preserve-case-backend/go.sum
new file mode 100644
index 00000000000..cfe8f6c10e5
--- /dev/null
+++ b/examples/preserve-case-backend/go.sum
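Review bot: The comment `# Need root user for UDS` in `examples/preserve-case-backend/Dockerfile` looks copied from the ext-proc image, because the `main.go` this commit adds for this backend only listens on TCP `:8000` and never touches a Unix socket. The final stage can therefore drop root with `FROM gcr.io/distroless/static-debian11:nonroot`, and the comment can go. Separately, `${TARGETOS}` and `${TARGETARCH}` are read in the build `RUN` without `ARG TARGETOS` / `ARG TARGETARCH` declared in the builder stage, so they probably expand to empty strings and the build falls back to the builder's platform. The grpc-ext-proc Dockerfile has the same lines.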
@@ -0,0 +1,8 @@ +github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs= +github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= +github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= +github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA= +github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g= diff --git a/examples/preserve-case-backend/main.go b/examples/preserve-case-backend/main.go new file mode 100644 index 00000000000..1922d3c9b95 --- /dev/null +++ b/examples/preserve-case-backend/main.go 
@@ -0,0 +1,42 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package main + +import ( + "encoding/json" + "fmt" + "log" + "net" + + "github.com/valyala/fasthttp" +) + +func HandleFastHTTP(ctx *fasthttp.RequestCtx) { + ctx.QueryArgs().VisitAll(func(key, value []byte) { + if string(key) == "headers" { + ctx.Response.Header.Add(string(value), "PrEsEnT") + } + }) + headers := map[string][]string{} + ctx.Request.Header.VisitAll(func(key, value []byte) { + headers[string(key)] = append(headers[string(key)], string(value)) + }) + if d, err := json.MarshalIndent(headers, "", " "); err != nil { + ctx.Error(fmt.Sprintf("%s", err), fasthttp.StatusBadRequest) + } else { + fmt.Fprintf(ctx, string(d)+"\n") + } +} + +func main() { + s := fasthttp.Server{ + Handler: HandleFastHTTP, + DisableHeaderNamesNormalizing: true, + } + log.Printf("Starting on port 8000") + l, _ := net.Listen("tcp", ":8000") + log.Fatal(s.Serve(l)) +} diff --git a/go.mod b/go.mod index 1ec72d0a6bd..68fd42b5a31 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/envoyproxy/go-control-plane v0.13.1 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 github.com/evanphx/json-patch/v5 v5.9.0 - github.com/fatih/color v1.17.0 + github.com/fatih/color v1.18.0 github.com/go-logfmt/logfmt v0.6.0 github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 
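Review bot: `fmt.Fprintf(ctx, string(d)+"\n")` in `HandleFastHTTP` passes the JSON dump of the request headers as the format string, so any `%` a client sends in a header is read as a formatting verb and the echoed body is corrupted with `%!…` artefacts. Write the data as an operand instead: `fmt.Fprintln(ctx, string(d))`. In `main`, `l, _ := net.Listen("tcp", ":8000")` discards the error, so a failed bind hands a nil listener to `s.Serve`; keep the error and add `if err != nil { log.Fatal(err) }`.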
@@ -26,14 +26,14 @@ require ( github.com/google/go-containerregistry v0.20.2 github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 - github.com/ohler55/ojg v1.24.1 + github.com/ohler55/ojg v1.25.0 github.com/prometheus/client_golang v1.20.5 - github.com/prometheus/common v0.60.0 + github.com/prometheus/common v0.60.1 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 - github.com/tsaarni/certyaml v0.9.3 + github.com/tsaarni/certyaml v0.10.0 go.opentelemetry.io/otel v1.31.0 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 @@ -48,14 +48,14 @@ require ( google.golang.org/protobuf v1.35.1 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.2 - k8s.io/api v0.31.1 - k8s.io/apiextensions-apiserver v0.31.1 - k8s.io/apimachinery v0.31.1 - k8s.io/cli-runtime v0.31.1 - k8s.io/client-go v0.31.1 - k8s.io/kubectl v0.31.1 + k8s.io/api v0.31.2 + k8s.io/apiextensions-apiserver v0.31.2 + k8s.io/apimachinery v0.31.2 + k8s.io/cli-runtime v0.31.2 + k8s.io/client-go v0.31.2 + k8s.io/kubectl v0.31.2 k8s.io/utils v0.0.0-20240821151609-f90d01438635 - sigs.k8s.io/controller-runtime v0.19.0 + sigs.k8s.io/controller-runtime v0.19.1 sigs.k8s.io/gateway-api v1.2.0 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 @@ -63,7 +63,7 @@ require ( require ( github.com/docker/docker v27.3.1+incompatible - github.com/replicatedhq/troubleshoot v0.107.1 + github.com/replicatedhq/troubleshoot v0.107.5 github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 google.golang.org/grpc v1.67.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 
@@ -212,8 +212,8 @@ require ( golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect - k8s.io/apiserver v0.31.1 // indirect - k8s.io/metrics v0.31.1 // indirect + k8s.io/apiserver v0.31.2 // indirect + k8s.io/metrics v0.31.2 // indirect oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect @@ -231,7 +231,7 @@ require ( github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/evanphx/json-patch v5.9.0+incompatible github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect - github.com/fsnotify/fsnotify v1.7.0 + github.com/fsnotify/fsnotify v1.8.0 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -289,7 +289,7 @@ require ( google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/component-base v0.31.1 // indirect + k8s.io/component-base v0.31.2 // indirect k8s.io/klog/v2 v2.130.1 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/go.sum b/go.sum index dbaf681efbb..00d7b32bb36 100644 --- a/go.sum +++ b/go.sum 
@@ -240,8 +240,8 @@ github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= -github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= +github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= +github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= 
@@ -250,8 +250,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= -github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M= +github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= 
@@ -629,8 +629,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= -github.com/ohler55/ojg v1.24.1 h1:PaVLelrNgT5/0ppPaUtey54tOVp245z33fkhL2jljjY= -github.com/ohler55/ojg v1.24.1/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= +github.com/ohler55/ojg v1.25.0 h1:sDwc4u4zex65Uz5Nm7O1QwDKTT+YRcpeZQTy1pffRkw= +github.com/ohler55/ojg v1.25.0/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
@@ -701,8 +701,8 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= -github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= +github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPAaSc= +github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -717,8 +717,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.107.1 h1:Hx9VbVv1r3M5fiH2fPTeoZ8LNIxh5R/e6vpe2jBgPfc= -github.com/replicatedhq/troubleshoot v0.107.1/go.mod h1:6mZzcO/EWVBNXVnFdSHfPaoTnjcQdV3sq61NkBF60YE= +github.com/replicatedhq/troubleshoot v0.107.5 h1:XrJEK8vN3HHEKmFnAe8rSmY+hPw8Fh5dsTMhhEBKQCM= +github.com/replicatedhq/troubleshoot v0.107.5/go.mod h1:QTV4q6TXiCO825IS1GcLzgJu2KHWekXiKdcHCqBJTck= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 
@@ -828,8 +828,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= -github.com/tsaarni/certyaml v0.9.3 h1:m8HHbuUzWVUOmv8IQU9HgVZZ8r5ICExKm++54DJKCs0= -github.com/tsaarni/certyaml v0.9.3/go.mod h1:hhuU1qYr5re488geArUP4gZWqMUMqGlj4HA2qUyGYLk= +github.com/tsaarni/certyaml v0.10.0 h1:8ZWHO4Zg4VHUf7YblZNju44PcG5M+YtlJawiArYUHRs= +github.com/tsaarni/certyaml v0.10.0/go.mod h1:rI1wDTE/VQIglHOyGbjfvqb+5mWTVT5uLFVDDcT1sq8= github.com/tsaarni/x500dn v1.0.0 h1:LvaWTkqRpse4VHBhB5uwf3wytokK4vF9IOyNAEyiA+U= github.com/tsaarni/x500dn v1.0.0/go.mod h1:QaHa3EcUKC4dfCAZmj8+ZRGLKukWgpGv9H3oOCsAbcE= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= 
@@ -1159,32 +1159,32 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= -k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= -k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= +k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= k8s.io/apiextensions-apiserver v0.18.2/go.mod h1:q3faSnRGmYimiocj6cHQ1I3WpLqmDgJFlKL37fC4ZvY= k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= -k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= -k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= +k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0= +k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM= k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= -k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= +k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw= k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= -k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= -k8s.io/apiserver v0.31.1/go.mod 
h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= -k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= -k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4= +k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE= +k8s.io/cli-runtime v0.31.2 h1:7FQt4C4Xnqx8V1GJqymInK0FFsoC+fAZtbLqgXYVOLQ= +k8s.io/cli-runtime v0.31.2/go.mod h1:XROyicf+G7rQ6FQJMbeDV9jqxzkWXTYD6Uxd15noe0Q= k8s.io/client-go v0.18.2/go.mod h1:Xcm5wVGXX9HAA2JJ2sSBUn3tCJ+4SVlCbl2MNNv+CIU= k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g= -k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= -k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc= +k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs= k8s.io/code-generator v0.18.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM= k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= -k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= -k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= +k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA= +k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= 
@@ -1193,16 +1193,16 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.31.1 h1:cGLyV3cIwb0ovpP/jtyIe2mEuQ/MkbhmeBF2IYCA9Io= -k8s.io/kms v0.31.1/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= +k8s.io/kms v0.31.2 h1:pyx7l2qVOkClzFMIWMVF/FxsSkgd+OIGH7DecpbscJI= +k8s.io/kms v0.31.2/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= -k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= -k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= -k8s.io/metrics v0.31.1 h1:h4I4dakgh/zKflWYAOQhwf0EXaqy8LxAIyE/GBvxqRc= -k8s.io/metrics v0.31.1/go.mod h1:JuH1S9tJiH9q1VCY0yzSCawi7kzNLsDzlWDJN4xR+iA= +k8s.io/kubectl v0.31.2 h1:gTxbvRkMBwvTSAlobiTVqsH6S8Aa1aGyBcu5xYLsn8M= +k8s.io/kubectl v0.31.2/go.mod h1:EyASYVU6PY+032RrTh5ahtSOMgoDRIux9V1JLKtG5xM= +k8s.io/metrics v0.31.2 h1:sQhujR9m3HN/Nu/0fTfTscjnswQl0qkQAodEdGBS0N4= +k8s.io/metrics v0.31.2/go.mod h1:QqqyReApEWO1UEgXOSXiHCQod6yTxYctbAAQBWZkboU= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= 
@@ -1215,8 +1215,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= -sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= -sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk= +sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= diff --git a/internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml b/internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml new file mode 100644 index 00000000000..d2aa0f78f07 --- /dev/null +++ b/internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml 
@@ -0,0 +1,46 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg +spec: + gatewayClassName: eg + listeners: + - name: http + protocol: HTTP + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend +spec: + parentRefs: + - name: eg + hostnames: + - "www.example.com" + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend +spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 3000 diff --git a/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml b/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml new file mode 100644 index 00000000000..d3f3ed2c771 --- /dev/null +++ b/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml 
@@ -0,0 +1,106 @@ +backends: +- kind: Backend + metadata: + creationTimestamp: null + name: backend + namespace: envoy-gateway-system + spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 3000 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +gatewayClass: + kind: GatewayClass + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + status: + conditions: + - lastTransitionTime: null + message: Valid GatewayClass + reason: Accepted + status: "True" + type: Accepted +gateways: +- kind: Gateway + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + gatewayClassName: eg + listeners: + - name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- kind: HTTPRoute + metadata: + creationTimestamp: null + name: backend + namespace: envoy-gateway-system + spec: + hostnames: + - www.example.com + parentRefs: + - name: eg + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend + matches: + - path: + type: PathPrefix + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: 
null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: eg diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index b965d6d9818..26e42496459 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -778,6 +778,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 outlierDetection: {} @@ -797,6 +798,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: grpcroute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 outlierDetection: {} @@ -823,6 +825,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tcproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 outlierDetection: {} @@ -842,6 +845,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tlsroute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 outlierDetection: {} @@ -861,6 +865,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: udproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml index f88b74ed0c4..cc99b73a833 100644 --- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml 
+++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml @@ -106,6 +106,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 81f8f2b8c3d..a89e4bcdae3 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -466,6 +466,7 @@ }, "serviceName": "httproute/default/backend/rule/0" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "httproute/default/backend/rule/0", "outlierDetection": {}, @@ -495,6 +496,7 @@ }, "serviceName": "grpcroute/default/backend/rule/0" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "grpcroute/default/backend/rule/0", "outlierDetection": {}, @@ -535,6 +537,7 @@ }, "serviceName": "tcproute/default/backend/rule/-1" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "tcproute/default/backend/rule/-1", "outlierDetection": {}, @@ -564,6 +567,7 @@ }, "serviceName": "tlsroute/default/backend/rule/-1" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "tlsroute/default/backend/rule/-1", "outlierDetection": {}, @@ -593,6 +597,7 @@ }, "serviceName": "udproute/default/backend/rule/-1" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "udproute/default/backend/rule/-1", "outlierDetection": {}, diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index d4ceef84de2..fbb1df4f5b0 100644 
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -257,6 +257,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 outlierDetection: {} @@ -276,6 +277,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: grpcroute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 outlierDetection: {} @@ -302,6 +304,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tcproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 outlierDetection: {} @@ -321,6 +324,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tlsroute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 outlierDetection: {} @@ -340,6 +344,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: udproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml index c9f782804a4..7545c4660d0 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml @@ -16,6 +16,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 outlierDetection: {} 
@@ -35,6 +36,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: grpcroute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 outlierDetection: {} @@ -61,6 +63,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tcproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 outlierDetection: {} @@ -80,6 +83,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tlsroute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 outlierDetection: {} @@ -99,6 +103,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: udproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 782775f605f..6ce6ee01347 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -358,6 +358,7 @@ }, "serviceName": "httproute/envoy-gateway-system/backend/rule/0" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "httproute/envoy-gateway-system/backend/rule/0", "outlierDetection": {}, diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 7579be57f5f..237f0f3a4ac 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml 
@@ -201,6 +201,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml index d0add370ce3..9d93c93a8a4 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml @@ -16,6 +16,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index e6e91b9ec45..517f3482f9f 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -201,6 +201,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/routes/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/routes/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/translate_test.go b/internal/cmd/egctl/translate_test.go index 9207c8bb75b..20cf76d0162 100644 --- a/internal/cmd/egctl/translate_test.go +++ b/internal/cmd/egctl/translate_test.go @@ -287,6 +287,12 @@ func TestTranslate(t *testing.T) { expect: true, extraArgs: []string{"--add-missing-resources"}, }, + { + name: "backend-endpoint", + from: "gateway-api", + to: "gateway-api", + expect: true, + }, } flag.Parse() 
diff --git a/internal/extension/registry/extension_manager.go b/internal/extension/registry/extension_manager.go index 918c9a7c018..cf4b86d3d08 100644 --- a/internal/extension/registry/extension_manager.go +++ b/internal/extension/registry/extension_manager.go @@ -11,6 +11,7 @@ import ( "errors" "fmt" "net" + "strconv" "google.golang.org/grpc" "google.golang.org/grpc/credentials" @@ -123,13 +124,13 @@ func getExtensionServerAddress(service *egv1a1.ExtensionService) string { var serverAddr string switch { case service.FQDN != nil: - serverAddr = fmt.Sprintf("%s:%d", service.FQDN.Hostname, service.FQDN.Port) + serverAddr = net.JoinHostPort(service.FQDN.Hostname, strconv.Itoa(int(service.FQDN.Port))) case service.IP != nil: - serverAddr = fmt.Sprintf("%s:%d", service.IP.Address, service.IP.Port) + serverAddr = net.JoinHostPort(service.IP.Address, strconv.Itoa(int(service.IP.Port))) case service.Unix != nil: serverAddr = fmt.Sprintf("unix://%s", service.Unix.Path) case service.Host != "": - serverAddr = fmt.Sprintf("%s:%d", service.Host, service.Port) + serverAddr = net.JoinHostPort(service.Host, strconv.Itoa(int(service.Port))) } return serverAddr } diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index a04f93c9c19..b76e215f99a 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -7,6 +7,7 @@ package gatewayapi import ( "fmt" + "reflect" "k8s.io/utils/ptr" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" 
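Review bot: The three `net.JoinHostPort` calls in getExtensionServerAddress carry no comment explaining why they replaced `fmt.Sprintf`, and the switch still returns an empty `serverAddr` when none of FQDN, IP, Unix or Host is set. I would add `// net.JoinHostPort brackets IPv6 literals, which "%s:%d" did not` above the switch. If `service.IP.Address` can arrive already bracketed, JoinHostPort would bracket it a second time; whether validation rules that out is not visible in this hunk.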
@@ -145,13 +146,12 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2 target.Kind == currTarget.Kind && backendNamespace == policy.Namespace && target.Name == currTarget.Name { - if currTarget.SectionName != nil { - if target.SectionName != nil && *currTarget.SectionName == *target.SectionName { - return true - } - return false + // if section name is not set, then it targets the entire backend + if currTarget.SectionName == nil { + return true + } else if reflect.DeepEqual(currTarget.SectionName, target.SectionName) { + return true } - return true } } return false diff --git a/internal/gatewayapi/contexts.go b/internal/gatewayapi/contexts.go index fbd4c588f9b..7bcf321d3a2 100644 --- a/internal/gatewayapi/contexts.go +++ b/internal/gatewayapi/contexts.go 
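Review bot: In backendTLSTargetMatched the section-name check now uses `reflect.DeepEqual` on two pointers, which is harder to read than a direct comparison and leaves an `else` after a `return`. The same logic without reflection is `if currTarget.SectionName == nil || (target.SectionName != nil && *currTarget.SectionName == *target.SectionName) { return true }`. A mismatching targetRef now falls through to the next targetRef instead of returning false, and a missed match presumably leaves the backend without its TLS policy, so a short comment on that fall-through would help. The function starts outside the hunk.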
@@ -238,21 +238,26 @@ func GetRouteStatus(route RouteContext) *gwapiv1.RouteStatus { return &rs } -// GetRouteParentContext returns RouteParentContext by using the Route -// objects' ParentReference. +// GetRouteParentContext returns RouteParentContext by using the Route objects' ParentReference. +// It creates a new RouteParentContext and add a new RouteParentStatus to the Route's Status if the ParentReference is not found. func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentReference) *RouteParentContext { rv := reflect.ValueOf(route).Elem() pr := rv.FieldByName("ParentRefs") + + // If the ParentRefs field is nil, initialize it. if pr.IsNil() { mm := reflect.MakeMap(reflect.TypeOf(map[gwapiv1.ParentReference]*RouteParentContext{})) pr.Set(mm) } + // If the RouteParentContext is already in the RouteContext, return it. if p := pr.MapIndex(reflect.ValueOf(forParentRef)); p.IsValid() && !p.IsZero() { ctx := p.Interface().(*RouteParentContext) return ctx } + // Verify that the ParentReference is present in the Route.Spec.ParentRefs. + // This is just a sanity check, the parentRef should always be present, otherwise it's a programming error. var parentRef *gwapiv1.ParentReference specParentRefs := rv.FieldByName("Spec").FieldByName("ParentRefs") for i := 0; i < specParentRefs.Len(); i++ { 
@@ -266,25 +271,19 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere panic("parentRef not found") } + // Find the parent in the Route's Status. routeParentStatusIdx := -1 - defaultNamespace := gwapiv1.Namespace(metav1.NamespaceDefault) statusParents := rv.FieldByName("Status").FieldByName("Parents") + for i := 0; i < statusParents.Len(); i++ { p := statusParents.Index(i).FieldByName("ParentRef").Interface().(gwapiv1.ParentReference) - // For those non-v1 routes, their underlying type of `ParentReference` is v1 as well. - // So we can skip upgrading these routes for simplicity. - if forParentRef.Namespace == nil { - forParentRef.Namespace = &defaultNamespace - } - if p.Namespace == nil { - p.Namespace = &defaultNamespace - } - if reflect.DeepEqual(p, forParentRef) { + if isParentRefEqual(p, *parentRef, route.GetNamespace()) { routeParentStatusIdx = i break } } + // If the parent is not found in the Route's Status, create a new RouteParentStatus and add it to the Route's Status. if routeParentStatusIdx == -1 { rParentStatus := gwapiv1a2.RouteParentStatus{ ControllerName: gwapiv1a2.GatewayController(rv.FieldByName("GatewayControllerName").String()), @@ -294,6 +293,7 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere routeParentStatusIdx = statusParents.Len() - 1 } + // Also add the RouteParentContext to the RouteContext. ctx := &RouteParentContext{ ParentReference: parentRef, routeParentStatusIdx: routeParentStatusIdx, 
@@ -304,6 +304,34 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere return ctx } +func isParentRefEqual(ref1, ref2 gwapiv1.ParentReference, routeNS string) bool { + defaultGroup := (*gwapiv1.Group)(&gwapiv1.GroupVersion.Group) + if ref1.Group == nil { + ref1.Group = defaultGroup + } + if ref2.Group == nil { + ref2.Group = defaultGroup + } + + defaultKind := gwapiv1.Kind(resource.KindGateway) + if ref1.Kind == nil { + ref1.Kind = &defaultKind + } + if ref2.Kind == nil { + ref2.Kind = &defaultKind + } + + // If the parent's namespace is not set, default to the namespace of the Route. + defaultNS := gwapiv1.Namespace(routeNS) + if ref1.Namespace == nil { + ref1.Namespace = &defaultNS + } + if ref2.Namespace == nil { + ref2.Namespace = &defaultNS + } + return reflect.DeepEqual(ref1, ref2) +} + // RouteParentContext wraps a ParentReference and provides helper methods for // setting conditions and other status information on the associated // HTTPRoute, TLSRoute etc. diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 4abc9a69046..9ba561f1b5d 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -561,6 +561,8 @@ func (t *Translator) buildWasm( switch config.Code.Type { case egv1a1.HTTPWasmCodeSourceType: + var checksum string + // This is a sanity check, the validation should have caught this if config.Code.HTTP == nil { return nil, fmt.Errorf("missing HTTP field in Wasm code source") @@ -572,7 +574,7 @@ func (t *Translator) buildWasm( http := config.Code.HTTP - if servingURL, _, err = t.WasmCache.Get(http.URL, wasm.GetOptions{ + if servingURL, checksum, err = t.WasmCache.Get(http.URL, wasm.GetOptions{ Checksum: originalChecksum, PullPolicy: pullPolicy, ResourceName: irConfigNameForWasm(policy, idx), 
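Review bot: The new helper isParentRefEqual has no doc comment, although GetRouteParentContext now relies on its defaulting rules to pick the matching entry in the route's status. I would add `// isParentRefEqual reports whether two ParentReferences name the same parent after defaulting a nil Group, Kind and Namespace (Namespace defaults to routeNS).` It is also worth stating that SectionName and Port are compared as given by `reflect.DeepEqual`, so a nil value and a set value differ.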
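Review bot: The `SHA256` stored in `ir.HTTPWasmCode` now comes from `t.WasmCache.Get` instead of the policy, and nothing at this call site checks that value before it becomes the integrity pin (the assignment is in the following `@@ -584,7 +586,7 @@` hunk). If the cache can return an empty checksum, or one that differs from a non-empty `originalChecksum`, the pin would be silently dropped or replaced; whether Get guarantees otherwise is not visible here. I would add a guard after the call, `if originalChecksum != "" && checksum != originalChecksum { return nil, fmt.Errorf("wasm checksum mismatch for %s", http.URL) }`, or at least a comment stating that Get enforces it. `var checksum string` could also be declared next to `http := config.Code.HTTP`, where it is first used. buildWasm starts and ends outside these hunks.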
@@ -584,7 +586,7 @@ func (t *Translator) buildWasm( code = &ir.HTTPWasmCode{ ServingURL: servingURL, OriginalURL: http.URL, - SHA256: originalChecksum, + SHA256: checksum, } case egv1a1.ImageWasmCodeSourceType: diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 1c1ecee7672..366a24b827e 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -86,6 +86,7 @@ var ( QueryParamMatchTypeDerefOr = ptr.Deref[gwapiv1.QueryParamMatchType] ) +// Deprecated: use k8s.io/utils/ptr ptr.Deref instead func NamespaceDerefOr(namespace *gwapiv1.Namespace, defaultNamespace string) string { if namespace != nil && *namespace != "" { return string(*namespace) diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go index 2445a459c74..7c87ffb7918 100644 --- a/internal/gatewayapi/resource/load.go +++ b/internal/gatewayapi/resource/load.go @@ -44,7 +44,6 @@ func LoadResourcesFromYAMLBytes(yamlBytes []byte, addMissingResources bool) (*Re // loadKubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. // TODO: add support for kind: -// - Backend (gateway.envoyproxy.io/v1alpha1) // - EnvoyExtensionPolicy (gateway.envoyproxy.io/v1alpha1) // - HTTPRouteFilter (gateway.envoyproxy.io/v1alpha1) // - BackendLPPolicy (gateway.networking.k8s.io/v1alpha2) @@ -295,6 +294,19 @@ func loadKubernetesYAMLToResources(input []byte, addMissingResources bool) (*Res Spec: typedSpec.(egv1a1.HTTPRouteFilterSpec), } resources.HTTPRouteFilters = append(resources.HTTPRouteFilters, httpRouteFilter) + case KindBackend: + typedSpec := spec.Interface() + backend := &egv1a1.Backend{ + TypeMeta: metav1.TypeMeta{ + Kind: KindBackend, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(egv1a1.BackendSpec), + } + resources.Backends = append(resources.Backends, backend) } return nil 
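Review bot: The new `// Deprecated: use k8s.io/utils/ptr ptr.Deref instead` line on NamespaceDerefOr points at a replacement that behaves differently: this function also falls back to the default when `*namespace` is the empty string, which `ptr.Deref` does not. The comment should say so, and Go tooling expects the doc comment to open with the function name and to put `Deprecated:` in its own paragraph. For example, `// NamespaceDerefOr returns *namespace, or defaultNamespace when it is nil or empty.` followed by an empty `//` line and `// Deprecated: use ptr.Deref; note that it does not treat "" as unset.` The function body continues outside the hunk.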
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 648aebaeb5c..e51947411d8 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -237,7 +237,7 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe // If the route has no valid backends then just use a direct response and don't fuss with weighted responses for _, ruleRoute := range ruleRoutes { noValidBackends := ruleRoute.Destination == nil || ruleRoute.Destination.ToBackendWeights().Valid == 0 - if noValidBackends && ruleRoute.Redirect == nil { + if ruleRoute.DirectResponse == nil && noValidBackends && ruleRoute.Redirect == nil { ruleRoute.DirectResponse = &ir.CustomResponse{ StatusCode: ptr.To(uint32(500)), } diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index bd093761911..62975892918 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -173,7 +173,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { // Publish the IRs. // Also validate the ir before sending it. for key, val := range result.InfraIR { - r.Logger.WithValues("infra-ir", key).Info(val.JSONString()) + r.Logger.V(1).WithValues("infra-ir", key).Info(val.JSONString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate infra ir, skipped sending it") errChan <- err @@ -184,7 +184,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { } for key, val := range result.XdsIR { - r.Logger.WithValues("xds-ir", key).Info(val.JSONString()) + r.Logger.V(1).WithValues("xds-ir", key).Info(val.JSONString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate xds ir, skipped sending it") errChan <- err diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 302d5054507..3c2d2af31ed 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
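Review bot: Moving the IR dumps to `V(1)` in subscribeAndTranslate (both the `infra-ir` and the `xds-ir` loop) still evaluates `val.JSONString()` on every translation, because the argument is built before the logger decides whether to emit it. If the logger is a logr.Logger, as the `V(1).WithValues(...)` chain suggests, `if l := r.Logger.V(1); l.Enabled() { l.WithValues("infra-ir", key).Info(val.JSONString()) }` avoids the serialisation at default verbosity. A one-line comment that the full IR is debug-only because it is large and may carry sensitive configuration would record the intent; whether JSONString redacts secrets is not visible here. The function starts and ends outside the hunks.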
@@ -9,6 +9,7 @@ import ( "encoding/json" "errors" "fmt" + "net" "net/http" "net/netip" "net/url" @@ -921,16 +922,16 @@ func backendRefAuthority(resources *resource.Resources, backendRef *gwapiv1.Back // TODO: exists multi FQDN endpoints? for _, ep := range backend.Spec.Endpoints { if ep.FQDN != nil { - return fmt.Sprintf("%s:%d", ep.FQDN.Hostname, ep.FQDN.Port) + return net.JoinHostPort(ep.FQDN.Hostname, strconv.Itoa(int(ep.FQDN.Port))) } } } } - return fmt.Sprintf("%s.%s:%d", - backendRef.Name, - backendNamespace, - *backendRef.Port) + return net.JoinHostPort( + fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace), + strconv.Itoa(int(*backendRef.Port)), + ) } func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Authorization, error) { diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml new file mode 100644 index 00000000000..d3458d06da8 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml 
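Review bot: The fallback `net.JoinHostPort(...)` at the end of backendRefAuthority dereferences `*backendRef.Port` without a nil check, so a backendRef without a port would panic here unless an earlier validation step rejects it, which this hunk does not show. A guard such as `if backendRef.Port == nil { return fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace) }`, or a comment naming the validation that guarantees the port, would make the assumption explicit. The function starts outside the hunk.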
@@ -0,0 +1,123 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-btls + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-btls-1 + namespace: envoy-gateway + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-btls + sectionName: http + rules: + - matches: + - path: + type: Exact + value: "/exact-1" + backendRefs: + - name: http-backend + namespace: envoy-gateway + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-btls-2 + namespace: envoy-gateway + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-btls + sectionName: http + rules: + - matches: + - path: + type: Exact + value: "/exact-2" + backendRefs: + - name: http-backend + namespace: envoy-gateway + port: 8081 + +services: + - apiVersion: v1 + kind: Service + metadata: + name: http-backend + namespace: envoy-gateway + spec: + clusterIP: 10.11.12.13 + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 + - port: 8081 + name: http + protocol: TCP + targetPort: 8081 + +configMaps: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: ca-cmap + namespace: envoy-gateway + data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL + BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw + MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G + A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc + 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM + yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b + kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU + 
Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq + ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR + bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48 + 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/ + BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz + 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J + i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE + A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg + d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1 + 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q== + -----END CERTIFICATE----- +backendTLSPolicies: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-btls + namespace: envoy-gateway + spec: + targetRefs: + - group: "" + kind: Service + name: http-backend + sectionName: "8080" + - group: "" + kind: Service + name: http-backend + sectionName: "8081" + validation: + caCertificateRefs: + - name: ca-cmap + group: "" + kind: ConfigMap + hostname: example.com diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml new file mode 100644 index 00000000000..8ecd25a2418 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml 
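Review bot: The `http-backend` Service in this fixture gives both ports (8080 and 8081) the name `http`; Kubernetes requires port names within a Service to be unique, so a real cluster would not accept this input. The two `sectionName` targets in the BackendTLSPolicy are "8080" and "8081", so renaming the ports to `http-8080` and `http-8081` keeps the test's meaning and makes the fixture valid. A `#` comment above `backendTLSPolicies:` saying that the case covers one policy with two targetRefs on the same Service would also help.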
@@ -0,0 +1,239 @@ +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls + namespace: envoy-gateway + spec: + targetRefs: + - group: "" + kind: Service + name: http-backend + sectionName: "8080" + - group: "" + kind: Service + name: http-backend + sectionName: "8081" + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: example.com + status: + ancestors: + - ancestorRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-btls + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-btls-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-btls + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + 
- name: http-backend + namespace: envoy-gateway + port: 8080 + matches: + - path: + type: Exact + value: /exact-1 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-btls-2 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-btls + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: http-backend + namespace: envoy-gateway + port: 8081 + matches: + - path: + type: Exact + value: /exact-2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-btls: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-btls/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-btls + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-btls +xdsIR: + envoy-gateway/gateway-btls: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-btls + namespace: envoy-gateway + 
sectionName: http + name: envoy-gateway/gateway-btls/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/envoy-gateway/httproute-btls-1/rule/0 + settings: + - protocol: HTTP + tls: + alpnProtocols: null + caCertificate: + certificate: 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 + name: policy-btls/envoy-gateway-ca + sni: example.com + weight: 1 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-btls-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-btls-1/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact-1 + name: "" + - destination: + name: httproute/envoy-gateway/httproute-btls-2/rule/0 + settings: + - protocol: HTTP + tls: + alpnProtocols: null + caCertificate: + certificate: 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 + name: policy-btls/envoy-gateway-ca + sni: example.com + weight: 1 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-btls-2 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-btls-2/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact-2 + name: "" diff --git a/internal/gatewayapi/testdata/custom-filter-order.in.yaml b/internal/gatewayapi/testdata/custom-filter-order.in.yaml index 99b46e6de82..6f27637135c 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.in.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.in.yaml @@ -111,7 +111,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-1.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 config: parameter1: key1: value1 
@@ -122,7 +122,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-2.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e config: parameter1: value1 parameter2: value2 diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index 6967bf280f3..043eeab1543 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -13,7 +13,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 url: https://www.example.com/wasm-filter-1.wasm type: HTTP config: @@ -24,7 +24,7 @@ envoyExtensionPolicies: name: wasm-filter-1 - code: http: - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e url: https://www.example.com/wasm-filter-2.wasm type: HTTP config: @@ -257,7 +257,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: 
@@ -267,7 +267,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 hostname: www.example.com diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml index 106267da645..17026ebbad6 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml @@ -72,7 +72,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-1.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 config: parameter1: key1: value1 @@ -83,7 +83,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-2.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e config: parameter1: value1 parameter2: value2 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml index 4abc9f59092..8c65fb9cf65 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml 
@@ -16,7 +16,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 url: https://www.example.com/wasm-filter-1.wasm type: HTTP config: @@ -27,7 +27,7 @@ envoyExtensionPolicies: name: wasm-filter-1 - code: http: - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e url: https://www.example.com/wasm-filter-2.wasm type: HTTP config: @@ -239,7 +239,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: @@ -249,7 +249,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 hostname: www.example.com @@ -280,7 +280,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: 
@@ -290,7 +290,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 hostname: www.example.com diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml index 5cb2b192553..e7414013410 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml @@ -77,7 +77,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-1.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 config: parameter1: key1: value1 @@ -91,7 +91,7 @@ envoyextensionpolicies: url: oci://www.example.com/wasm-filter-2:v1.0.0 pullSecretRef: name: my-pull-secret - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 config: parameter1: value1 parameter2: value2 @@ -115,7 +115,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.test.com/wasm-filter-4.wasm - sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6 + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 config: parameter1: key1: value1 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml index 68cfaf92515..368c32a4055 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml @@ -13,7 +13,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6 + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 url: https://www.test.com/wasm-filter-4.wasm type: HTTP config: @@ -53,7 +53,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 url: https://www.example.com/wasm-filter-1.wasm type: HTTP config: @@ -68,7 +68,7 @@ envoyExtensionPolicies: group: null kind: null name: my-pull-secret - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-2:v1.0.0 type: Image config: @@ -277,7 +277,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.test.com/wasm-filter-4.wasm servingURL: https://envoy-gateway:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm - sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6 + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 name: envoyextensionpolicy/default/policy-for-http-route/wasm/0 wasmName: wasm-filter-4 hostname: www.example.com @@ -311,7 +311,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: 
diff --git a/internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml b/internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml
new file mode 100644
index 00000000000..bd9a316227e
--- /dev/null
+++ b/internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml
@@ -0,0 +1,119 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: direct-response + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - matches: + - path: + type: PathPrefix + value: /inline + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-inline + - matches: + - path: + type: PathPrefix + value: /value-ref + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: direct-response-with-errors + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - matches: + - path: + type: PathPrefix + value: /value-ref-not-found + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref-not-found +configMaps: +- apiVersion: v1 + kind: ConfigMap + metadata: + name: value-ref-response + namespace: default + data: + response.body: '{"error": "Internal Server Error"}' +httpFilters: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: direct-response-inline + namespace: default + spec: + directResponse: + contentType: text/plain + body: + type: Inline + inline: "OK" +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: direct-response-value-ref-not-exit + namespace: default + spec: + directResponse: + contentType: 
application/json + statusCode: 502 + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: value-ref-does-not-exist +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: direct-response-value-ref + namespace: default + spec: + directResponse: + contentType: application/json + statusCode: 502 + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: value-ref-response diff --git a/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml new file mode 100644 index 00000000000..29b6b051366 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml 
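Review bot: The error-case route `direct-response-with-errors` references an HTTPRouteFilter named `direct-response-value-ref-not-found`, but no entry under `httpFilters` has that name; the closest one is `direct-response-value-ref-not-exit`, which nothing references. As written the fixture appears to exercise only the "filter cannot be found" path, and the golden output's message (`Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found`) is consistent with that, so the ValueRef to the absent ConfigMap `value-ref-does-not-exist` is presumably never resolved. If the missing-ConfigMap case is the one meant to be covered, make the names agree, e.g. `name: direct-response-value-ref-not-found` on that `httpFilters` entry. If both failures are wanted, give each its own rule and add a `#` comment above each filter saying which failure it is there to trigger.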
@@ -0,0 +1,208 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: direct-response + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-inline + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /inline + - filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /value-ref + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + 
parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: direct-response-with-errors + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref-not-found + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /value-ref-not-found + status: + parents: + - conditions: + - lastTransitionTime: null + message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - addResponseHeaders: + - append: false + name: Content-Type + value: + - application/json + directResponse: + body: '{"error": 
"Internal Server Error"}' + statusCode: 502 + hostname: '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: HTTPRoute + name: direct-response + namespace: default + name: httproute/default/direct-response/rule/1/match/0/*_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /value-ref + - addResponseHeaders: + - append: false + name: Content-Type + value: + - text/plain + directResponse: + body: OK + statusCode: 200 + hostname: '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: HTTPRoute + name: direct-response + namespace: default + name: httproute/default/direct-response/rule/0/match/0/*_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /inline diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml new file mode 100644 index 00000000000..12aa992ef44 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml 
@@ -0,0 +1,55 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-a
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: default
+ port: 80
+ protocol: HTTP
+ hostname: '*.a.example.com'
+ allowedRoutes:
+ namespaces:
+ from: All
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-b
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: default
+ port: 80
+ protocol: HTTP
+ hostname: '*.b.example.com'
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: targeted-route
+ namespace: envoy-gateway
+ spec:
+ hostnames:
+ - targeted.a.example.com
+ - targeted.b.example.com
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-a
+ namespace: default
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-b
+ rules:
+ - matches:
+ - method: GET
+ path:
+ type: PathPrefix
+ value: /toy
diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml
new file mode 100644
index 00000000000..ba2f58b8667
--- /dev/null
+++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml
@@ -0,0 +1,249 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-a + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.a.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.b.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + 
kind: HTTPRoute + metadata: + creationTimestamp: null + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + namespace: default + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + namespace: default + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b +infraIR: + default/gateway-a: + proxy: + listeners: + - address: null + name: default/gateway-a/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-a + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-a + envoy-gateway/gateway-b: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-b/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-b + gateway.envoyproxy.io/owning-gateway-namespace: 
envoy-gateway + name: envoy-gateway/gateway-b +xdsIR: + default/gateway-a: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.a.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-a + namespace: default + sectionName: default + name: default/gateway-a/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.a.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_a_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy + envoy-gateway/gateway-b: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.b.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-b + namespace: envoy-gateway + sectionName: default + name: envoy-gateway/gateway-b/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.b.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_b_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml new file mode 100644 index 00000000000..6c9aa71d29c --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml 
@@ -0,0 +1,54 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-a
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: default
+ port: 80
+ protocol: HTTP
+ hostname: '*.a.example.com'
+ allowedRoutes:
+ namespaces:
+ from: All
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-b
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: default
+ port: 80
+ protocol: HTTP
+ hostname: '*.b.example.com'
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: targeted-route
+ namespace: envoy-gateway
+ spec:
+ hostnames:
+ - targeted.a.example.com
+ - targeted.b.example.com
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-a
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-b
+ rules:
+ - matches:
+ - method: GET
+ path:
+ type: PathPrefix
+ value: /toy
diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml
new file mode 100644
index 00000000000..4e6bef64b9e
--- /dev/null
+++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml
@@ -0,0 +1,247 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-a + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.a.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.b.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: 
gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b +infraIR: + envoy-gateway/gateway-a: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-a/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-a + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-a + envoy-gateway/gateway-b: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-b/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-b + 
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-b +xdsIR: + envoy-gateway/gateway-a: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.a.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-a + namespace: envoy-gateway + sectionName: default + name: envoy-gateway/gateway-a/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.a.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_a_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy + envoy-gateway/gateway-b: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.b.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-b + namespace: envoy-gateway + sectionName: default + name: envoy-gateway/gateway-b/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.b.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_b_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index 7184326fd62..39200342a5f 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go 
@@ -833,7 +833,7 @@ type mockWasmCache struct{} func (m *mockWasmCache) Start(_ context.Context) {} -func (m *mockWasmCache) Get(downloadURL string, _ wasm.GetOptions) (url string, checksum string, err error) { +func (m *mockWasmCache) Get(downloadURL string, options wasm.GetOptions) (url string, checksum string, err error) { // This is a mock implementation of the wasm.Cache.Get method. sha := sha256.Sum256([]byte(downloadURL)) hashedName := hex.EncodeToString(sha[:]) @@ -841,6 +841,9 @@ func (m *mockWasmCache) Get(downloadURL string, _ wasm.GetOptions) (url string, salt = append(salt, hashedName...) sha = sha256.Sum256(salt) checksum = hex.EncodeToString(sha[:]) + if options.Checksum != "" && checksum != options.Checksum { + return "", "", fmt.Errorf("module downloaded from %v has checksum %v, which does not match: %v", downloadURL, checksum, options.Checksum) + } return fmt.Sprintf("https://envoy-gateway:18002/%s.wasm", hashedName), checksum, nil } diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index bd91d900bb1..de77e642413 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml @@ -132,7 +132,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index 678eebb7cac..40b825d6f45 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml 
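Review bot: The new checksum check in `mockWasmCache.Get` makes every wasm fixture's `sha256:` depend on this mock's salted hash of the download URL, and nothing in the function says so. That is why the digests in the `*.in.yaml` and `*.out.yaml` files change in this same commit. I would put a comment above the added `if`, for example `// Fixture sha256 values must equal the checksum derived above; recompute them if the salt or the URL changes.` None of the fixtures visible in this part of the diff carries a deliberately wrong `sha256`, so the mismatch branch looks untested here. A negative case asserting the resulting policy status would cover the integrity check itself rather than only the matching path. `Get` begins in the preceding hunk and the salt definition lies outside both hunks.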
@@ -309,7 +309,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 4cc285a5ea4..5179f48790b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -308,7 +308,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index adf1b404e14..94bfc77c036 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 2ce6d9c6af1..ed5f24779f0 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -270,7 +270,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 6642390520f..276b43fc833 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -312,7 +312,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index bcd59e73c0f..78c7fbc8dcf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -308,7 +308,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 255c6f51836..573c8533064 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index ee1d74b0f16..56d527631de 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -312,7 +312,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 479bc91bd4d..a3d0f681ea3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -304,7 +304,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index 6f5a0d8f56a..20bca921e0c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml @@ -132,7 +132,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index faf8ffd633a..a51fecae8e6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -301,7 +301,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 74ca2ad98bc..990a14c8c8b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 5ac43575566..95ed6340e84 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index a2cee5d74e0..e7a7a5178c1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 25bd6953106..b1fca786103 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index 077b6c6c56a..e26e671999d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -135,7 +135,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index dd24ac2fe8a..5c8c25c3ee4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -136,7 +136,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 31841738dee..6c0cbc04bb8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -314,7 +314,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index a81f3c8335a..a3cec93422c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -316,7 +316,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index d90e6910a18..0dfc140ba9a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -313,7 +313,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 29197f2651c..95548c10f00 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index ec1ee123a7c..ba8d010d140 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -274,7 +274,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 53220f06d29..8dffdf1ea01 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -317,7 +317,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index ce139b7cc78..57307b4ce84 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -312,7 +312,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 61a19e54bd0..b3f7fa5a175 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 62deebaba1e..bf360eb4d2b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -317,7 +317,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index c24f94fe8fc..952e346c5af 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -308,7 +308,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index b13b6dbcced..0bd2860f6a5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -136,7 +136,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index ab2641ff65c..8153e5d31f9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -302,7 +302,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index f6ba26eab7c..7154978a93f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -305,7 +305,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index 96588389310..d60f94518b8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 16eb12b15e9..70023ba7e1b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 6512c7a9dca..d780886d3fb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 9c2a3e62192..1ccafdc751f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/ir/infra.go b/internal/ir/infra.go index 8bf433785fb..7044b695fda 100644 
--- a/internal/ir/infra.go +++ b/internal/ir/infra.go @@ -36,7 +36,7 @@ func (i *Infra) YAMLString() string { } func (i *Infra) JSONString() string { - j, _ := json.MarshalIndent(i, "", "\t") + j, _ := json.Marshal(i) return string(j) } diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 10c418af462..5e26af0f479 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -181,7 +181,7 @@ func (x *Xds) YAMLString() string { } func (x *Xds) JSONString() string { - j, _ := json.MarshalIndent(x.Printable(), "", "\t") + j, _ := json.Marshal(x.Printable()) return string(j) } diff --git a/internal/kubernetes/port_forwarder.go b/internal/kubernetes/port_forwarder.go index 176610dab3e..8e88b9c0212 100644 --- a/internal/kubernetes/port_forwarder.go +++ b/internal/kubernetes/port_forwarder.go @@ -8,8 +8,10 @@ package kubernetes import ( "fmt" "io" + "net" "net/http" "os" + "strconv" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/rest" @@ -134,5 +136,5 @@ func (f *localForwarder) WaitForStop() { } func (f *localForwarder) Address() string { - return fmt.Sprintf("%s:%d", netutil.DefaultLocalAddress, f.localPort) + return net.JoinHostPort(netutil.DefaultLocalAddress, strconv.Itoa(f.localPort)) } diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 06d9dc39a0d..28a0eafaa77 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -65,6 +65,21 @@ type gatewayAPIReconciler struct { resources *message.ProviderResources extGVKs []schema.GroupVersionKind extServerPolicies []schema.GroupVersionKind + + backendCRDExists bool + bTLSPolicyCRDExists bool + btpCRDExists bool + ctpCRDExists bool + eepCRDExists bool + epCRDExists bool + eppCRDExists bool + hrfCRDExists bool + grpcRouteCRDExists bool + serviceImportCRDExists bool + spCRDExists bool + tcpRouteCRDExists bool + tlsRouteCRDExists bool + udpRouteCRDExists bool } // newGatewayAPIController 
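Review bot: The marshal error is still thrown away on the new line `j, _ := json.Marshal(i)`, and likewise on `json.Marshal(x.Printable())` in the xds.go hunk, so a failed encode yields an empty string that a caller cannot tell apart from real output. Because the signature returns only a string, the least intrusive fix is to document it on both methods: `// JSONString returns the compact JSON encoding; marshal errors are ignored and produce an empty string.` Moving from tab-indented to compact output also changes the text byte for byte, so any golden file or log comparison that consumed the old format should be checked.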
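Review bot: The fourteen new `*CRDExists` fields are undocumented and use mixed abbreviations (`bTLSPolicyCRDExists`, `btpCRDExists`, `hrfCRDExists`, `spCRDExists`), so it is hard to tell which CRD each flag guards. A group comment above them would help, for example `// CRD presence flags, populated in watchResources; a false value makes Reconcile skip that kind.` (two of the assignments are visible in the watchResources hunks, the rest are presumably set the same way). Spelling the short ones out, e.g. `securityPolicyCRDExists`, would match `serviceImportCRDExists` and `grpcRouteCRDExists`. The struct declaration begins above this hunk.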
@@ -197,42 +212,55 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques return reconcile.Result{}, err } - // Add all EnvoyPatchPolicies to the resourceTree - if err = r.processEnvoyPatchPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.eppCRDExists { + // Add all EnvoyPatchPolicies to the resourceTree + if err = r.processEnvoyPatchPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - - // Add all ClientTrafficPolicies and their referenced resources to the resourceTree - if err = r.processClientTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.ctpCRDExists { + // Add all ClientTrafficPolicies and their referenced resources to the resourceTree + if err = r.processClientTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all BackendTrafficPolicies to the resourceTree - if err = r.processBackendTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.btpCRDExists { + // Add all BackendTrafficPolicies to the resourceTree + if err = r.processBackendTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all SecurityPolicies and their referenced resources to the resourceTree - if err = r.processSecurityPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.spCRDExists { + // Add all SecurityPolicies and their referenced resources to the resourceTree + if err = r.processSecurityPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all BackendTLSPolies to the resourceTree - if err = r.processBackendTLSPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.bTLSPolicyCRDExists { + // Add all 
BackendTLSPolies to the resourceTree + if err = r.processBackendTLSPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all EnvoyExtensionPolicies and their referenced resources to the resourceTree - if err = r.processEnvoyExtensionPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.eepCRDExists { + // Add all EnvoyExtensionPolicies and their referenced resources to the resourceTree + if err = r.processEnvoyExtensionPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } if err = r.processExtensionServerPolicies(ctx, gwcResource); err != nil { return reconcile.Result{}, err } - if err = r.processBackends(ctx, gwcResource); err != nil { - return reconcile.Result{}, err + if r.backendCRDExists { + if err = r.processBackends(ctx, gwcResource); err != nil { + return reconcile.Result{}, err + } } // Add the referenced services, ServiceImports, and EndpointSlices in @@ -336,7 +364,7 @@ func (r *gatewayAPIReconciler) managedGatewayClasses(ctx context.Context) ([]*gw // so clean-up dependents. if !gwClass.DeletionTimestamp.IsZero() && !slice.ContainsString(gwClass.Finalizers, gatewayClassFinalizer) { - r.log.Info("gatewayclass marked for deletion") + r.log.Info("gatewayclass marked for deletion", "name", gwClass.Name) cc.removeMatch(&gwClass) continue } 
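Review bot: When `r.spCRDExists`, `r.ctpCRDExists` or any of the other flags is false, the matching `process…Policies` call is skipped with no log line and no status, so Reconcile carries on as if no such policies existed. The flags default to false, and the assignments visible in this diff are made once during watch setup, so a SecurityPolicy CRD installed after start-up would presumably leave routes programmed without their security policies until the controller restarts. At minimum I would document that next to the gate, `// spCRDExists is evaluated at start-up; if false, SecurityPolicies are ignored until restart.`, and consider failing closed for SecurityPolicy. The same gating pattern is used in the two processGateways hunks, and Reconcile itself starts and ends outside this hunk.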
@@ -383,8 +411,9 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour "name", string(backendRef.Name)) } else { resourceMappings.allAssociatedNamespaces.Insert(serviceImport.Namespace) - if !resourceMappings.allAssociatedServiceImports.Has(utils.NamespacedName(serviceImport).String()) { - resourceMappings.allAssociatedServiceImports.Insert(utils.NamespacedName(serviceImport).String()) + key := utils.NamespacedName(serviceImport).String() + if !resourceMappings.allAssociatedServiceImports.Has(key) { + resourceMappings.allAssociatedServiceImports.Insert(key) gwcResource.ServiceImports = append(gwcResource.ServiceImports, serviceImport) r.log.Info("added ServiceImport to resource tree", "namespace", string(*backendRef.Namespace), "name", string(backendRef.Name)) @@ -399,11 +428,14 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour r.log.Error(err, "failed to get Backend", "namespace", string(*backendRef.Namespace), "name", string(backendRef.Name)) } else { - resourceMappings.allAssociatedNamespaces[backend.Namespace] = struct{}{} - backend.Status = egv1a1.BackendStatus{} - gwcResource.Backends = append(gwcResource.Backends, backend) - r.log.Info("added Backend to resource tree", "namespace", string(*backendRef.Namespace), - "name", string(backendRef.Name)) + resourceMappings.allAssociatedNamespaces.Insert(backend.Namespace) + key := utils.NamespacedName(backend).String() + if !resourceMappings.allAssociatedBackends.Has(key) { + resourceMappings.allAssociatedBackends.Insert(key) + gwcResource.Backends = append(gwcResource.Backends, backend) + r.log.Info("added Backend to resource tree", "namespace", string(*backendRef.Namespace), + "name", string(backendRef.Name)) + } } } 
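Review bot: The rewritten Backend branch no longer clears the status before appending, because `backend.Status = egv1a1.BackendStatus{}` was dropped when the dedup through `allAssociatedBackends` was added. The Gateway path in this same file still resets status with the comment "Discard Status to reduce memory consumption in watchable", so unless Backend status is now cleared somewhere outside this hunk, the line should be kept inside the new `if !resourceMappings.allAssociatedBackends.Has(key)` block just before the `append`. processBackendRefs starts and ends outside the hunk.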
@@ -414,17 +446,18 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour client.MatchingLabels(map[string]string{ endpointSliceLabelKey: string(backendRef.Name), }), - client.InNamespace(string(*backendRef.Namespace)), + client.InNamespace(*backendRef.Namespace), } if err := r.client.List(ctx, endpointSliceList, opts...); err != nil { r.log.Error(err, "failed to get EndpointSlices", "namespace", string(*backendRef.Namespace), backendRefKind, string(backendRef.Name)) } else { for _, endpointSlice := range endpointSliceList.Items { - endpointSlice := endpointSlice //nolint:copyloopvar - if !resourceMappings.allAssociatedEndpointSlices.Has(utils.NamespacedName(&endpointSlice).String()) { - resourceMappings.allAssociatedEndpointSlices.Insert(utils.NamespacedName(&endpointSlice).String()) - r.log.Info("added EndpointSlice to resource tree", "namespace", endpointSlice.Namespace, + key := utils.NamespacedName(&endpointSlice).String() + if !resourceMappings.allAssociatedEndpointSlices.Has(key) { + resourceMappings.allAssociatedEndpointSlices.Insert(key) + r.log.Info("added EndpointSlice to resource tree", + "namespace", endpointSlice.Namespace, "name", endpointSlice.Name) gwcResource.EndpointSlices = append(gwcResource.EndpointSlices, &endpointSlice) } @@ -567,8 +600,9 @@ func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resour return } - if !resourceMap.allAssociatedSecrets.Has(utils.NamespacedName(&secret).String()) { - resourceMap.allAssociatedSecrets.Insert(utils.NamespacedName(&secret).String()) + key := utils.NamespacedName(&secret).String() + if !resourceMap.allAssociatedSecrets.Has(key) { + resourceMap.allAssociatedSecrets.Insert(key) resourceTree.Secrets = append(resourceTree.Secrets, &secret) r.log.Info("processing OIDC HMAC Secret", "namespace", r.namespace, "name", oidcHMACSecretName) } 
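Review bot: `&endpointSlice` is now taken straight from the range variable after the `endpointSlice := endpointSlice` copy was removed, which is only correct with the per-iteration loop variables of Go 1.22 and later. The removed `//nolint:copyloopvar` suggests the module already targets that version, but the `go` directive in go.mod is worth confirming. Under the older semantics every pointer appended to `gwcResource.EndpointSlices` would refer to the same variable. A one-line comment such as `// each iteration has its own endpointSlice (Go 1.22+), so taking its address is safe` would record the assumption.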
@@ -625,9 +659,10 @@ func (r *gatewayAPIReconciler) processSecretRef( } } } - resourceMap.allAssociatedNamespaces.Insert(secretNS) // TODO Zhaohuabing do we need this line? - if !resourceMap.allAssociatedSecrets.Has(utils.NamespacedName(secret).String()) { - resourceMap.allAssociatedSecrets.Insert(utils.NamespacedName(secret).String()) + resourceMap.allAssociatedNamespaces.Insert(secretNS) + key := utils.NamespacedName(secret).String() + if !resourceMap.allAssociatedSecrets.Has(key) { + resourceMap.allAssociatedSecrets.Insert(key) resourceTree.Secrets = append(resourceTree.Secrets, secret) r.log.Info("processing Secret", "namespace", secretNS, "name", string(secretRef.Name)) } @@ -733,7 +768,7 @@ func (r *gatewayAPIReconciler) processConfigMapRef( } } } - resourceMap.allAssociatedNamespaces.Insert(configMapNS) // TODO Zhaohuabing do we need this line? + resourceMap.allAssociatedNamespaces.Insert(configMapNS) if !resourceMap.allAssociatedConfigMaps.Has(utils.NamespacedName(configMap).String()) { resourceMap.allAssociatedConfigMaps.Insert(utils.NamespacedName(configMap).String()) resourceTree.ConfigMaps = append(resourceTree.ConfigMaps, configMap) @@ -898,9 +933,12 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g gtwNamespacedName := utils.NamespacedName(>w).String() // Route Processing - // Get TLSRoute objects and check if it exists. - if err := r.processTLSRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + + if r.tlsRouteCRDExists { + // Get TLSRoute objects and check if it exists. + if err := r.processTLSRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } // Get HTTPRoute objects and check if it exists. 
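Review bot: processConfigMapRef still calls `utils.NamespacedName(configMap).String()` twice, while the processSecretRef hunk above it and the other dedup sites in this commit now hoist that value into `key`. For consistency I would write `key := utils.NamespacedName(configMap).String()` and then use `Has(key)` and `Insert(key)` here as well. The function continues outside the hunk.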
@@ -908,21 +946,26 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g return err } - // Get GRPCRoute objects and check if it exists. - if err := r.processGRPCRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + if r.grpcRouteCRDExists { + // Get GRPCRoute objects and check if it exists. + if err := r.processGRPCRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } - // Get TCPRoute objects and check if it exists. - if err := r.processTCPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + if r.tcpRouteCRDExists { + // Get TCPRoute objects and check if it exists. + if err := r.processTCPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } - // Get UDPRoute objects and check if it exists. - if err := r.processUDPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + if r.udpRouteCRDExists { + // Get UDPRoute objects and check if it exists. + if err := r.processUDPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } - // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer gtw.Status = gwapiv1.GatewayStatus{} 
@@ -1115,24 +1158,30 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return fmt.Errorf("failed to watch GatewayClass: %w", err) } - epPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyProxy]{ - &predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyProxy]{}, - } - if r.namespaceLabel != nil { - epPredicates = append(epPredicates, predicate.NewTypedPredicateFuncs(func(ep *egv1a1.EnvoyProxy) bool { - return r.hasMatchingNamespaceLabels(ep) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.EnvoyProxy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, t *egv1a1.EnvoyProxy) []reconcile.Request { - return r.enqueueClass(ctx, t) - }), - epPredicates...)); err != nil { - return err - } - if err := addEnvoyProxyIndexers(ctx, mgr); err != nil { - return err + r.epCRDExists = r.crdExists(mgr, resource.KindEnvoyProxy, egv1a1.GroupVersion.String()) + if !r.epCRDExists { + r.log.Info("EnvoyProxy CRD not found, skipping EnvoyProxy watch") + } else { + epPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyProxy]{ + &predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyProxy]{}, + } + if r.namespaceLabel != nil { + epPredicates = append(epPredicates, predicate.NewTypedPredicateFuncs(func(ep *egv1a1.EnvoyProxy) bool { + return r.hasMatchingNamespaceLabels(ep) + })) + } + + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.EnvoyProxy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, t *egv1a1.EnvoyProxy) []reconcile.Request { + return r.enqueueClass(ctx, t) + }), + epPredicates...)); err != nil { + return err + } + if err := addEnvoyProxyIndexers(ctx, mgr); err != nil { + return err + } } // Watch Gateway CRUDs and reconcile affected GatewayClass. 
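Review bot: `r.epCRDExists` is evaluated once, inside watchResources, so an EnvoyProxy CRD installed after the controller has started is never watched, and nothing in these hunks re-checks it. The log line could say so, for example `r.log.Info("EnvoyProxy CRD not found, skipping EnvoyProxy watch; the CRD is only detected at startup")`, and the field could carry a comment stating that it reflects startup state only. The same pattern repeats in the later watchResources hunks for GRPCRoute, TLSRoute, UDPRoute, TCPRoute, Backend, EnvoyPatchPolicy, ClientTrafficPolicy, BackendTrafficPolicy, SecurityPolicy, BackendTLSPolicy, EnvoyExtensionPolicy and HTTPRouteFilter. It matters most for the policy kinds, where a SecurityPolicy CRD added later would presumably leave its policies unreconciled without any error. watchResources begins and ends outside this hunk.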
@@ -1182,92 +1231,113 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - // Watch GRPCRoute CRUDs and process affected Gateways. - grpcrPredicates := []predicate.TypedPredicate[*gwapiv1.GRPCRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1.GRPCRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1.GRPCRoute]{}), - } - if r.namespaceLabel != nil { - grpcrPredicates = append(grpcrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1.GRPCRoute](func(grpc *gwapiv1.GRPCRoute) bool { - return r.hasMatchingNamespaceLabels(grpc) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1.GRPCRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1.GRPCRoute](func(ctx context.Context, route *gwapiv1.GRPCRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - grpcrPredicates...)); err != nil { - return err - } - if err := addGRPCRouteIndexers(ctx, mgr); err != nil { - return err + // TODO: Remove this optional check once most cloud providers and service meshes support GRPCRoute v1 + r.grpcRouteCRDExists = r.crdExists(mgr, resource.KindGRPCRoute, gwapiv1.GroupVersion.String()) + if !r.grpcRouteCRDExists { + r.log.Info("GRPCRoute CRD not found, skipping GRPCRoute watch") + } else { + // Watch GRPCRoute CRUDs and process affected Gateways. 
+ grpcrPredicates := []predicate.TypedPredicate[*gwapiv1.GRPCRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1.GRPCRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1.GRPCRoute]{}), + } + if r.namespaceLabel != nil { + grpcrPredicates = append(grpcrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1.GRPCRoute](func(grpc *gwapiv1.GRPCRoute) bool { + return r.hasMatchingNamespaceLabels(grpc) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1.GRPCRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1.GRPCRoute](func(ctx context.Context, route *gwapiv1.GRPCRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + grpcrPredicates...)); err != nil { + return err + } + if err := addGRPCRouteIndexers(ctx, mgr); err != nil { + return err + } } - // Watch TLSRoute CRUDs and process affected Gateways. - tlsrPredicates := []predicate.TypedPredicate[*gwapiv1a2.TLSRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TLSRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1a2.TLSRoute]{}), - } - if r.namespaceLabel != nil { - tlsrPredicates = append(tlsrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TLSRoute](func(route *gwapiv1a2.TLSRoute) bool { - return r.hasMatchingNamespaceLabels(route) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.TLSRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TLSRoute](func(ctx context.Context, route *gwapiv1a2.TLSRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - tlsrPredicates...)); err != nil { - return err - } - if err := addTLSRouteIndexers(ctx, mgr); err != nil { - return err + r.tlsRouteCRDExists = r.crdExists(mgr, resource.KindTLSRoute, gwapiv1a2.GroupVersion.String()) + if !r.tlsRouteCRDExists { + r.log.Info("TLSRoute CRD not found, skipping TLSRoute watch") + } else { + // Watch TLSRoute CRUDs and process affected Gateways. 
+ tlsrPredicates := []predicate.TypedPredicate[*gwapiv1a2.TLSRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TLSRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.TLSRoute]{}), + } + if r.namespaceLabel != nil { + tlsrPredicates = append(tlsrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TLSRoute](func(route *gwapiv1a2.TLSRoute) bool { + return r.hasMatchingNamespaceLabels(route) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a2.TLSRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TLSRoute](func(ctx context.Context, route *gwapiv1a2.TLSRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + tlsrPredicates...)); err != nil { + return err + } + if err := addTLSRouteIndexers(ctx, mgr); err != nil { + return err + } } - // Watch UDPRoute CRUDs and process affected Gateways. - udprPredicates := []predicate.TypedPredicate[*gwapiv1a2.UDPRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.UDPRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1a2.UDPRoute]{}), - } - if r.namespaceLabel != nil { - udprPredicates = append(udprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.UDPRoute](func(route *gwapiv1a2.UDPRoute) bool { - return r.hasMatchingNamespaceLabels(route) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.UDPRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.UDPRoute](func(ctx context.Context, route *gwapiv1a2.UDPRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - udprPredicates...)); err != nil { - return err - } - if err := addUDPRouteIndexers(ctx, mgr); err != nil { - return err + r.udpRouteCRDExists = r.crdExists(mgr, resource.KindUDPRoute, gwapiv1a2.GroupVersion.String()) + if !r.udpRouteCRDExists { + r.log.Info("UDPRoute CRD not found, skipping UDPRoute watch") + } else { + // Watch UDPRoute CRUDs and process affected Gateways. 
+ udprPredicates := []predicate.TypedPredicate[*gwapiv1a2.UDPRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.UDPRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.UDPRoute]{}), + } + if r.namespaceLabel != nil { + udprPredicates = append(udprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.UDPRoute](func(route *gwapiv1a2.UDPRoute) bool { + return r.hasMatchingNamespaceLabels(route) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a2.UDPRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.UDPRoute](func(ctx context.Context, route *gwapiv1a2.UDPRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + udprPredicates...)); err != nil { + return err + } + if err := addUDPRouteIndexers(ctx, mgr); err != nil { + return err + } } - // Watch TCPRoute CRUDs and process affected Gateways. - tcprPredicates := []predicate.TypedPredicate[*gwapiv1a2.TCPRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TCPRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1a2.TCPRoute]{}), - } - if r.namespaceLabel != nil { - tcprPredicates = append(tcprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TCPRoute](func(route *gwapiv1a2.TCPRoute) bool { - return r.hasMatchingNamespaceLabels(route) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.TCPRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TCPRoute](func(ctx context.Context, route *gwapiv1a2.TCPRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - tcprPredicates...)); err != nil { - return err - } - if err := addTCPRouteIndexers(ctx, mgr); err != nil { - return err + r.tcpRouteCRDExists = r.crdExists(mgr, resource.KindTCPRoute, gwapiv1a2.GroupVersion.String()) + if !r.tcpRouteCRDExists { + r.log.Info("TCPRoute CRD not found, skipping TCPRoute watch") + } else { + // Watch TCPRoute CRUDs and process affected Gateways. 
+ tcprPredicates := []predicate.TypedPredicate[*gwapiv1a2.TCPRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TCPRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.TCPRoute]{}), + } + if r.namespaceLabel != nil { + tcprPredicates = append(tcprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TCPRoute](func(route *gwapiv1a2.TCPRoute) bool { + return r.hasMatchingNamespaceLabels(route) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a2.TCPRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TCPRoute](func(ctx context.Context, route *gwapiv1a2.TCPRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + tcprPredicates...)); err != nil { + return err + } + if err := addTCPRouteIndexers(ctx, mgr); err != nil { + return err + } } // Watch Service CRUDs and process affected *Route objects. @@ -1291,11 +1361,10 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } // Watch ServiceImport CRUDs and process affected *Route objects. - serviceImportCRDExists := r.serviceImportCRDExists(mgr) - if !serviceImportCRDExists { + r.serviceImportCRDExists = r.crdExists(mgr, resource.KindServiceImport, mcsapiv1a1.GroupVersion.String()) + if !r.serviceImportCRDExists { r.log.Info("ServiceImport CRD not found, skipping ServiceImport watch") - } - if serviceImportCRDExists { + } else { if err := c.Watch( source.Kind(mgr.GetCache(), &mcsapiv1a1.ServiceImport{}, handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, si *mcsapiv1a1.ServiceImport) []reconcile.Request { 
@@ -1331,8 +1400,11 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - // Watch Backend CRUDs and process affected *Route objects. - if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableBackend { + r.backendCRDExists = r.crdExists(mgr, resource.KindBackend, egv1a1.GroupVersion.String()) + if !r.backendCRDExists { + r.log.Info("Backend CRD not found, skipping Backend watch") + } else if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableBackend { + // Watch Backend CRUDs and process affected *Route objects. backendPredicates := []predicate.TypedPredicate[*egv1a1.Backend]{ predicate.TypedGenerationChangedPredicate[*egv1a1.Backend]{}, predicate.NewTypedPredicateFuncs[*egv1a1.Backend](func(be *egv1a1.Backend) bool { @@ -1478,7 +1550,10 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy { + r.eppCRDExists = r.crdExists(mgr, resource.KindEnvoyPatchPolicy, egv1a1.GroupVersion.String()) + if !r.eppCRDExists { + r.log.Info("EnvoyPatchPolicy CRD not found, skipping EnvoyPatchPolicy watch") + } else if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy { // Watch EnvoyPatchPolicy if enabled in config eppPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyPatchPolicy]{ predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyPatchPolicy]{}, 
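Review bot: The Backend hunk calls `r.crdExists` before it looks at `ExtensionAPIs.EnableBackend`, so a deployment with the Backend API switched off still performs the discovery call and, when the CRD is absent, logs "Backend CRD not found" for a feature that is disabled. In the opposite case, with the API explicitly enabled but the CRD missing, the mismatch is reported only at Info level and the watch is quietly dropped. Testing the configuration first and returning an error for "enabled but CRD missing" would make that misconfiguration visible; the EnvoyPatchPolicy hunk on `r.eppCRDExists` has the same shape. Whether other code reads `r.backendCRDExists` while the API is disabled is not visible here, so the field may still need a value in both cases.

```go
if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableBackend {
	r.backendCRDExists = r.crdExists(mgr, resource.KindBackend, egv1a1.GroupVersion.String())
	if !r.backendCRDExists {
		return fmt.Errorf("extension API Backend is enabled but its CRD is not installed")
	}
	// … unchanged: Backend predicates, c.Watch and indexers …
```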
@@ -1499,118 +1574,143 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } } - // Watch ClientTrafficPolicy - ctpPredicates := []predicate.TypedPredicate[*egv1a1.ClientTrafficPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.ClientTrafficPolicy]{}, - } - if r.namespaceLabel != nil { - ctpPredicates = append(ctpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.ClientTrafficPolicy](func(ctp *egv1a1.ClientTrafficPolicy) bool { - return r.hasMatchingNamespaceLabels(ctp) - })) - } + r.ctpCRDExists = r.crdExists(mgr, resource.KindClientTrafficPolicy, egv1a1.GroupVersion.String()) + if !r.ctpCRDExists { + r.log.Info("ClientTrafficPolicy CRD not found, skipping ClientTrafficPolicy watch") + } else { + // Watch ClientTrafficPolicy + ctpPredicates := []predicate.TypedPredicate[*egv1a1.ClientTrafficPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.ClientTrafficPolicy]{}, + } + if r.namespaceLabel != nil { + ctpPredicates = append(ctpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.ClientTrafficPolicy](func(ctp *egv1a1.ClientTrafficPolicy) bool { + return r.hasMatchingNamespaceLabels(ctp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.ClientTrafficPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, ctp *egv1a1.ClientTrafficPolicy) []reconcile.Request { - return r.enqueueClass(ctx, ctp) - }), - ctpPredicates...)); err != nil { - return err - } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.ClientTrafficPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, ctp *egv1a1.ClientTrafficPolicy) []reconcile.Request { + return r.enqueueClass(ctx, ctp) + }), + ctpPredicates...)); err != nil { + return err + } - if err := addCtpIndexers(ctx, mgr); err != nil { - return err + if err := addCtpIndexers(ctx, mgr); err != nil { + return err + } } - // Watch BackendTrafficPolicy - btpPredicates := 
[]predicate.TypedPredicate[*egv1a1.BackendTrafficPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.BackendTrafficPolicy]{}, - } - if r.namespaceLabel != nil { - btpPredicates = append(btpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.BackendTrafficPolicy](func(btp *egv1a1.BackendTrafficPolicy) bool { - return r.hasMatchingNamespaceLabels(btp) - })) - } + r.btpCRDExists = r.crdExists(mgr, resource.KindBackendTrafficPolicy, egv1a1.GroupVersion.String()) + if !r.btpCRDExists { + r.log.Info("BackendTrafficPolicy CRD not found, skipping BackendTrafficPolicy watch") + } else { + // Watch BackendTrafficPolicy + btpPredicates := []predicate.TypedPredicate[*egv1a1.BackendTrafficPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.BackendTrafficPolicy]{}, + } + if r.namespaceLabel != nil { + btpPredicates = append(btpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.BackendTrafficPolicy](func(btp *egv1a1.BackendTrafficPolicy) bool { + return r.hasMatchingNamespaceLabels(btp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.BackendTrafficPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *egv1a1.BackendTrafficPolicy) []reconcile.Request { - return r.enqueueClass(ctx, btp) - }), - btpPredicates...)); err != nil { - return err - } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.BackendTrafficPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *egv1a1.BackendTrafficPolicy) []reconcile.Request { + return r.enqueueClass(ctx, btp) + }), + btpPredicates...)); err != nil { + return err + } - if err := addBtpIndexers(ctx, mgr); err != nil { - return err + if err := addBtpIndexers(ctx, mgr); err != nil { + return err + } } - // Watch SecurityPolicy - spPredicates := []predicate.TypedPredicate[*egv1a1.SecurityPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.SecurityPolicy]{}, - } - if r.namespaceLabel != nil { - spPredicates = append(spPredicates, 
predicate.NewTypedPredicateFuncs[*egv1a1.SecurityPolicy](func(sp *egv1a1.SecurityPolicy) bool { - return r.hasMatchingNamespaceLabels(sp) - })) - } + r.spCRDExists = r.crdExists(mgr, resource.KindSecurityPolicy, egv1a1.GroupVersion.String()) + if !r.spCRDExists { + r.log.Info("SecurityPolicy CRD not found, skipping SecurityPolicy watch") + } else { + // Watch SecurityPolicy + spPredicates := []predicate.TypedPredicate[*egv1a1.SecurityPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.SecurityPolicy]{}, + } + if r.namespaceLabel != nil { + spPredicates = append(spPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.SecurityPolicy](func(sp *egv1a1.SecurityPolicy) bool { + return r.hasMatchingNamespaceLabels(sp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.SecurityPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, sp *egv1a1.SecurityPolicy) []reconcile.Request { - return r.enqueueClass(ctx, sp) - }), - spPredicates...)); err != nil { - return err - } - if err := addSecurityPolicyIndexers(ctx, mgr); err != nil { - return err + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.SecurityPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, sp *egv1a1.SecurityPolicy) []reconcile.Request { + return r.enqueueClass(ctx, sp) + }), + spPredicates...)); err != nil { + return err + } + if err := addSecurityPolicyIndexers(ctx, mgr); err != nil { + return err + } } - // Watch BackendTLSPolicy - btlsPredicates := []predicate.TypedPredicate[*gwapiv1a3.BackendTLSPolicy]{ - predicate.TypedGenerationChangedPredicate[*gwapiv1a3.BackendTLSPolicy]{}, - } - if r.namespaceLabel != nil { - btlsPredicates = append(btlsPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a3.BackendTLSPolicy](func(btp *gwapiv1a3.BackendTLSPolicy) bool { - return r.hasMatchingNamespaceLabels(btp) - })) - } + r.bTLSPolicyCRDExists = r.crdExists(mgr, resource.KindBackendTLSPolicy, gwapiv1a3.GroupVersion.String()) + if 
!r.bTLSPolicyCRDExists { + r.log.Info("BackendTLSPolicy CRD not found, skipping BackendTLSPolicy watch") + } else { + // Watch BackendTLSPolicy + btlsPredicates := []predicate.TypedPredicate[*gwapiv1a3.BackendTLSPolicy]{ + predicate.TypedGenerationChangedPredicate[*gwapiv1a3.BackendTLSPolicy]{}, + } + if r.namespaceLabel != nil { + btlsPredicates = append(btlsPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a3.BackendTLSPolicy](func(btp *gwapiv1a3.BackendTLSPolicy) bool { + return r.hasMatchingNamespaceLabels(btp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a3.BackendTLSPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *gwapiv1a3.BackendTLSPolicy) []reconcile.Request { - return r.enqueueClass(ctx, btp) - }), - btlsPredicates...)); err != nil { - return err - } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a3.BackendTLSPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *gwapiv1a3.BackendTLSPolicy) []reconcile.Request { + return r.enqueueClass(ctx, btp) + }), + btlsPredicates...)); err != nil { + return err + } - if err := addBtlsIndexers(ctx, mgr); err != nil { - return err + if err := addBtlsIndexers(ctx, mgr); err != nil { + return err + } } - // Watch EnvoyExtensionPolicy - eepPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyExtensionPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyExtensionPolicy]{}, - } - if r.namespaceLabel != nil { - eepPredicates = append(eepPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.EnvoyExtensionPolicy](func(eep *egv1a1.EnvoyExtensionPolicy) bool { - return r.hasMatchingNamespaceLabels(eep) - })) - } + r.eepCRDExists = r.crdExists(mgr, resource.KindEnvoyExtensionPolicy, egv1a1.GroupVersion.String()) + if !r.eepCRDExists { + r.log.Info("EnvoyExtensionPolicy CRD not found, skipping EnvoyExtensionPolicy watch") + } else { + // Watch EnvoyExtensionPolicy + eepPredicates := 
[]predicate.TypedPredicate[*egv1a1.EnvoyExtensionPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyExtensionPolicy]{}, + } + if r.namespaceLabel != nil { + eepPredicates = append(eepPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.EnvoyExtensionPolicy](func(eep *egv1a1.EnvoyExtensionPolicy) bool { + return r.hasMatchingNamespaceLabels(eep) + })) + } - // Watch EnvoyExtensionPolicy CRUDs - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.EnvoyExtensionPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, eep *egv1a1.EnvoyExtensionPolicy) []reconcile.Request { - return r.enqueueClass(ctx, eep) - }), - eepPredicates...)); err != nil { - return err - } - if err := addEnvoyExtensionPolicyIndexers(ctx, mgr); err != nil { - return err + // Watch EnvoyExtensionPolicy CRUDs + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.EnvoyExtensionPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, eep *egv1a1.EnvoyExtensionPolicy) []reconcile.Request { + return r.enqueueClass(ctx, eep) + }), + eepPredicates...)); err != nil { + return err + } + if err := addEnvoyExtensionPolicyIndexers(ctx, mgr); err != nil { + return err + } } r.log.Info("Watching gatewayAPI related objects") 
@@ -1649,31 +1749,35 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M r.log.Info("Watching additional policy resource", "resource", gvk.String()) } - // Watch HTTPRouteFilter CRUDs and process affected HTTPRoute objects. - httpRouteFilter := []predicate.TypedPredicate[*egv1a1.HTTPRouteFilter]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.HTTPRouteFilter]{}, - predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { - return r.validateHTTPRouteFilterForReconcile(be) - }), - } - if r.namespaceLabel != nil { - httpRouteFilter = append(httpRouteFilter, predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { - return r.hasMatchingNamespaceLabels(be) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.HTTPRouteFilter{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, be *egv1a1.HTTPRouteFilter) []reconcile.Request { - return r.enqueueClass(ctx, be) + r.hrfCRDExists = r.crdExists(mgr, resource.KindHTTPRouteFilter, egv1a1.GroupVersion.String()) + if !r.hrfCRDExists { + r.log.Info("HTTPRouteFilter CRD not found, skipping HTTPRouteFilter watch") + } else { + // Watch HTTPRouteFilter CRUDs and process affected HTTPRoute objects. 
+ httpRouteFilter := []predicate.TypedPredicate[*egv1a1.HTTPRouteFilter]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.HTTPRouteFilter]{}, + predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { + return r.validateHTTPRouteFilterForReconcile(be) }), - httpRouteFilter...)); err != nil { - return err - } + } + if r.namespaceLabel != nil { + httpRouteFilter = append(httpRouteFilter, predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { + return r.hasMatchingNamespaceLabels(be) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.HTTPRouteFilter{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, be *egv1a1.HTTPRouteFilter) []reconcile.Request { + return r.enqueueClass(ctx, be) + }), + httpRouteFilter...)); err != nil { + return err + } - if err := addRouteFilterIndexers(ctx, mgr); err != nil { - return err + if err := addRouteFilterIndexers(ctx, mgr); err != nil { + return err + } } - return nil } @@ -1813,8 +1917,8 @@ func (r *gatewayAPIReconciler) processEnvoyProxy(ep *egv1a1.EnvoyProxy, resource return nil } -// serviceImportCRDExists checks for the existence of the ServiceImport CRD in k8s APIServer before watching it -func (r *gatewayAPIReconciler) serviceImportCRDExists(mgr manager.Manager) bool { +// crdExists checks for the existence of the CRD in k8s APIServer before watching it +func (r *gatewayAPIReconciler) crdExists(mgr manager.Manager, kind string, groupVersion string) bool { discoveryClient, err := discovery.NewDiscoveryClientForConfig(mgr.GetConfig()) if err != nil { r.log.Error(err, "failed to create discovery client") 
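Review bot: crdExists reports a discovery failure the same way as a missing CRD: the error from `discovery.NewDiscoveryClientForConfig` is only logged here, and in the next hunk the error from fetching the resource list is only logged too, so both paths fall through to `return found` with `found` still false. The two lines between the hunks are not shown, so a nil `discoveryClient` may also be used after the first error. Every caller in watchResources then logs "CRD not found, skipping … watch", which means a transient API-server error at startup silently turns off the SecurityPolicy, ClientTrafficPolicy and BackendTLSPolicy watches for the life of the process. Changing the signature to `crdExists(mgr manager.Manager, kind string, groupVersion string) (bool, error)` and having callers `return err` would keep the two cases apart. The function also creates a new discovery client and lists all resources once per kind, and the `break` in the next hunk leaves only the inner loop; running discovery once and looking each kind up in the result would address both.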
@@ -1823,17 +1927,17 @@ func (r *gatewayAPIReconciler) serviceImportCRDExists(mgr manager.Manager) bool if err != nil { r.log.Error(err, "failed to get API resource list") } - serviceImportFound := false + found := false for _, list := range apiResourceList { for _, res := range list.APIResources { - if list.GroupVersion == mcsapiv1a1.GroupVersion.String() && res.Kind == resource.KindServiceImport { - serviceImportFound = true + if list.GroupVersion == groupVersion && res.Kind == kind { + found = true break } } } - return serviceImportFound + return found } func (r *gatewayAPIReconciler) processBackendTLSPolicyRefs( diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index ab3c098961e..031a2657a9c 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go @@ -40,6 +40,7 @@ const ( backendSecurityPolicyIndex = "backendSecurityPolicyIndex" configMapCtpIndex = "configMapCtpIndex" secretCtpIndex = "secretCtpIndex" + secretBtlsIndex = "secretBtlsIndex" configMapBtlsIndex = "configMapBtlsIndex" backendEnvoyExtensionPolicyIndex = "backendEnvoyExtensionPolicyIndex" backendEnvoyProxyTelemetryIndex = "backendEnvoyProxyTelemetryIndex" @@ -702,7 +703,7 @@ func configMapRouteFilterIndexFunc(rawObj client.Object) []string { return configMapReferences } -// addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap objects that are +// addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap and Secret objects that are // referenced in BackendTLSPolicy objects. This helps in querying for BackendTLSPolicies that are // affected by a particular ConfigMap CRUD. func addBtlsIndexers(ctx context.Context, mgr manager.Manager) error { 
@@ -710,6 +711,9 @@ func addBtlsIndexers(ctx context.Context, mgr manager.Manager) error { return err } + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a3.BackendTLSPolicy{}, secretBtlsIndex, secretBtlsIndexFunc); err != nil { + return err + } return nil } @@ -731,6 +735,24 @@ func configMapBtlsIndexFunc(rawObj client.Object) []string { return configMapReferences } +func secretBtlsIndexFunc(rawObj client.Object) []string { + btls := rawObj.(*gwapiv1a3.BackendTLSPolicy) + var secretReferences []string + if btls.Spec.Validation.CACertificateRefs != nil { + for _, caCertRef := range btls.Spec.Validation.CACertificateRefs { + if string(caCertRef.Kind) == resource.KindSecret { + secretReferences = append(secretReferences, + types.NamespacedName{ + Namespace: btls.Namespace, + Name: string(caCertRef.Name), + }.String(), + ) + } + } + } + return secretReferences +} + // addEnvoyExtensionPolicyIndexers adds indexing on EnvoyExtensionPolicy. // - For Service objects that are referenced in EnvoyExtensionPolicy objects via // `.spec.extProc.[*].service.backendObjectReference`. This helps in querying for diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index ae4f63ef3e9..d25ec2fb7d4 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go 
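Review bot: secretBtlsIndexFunc matches CA certificate references on `Kind` alone, so a `caCertRef` whose kind is "Secret" but whose group is not the core group would still be indexed as a core Secret in the policy's namespace. Checking the group as well, e.g. `if string(caCertRef.Kind) == resource.KindSecret && (caCertRef.Group == "" || caCertRef.Group == "core") {`, keeps the index limited to references that can resolve to a Secret; whether configMapBtlsIndexFunc applies such a check is not visible in this hunk. The `!= nil` test before the `range` is redundant, since ranging over a nil slice does nothing. The new function would also benefit from a doc comment such as `// secretBtlsIndexFunc returns the namespaced names of the Secrets referenced by a BackendTLSPolicy's caCertificateRefs.`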
@@ -144,23 +144,53 @@ func (r *gatewayAPIReconciler) validateSecretForReconcile(obj client.Object) boo return true } - if r.isSecurityPolicyReferencingSecret(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingSecret(&nsName) { + return true + } } - if r.isCtpReferencingSecret(&nsName) { - return true + if r.ctpCRDExists { + if r.isCtpReferencingSecret(&nsName) { + return true + } } if r.isOIDCHMACSecret(&nsName) { return true } - if r.isEnvoyProxyReferencingSecret(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingSecret(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isExtensionPolicyReferencingSecret(&nsName) { + return true + } + } + + if r.bTLSPolicyCRDExists { + if r.isBackendTLSPolicyReferencingSecret(&nsName) { + return true + } } - if r.isExtensionPolicyReferencingSecret(&nsName) { + return false +} + +func (r *gatewayAPIReconciler) isBackendTLSPolicyReferencingSecret(nsName *types.NamespacedName) bool { + btlsList := &gwapiv1a3.BackendTLSPolicyList{} + if err := r.client.List(context.Background(), btlsList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(secretBtlsIndex, nsName.String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTLSPolicy") + return false + } + + if len(btlsList.Items) > 0 { return true } 
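Review bot: Each new guard in validateSecretForReconcile nests one `if` inside another where a single condition would read more directly, for example `if r.spCRDExists && r.isSecurityPolicyReferencingSecret(&nsName) { return true }`; the hunks for validateServiceForReconcile and validateBackendForReconcile below repeat the same nesting. The new isBackendTLSPolicyReferencingSecret has no doc comment. One stating that it looks policies up through `secretBtlsIndex` and returns false when the List call fails would help, because on that error path a changed CA Secret is filtered out rather than reconciled. It also passes `context.Background()` to `r.client.List`, so the lookup has no deadline of its own. The end of the function lies outside the hunk.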
@@ -283,15 +313,25 @@ func (r *gatewayAPIReconciler) validateServiceForReconcile(obj client.Object) bo return true } - if r.isSecurityPolicyReferencingBackend(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingBackend(&nsName) { + return true + } } - if r.isEnvoyProxyReferencingBackend(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingBackend(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isEnvoyExtensionPolicyReferencingBackend(&nsName) { + return true + } } - return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) + return false } // validateBackendForReconcile tries finding the owning Gateway of the Backend @@ -309,15 +349,25 @@ func (r *gatewayAPIReconciler) validateBackendForReconcile(obj client.Object) bo return true } - if r.isSecurityPolicyReferencingBackend(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingBackend(&nsName) { + return true + } } - if r.isEnvoyProxyReferencingBackend(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingBackend(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isEnvoyExtensionPolicyReferencingBackend(&nsName) { + return true + } } - return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) + return false } func (r *gatewayAPIReconciler) isSecurityPolicyReferencingBackend(nsName *types.NamespacedName) bool { 
@@ -357,47 +407,63 @@ func (r *gatewayAPIReconciler) isRouteReferencingBackend(nsName *types.Namespace r.log.Error(err, "failed to find associated HTTPRoutes") return false } - - grpcRouteList := &gwapiv1.GRPCRouteList{} - if err := r.client.List(ctx, grpcRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendGRPCRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated GRPCRoutes") - return false + if len(httpRouteList.Items) > 0 { + return true } - tlsRouteList := &gwapiv1a2.TLSRouteList{} - if err := r.client.List(ctx, tlsRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendTLSRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated TLSRoutes") - return false + if r.grpcRouteCRDExists { + grpcRouteList := &gwapiv1.GRPCRouteList{} + if err := r.client.List(ctx, grpcRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendGRPCRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated GRPCRoutes") + return false + } + if len(grpcRouteList.Items) > 0 { + return true + } } - tcpRouteList := &gwapiv1a2.TCPRouteList{} - if err := r.client.List(ctx, tcpRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendTCPRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated TCPRoutes") - return false + if r.tlsRouteCRDExists { + tlsRouteList := &gwapiv1a2.TLSRouteList{} + if err := r.client.List(ctx, tlsRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendTLSRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated TLSRoutes") + return false + } + if len(tlsRouteList.Items) > 0 { + return true + } } - udpRouteList 
:= &gwapiv1a2.UDPRouteList{} - if err := r.client.List(ctx, udpRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendUDPRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated UDPRoutes") - return false + if r.tcpRouteCRDExists { + tcpRouteList := &gwapiv1a2.TCPRouteList{} + if err := r.client.List(ctx, tcpRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendTCPRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated TCPRoutes") + return false + } + if len(tcpRouteList.Items) > 0 { + return true + } } - // Check how many Route objects refer this Backend - allAssociatedRoutes := len(httpRouteList.Items) + - len(grpcRouteList.Items) + - len(tlsRouteList.Items) + - len(tcpRouteList.Items) + - len(udpRouteList.Items) + if r.udpRouteCRDExists { + udpRouteList := &gwapiv1a2.UDPRouteList{} + if err := r.client.List(ctx, udpRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendUDPRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated UDPRoutes") + return false + } + if len(udpRouteList.Items) > 0 { + return true + } + } - return allAssociatedRoutes != 0 + return false } // validateEndpointSliceForReconcile returns true if the endpointSlice references 
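Review bot: In isRouteReferencingBackend each gated block still does `return false` right after `r.log.Error(err, "failed to find associated ...Routes")`, so a failed List for one route kind ends the predicate before the later kinds are consulted. With the new early returns, a backend referenced only by a TCPRoute or UDPRoute would be dropped whenever the GRPCRoute or TLSRoute list errors. Removing the `return false` in those four error branches lets the check fall through to the next kind and still end at the final `return false`. The validateConfigMapForReconcile hunk has the same shape for its four policy lists. The function starts above this hunk, so the HTTPRoute list call itself is not shown.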
@@ -429,15 +495,25 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje return true } - if r.isSecurityPolicyReferencingBackend(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingBackend(&nsName) { + return true + } } - if r.isEnvoyProxyReferencingBackend(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingBackend(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isEnvoyExtensionPolicyReferencingBackend(&nsName) { + return true + } } - return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) + return false } // validateObjectForReconcile tries finding the owning Gateway of the Deployment or DaemonSet 
@@ -596,52 +672,60 @@ func (r *gatewayAPIReconciler) validateConfigMapForReconcile(obj client.Object) return false } - ctpList := &egv1a1.ClientTrafficPolicyList{} - if err := r.client.List(context.Background(), ctpList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapCtpIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find associated ClientTrafficPolicy") - return false - } + if r.ctpCRDExists { + ctpList := &egv1a1.ClientTrafficPolicyList{} + if err := r.client.List(context.Background(), ctpList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapCtpIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated ClientTrafficPolicy") + return false + } - if len(ctpList.Items) > 0 { - return true + if len(ctpList.Items) > 0 { + return true + } } - btlsList := &gwapiv1a3.BackendTLSPolicyList{} - if err := r.client.List(context.Background(), btlsList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapBtlsIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find associated BackendTLSPolicy") - return false - } + if r.bTLSPolicyCRDExists { + btlsList := &gwapiv1a3.BackendTLSPolicyList{} + if err := r.client.List(context.Background(), btlsList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapBtlsIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTLSPolicy") + return false + } - if len(btlsList.Items) > 0 { - return true + if len(btlsList.Items) > 0 { + return true + } } - btpList := &egv1a1.BackendTrafficPolicyList{} - if err := r.client.List(context.Background(), btpList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapBtpIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find 
associated BackendTrafficPolicy") - return false - } + if r.btpCRDExists { + btpList := &egv1a1.BackendTrafficPolicyList{} + if err := r.client.List(context.Background(), btpList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapBtpIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTrafficPolicy") + return false + } - if len(btpList.Items) > 0 { - return true + if len(btpList.Items) > 0 { + return true + } } - routeFilterList := &egv1a1.HTTPRouteFilterList{} - if err := r.client.List(context.Background(), routeFilterList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapHTTPRouteFilterIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find associated HTTPRouteFilter") - return false - } + if r.hrfCRDExists { + routeFilterList := &egv1a1.HTTPRouteFilterList{} + if err := r.client.List(context.Background(), routeFilterList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapHTTPRouteFilterIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated HTTPRouteFilter") + return false + } - if len(routeFilterList.Items) > 0 { - return true + if len(routeFilterList.Items) > 0 { + return true + } } return false diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 5954e94675e..d8abf845f4d 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -356,6 +356,9 @@ func TestValidateSecretForReconcile(t *testing.T) { r := gatewayAPIReconciler{ classController: egv1a1.GatewayControllerName, log: logger, + spCRDExists: true, + epCRDExists: true, + eepCRDExists: true, } for _, tc := range testCases { 
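Review bot: The reconciler literal in TestValidateSecretForReconcile enables only `spCRDExists`, `epCRDExists` and `eepCRDExists`, so the ClientTrafficPolicy guard and the new BackendTLSPolicy guard in validateSecretForReconcile stay false for every case in this test. As far as this hunk shows, the added isBackendTLSPolicyReferencingSecret path is therefore never executed by it. I would add `ctpCRDExists: true,` and `bTLSPolicyCRDExists: true,` to the literal, plus one case where a Secret is referenced only by a BackendTLSPolicy; the fake client may need the matching field index registered, which is outside this hunk.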
@@ -848,9 +851,16 @@ func TestValidateServiceForReconcile(t *testing.T) { logger := logging.DefaultLogger(egv1a1.LogLevelInfo) r := gatewayAPIReconciler{ - classController: egv1a1.GatewayControllerName, - log: logger, - mergeGateways: sets.New[string]("test-mg"), + classController: egv1a1.GatewayControllerName, + log: logger, + mergeGateways: sets.New[string]("test-mg"), + grpcRouteCRDExists: true, + tcpRouteCRDExists: true, + udpRouteCRDExists: true, + tlsRouteCRDExists: true, + spCRDExists: true, + eepCRDExists: true, + epCRDExists: true, } for _, tc := range testCases { diff --git a/internal/provider/kubernetes/resource.go b/internal/provider/kubernetes/resource.go index 4d3aafb6fa2..b867d6319d3 100644 --- a/internal/provider/kubernetes/resource.go +++ b/internal/provider/kubernetes/resource.go 
@@ -15,45 +15,47 @@ import ( ) type resourceMappings struct { - // Map for storing Gateways' NamespacedNames. + // Set for storing Gateways' NamespacedNames. allAssociatedGateways sets.Set[string] - // Map for storing ReferenceGrants' NamespacedNames. + // Set for storing ReferenceGrants' NamespacedNames. allAssociatedReferenceGrants sets.Set[string] - // Map for storing ServiceImports' NamespacedNames. + // Set for storing ServiceImports' NamespacedNames. allAssociatedServiceImports sets.Set[string] - // Map for storing EndpointSlices' NamespacedNames. + // Set for storing EndpointSlices' NamespacedNames. allAssociatedEndpointSlices sets.Set[string] - // Map for storing Secrets' NamespacedNames. + // Set for storing Backends' NamespacedNames. + allAssociatedBackends sets.Set[string] + // Set for storing Secrets' NamespacedNames. allAssociatedSecrets sets.Set[string] - // Map for storing ConfigMaps' NamespacedNames. + // Set for storing ConfigMaps' NamespacedNames. allAssociatedConfigMaps sets.Set[string] - // Map for storing namespaces for Route, Service and Gateway objects. + // Set for storing namespaces for Route, Service and Gateway objects. allAssociatedNamespaces sets.Set[string] - // Map for storing EnvoyProxies' NamespacedNames attaching to Gateway or GatewayClass. + // Set for storing EnvoyProxies' NamespacedNames attaching to Gateway or GatewayClass. allAssociatedEnvoyProxies sets.Set[string] - // Map for storing EnvoyPatchPolicies' NamespacedNames attaching to Gateway. + // Set for storing EnvoyPatchPolicies' NamespacedNames attaching to Gateway. allAssociatedEnvoyPatchPolicies sets.Set[string] - // Map for storing TLSRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing TLSRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedTLSRoutes sets.Set[string] - // Map for storing HTTPRoutes' NamespacedNames attaching to various Gateway objects. 
+ // Set for storing HTTPRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedHTTPRoutes sets.Set[string] - // Map for storing GRPCRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing GRPCRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedGRPCRoutes sets.Set[string] - // Map for storing TCPRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing TCPRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedTCPRoutes sets.Set[string] - // Map for storing UDPRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing UDPRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedUDPRoutes sets.Set[string] - // Map for storing backendRefs' BackendObjectReference referred by various Route objects. + // Set for storing backendRefs' BackendObjectReference referred by various Route objects. allAssociatedBackendRefs sets.Set[gwapiv1.BackendObjectReference] - // Map for storing ClientTrafficPolicies' NamespacedNames referred by various Route objects. + // Set for storing ClientTrafficPolicies' NamespacedNames referred by various Route objects. allAssociatedClientTrafficPolicies sets.Set[string] - // Map for storing BackendTrafficPolicies' NamespacedNames referred by various Route objects. + // Set for storing BackendTrafficPolicies' NamespacedNames referred by various Route objects. allAssociatedBackendTrafficPolicies sets.Set[string] - // Map for storing SecurityPolicies' NamespacedNames referred by various Route objects. + // Set for storing SecurityPolicies' NamespacedNames referred by various Route objects. allAssociatedSecurityPolicies sets.Set[string] - // Map for storing BackendTLSPolicies' NamespacedNames referred by various Backend objects. + // Set for storing BackendTLSPolicies' NamespacedNames referred by various Backend objects. 
allAssociatedBackendTLSPolicies sets.Set[string] - // Map for storing EnvoyExtensionPolicies' NamespacedNames attaching to various Gateway objects. + // Set for storing EnvoyExtensionPolicies' NamespacedNames attaching to various Gateway objects. allAssociatedEnvoyExtensionPolicies sets.Set[string] // extensionRefFilters is a map of filters managed by an extension. // The key is the namespaced name, group and kind of the filter and the value is the @@ -70,6 +72,7 @@ func newResourceMapping() *resourceMappings { allAssociatedReferenceGrants: sets.New[string](), allAssociatedServiceImports: sets.New[string](), allAssociatedEndpointSlices: sets.New[string](), + allAssociatedBackends: sets.New[string](), allAssociatedSecrets: sets.New[string](), allAssociatedConfigMaps: sets.New[string](), allAssociatedNamespaces: sets.New[string](), diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index dcc01631f3b..fa148ffd441 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go @@ -238,16 +238,17 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam resourceMap *resourceMappings, resourceTree *resource.Resources, ) error { httpRouteList := &gwapiv1.HTTPRouteList{} + if r.hrfCRDExists { + httpFilters, err := r.getHTTPRouteFilters(ctx) + if err != nil { + return err + } - httpFilters, err := r.getHTTPRouteFilters(ctx) - if err != nil { - return err - } - - for i := range httpFilters { - filter := httpFilters[i] - resourceMap.httpRouteFilters[utils.GetNamespacedNameWithGroupKind(&filter)] = &filter - r.processRouteFilterConfigMapRef(ctx, &filter, resourceMap, resourceTree) + for i := range httpFilters { + filter := httpFilters[i] + resourceMap.httpRouteFilters[utils.GetNamespacedNameWithGroupKind(&filter)] = &filter + r.processRouteFilterConfigMapRef(ctx, &filter, resourceMap, resourceTree) + } } extensionRefFilters, err := r.getExtensionRefFilters(ctx) 
diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go index c3d5553b0bf..a59eb82f75a 100644 --- a/internal/provider/kubernetes/status.go +++ b/internal/provider/kubernetes/status.go @@ -8,6 +8,7 @@ package kubernetes import ( "context" "fmt" + "reflect" kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -18,6 +19,7 @@ import ( gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/utils" @@ -74,7 +76,7 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext panic(err) } hCopy := h.DeepCopy() - hCopy.Status.Parents = val.Parents + hCopy.Status.Parents = mergeRouteParentStatus(h.Namespace, h.Status.Parents, val.Parents) return hCopy }), }) @@ -97,15 +99,15 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext NamespacedName: key, Resource: new(gwapiv1.GRPCRoute), Mutator: MutatorFunc(func(obj client.Object) client.Object { - h, ok := obj.(*gwapiv1.GRPCRoute) + g, ok := obj.(*gwapiv1.GRPCRoute) if !ok { err := fmt.Errorf("unsupported object type %T", obj) errChan <- err panic(err) } - hCopy := h.DeepCopy() - hCopy.Status.Parents = val.Parents - return hCopy + gCopy := g.DeepCopy() + gCopy.Status.Parents = mergeRouteParentStatus(g.Namespace, g.Status.Parents, val.Parents) + return gCopy }), }) }, @@ -136,7 +138,7 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext panic(err) } tCopy := t.DeepCopy() - tCopy.Status.Parents = val.Parents + tCopy.Status.Parents = mergeRouteParentStatus(t.Namespace, t.Status.Parents, val.Parents) return tCopy }), }) 
@@ -168,7 +170,7 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext panic(err) } tCopy := t.DeepCopy() - tCopy.Status.Parents = val.Parents + tCopy.Status.Parents = mergeRouteParentStatus(t.Namespace, t.Status.Parents, val.Parents) return tCopy }), }) @@ -193,15 +195,15 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext NamespacedName: key, Resource: new(gwapiv1a2.UDPRoute), Mutator: MutatorFunc(func(obj client.Object) client.Object { - t, ok := obj.(*gwapiv1a2.UDPRoute) + u, ok := obj.(*gwapiv1a2.UDPRoute) if !ok { err := fmt.Errorf("unsupported object type %T", obj) errChan <- err panic(err) } - tCopy := t.DeepCopy() - tCopy.Status.Parents = val.Parents - return tCopy + uCopy := u.DeepCopy() + uCopy.Status.Parents = mergeRouteParentStatus(u.Namespace, u.Status.Parents, val.Parents) + return uCopy }), }) }, 
@@ -469,6 +471,56 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext } } +// mergeRouteParentStatus merges the old and new RouteParentStatus. +// This is needed because the RouteParentStatus doesn't support strategic merge patch yet. +func mergeRouteParentStatus(ns string, old, new []gwapiv1.RouteParentStatus) []gwapiv1.RouteParentStatus { + merged := make([]gwapiv1.RouteParentStatus, len(old)) + _ = copy(merged, old) + for _, parent := range new { + found := -1 + for i, existing := range old { + if isParentRefEqual(parent.ParentRef, existing.ParentRef, ns) { + found = i + break + } + } + if found >= 0 { + merged[found] = parent + } else { + merged = append(merged, parent) + } + } + return merged +} + +func isParentRefEqual(ref1, ref2 gwapiv1.ParentReference, routeNS string) bool { + defaultGroup := (*gwapiv1.Group)(&gwapiv1.GroupVersion.Group) + if ref1.Group == nil { + ref1.Group = defaultGroup + } + if ref2.Group == nil { + ref2.Group = defaultGroup + } + + defaultKind := gwapiv1.Kind(resource.KindGateway) + if ref1.Kind == nil { + ref1.Kind = &defaultKind + } + if ref2.Kind == nil { + ref2.Kind = &defaultKind + } + + // If the parent's namespace is not set, default to the namespace of the Route. + defaultNS := gwapiv1.Namespace(routeNS) + if ref1.Namespace == nil { + ref1.Namespace = &defaultNS + } + if ref2.Namespace == nil { + ref2.Namespace = &defaultNS + } + return reflect.DeepEqual(ref1, ref2) +} + func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw *gwapiv1.Gateway) { // nil check for unit tests. if r.statusUpdater == nil { diff --git a/internal/provider/kubernetes/status_test.go b/internal/provider/kubernetes/status_test.go new file mode 100644 index 00000000000..5e81c46135e --- /dev/null +++ b/internal/provider/kubernetes/status_test.go 
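Review bot: The inner match in mergeRouteParentStatus compares only ParentRef, so an entry in `old` written by a different controller for the same parent is overwritten by this controller's status. Route parent status is a list shared between controllers, so the match should include the controller name: `if parent.ControllerName == existing.ControllerName && isParentRefEqual(parent.ParentRef, existing.ParentRef, ns) {`. Entries in `old` that belong to this controller but are absent from `new` are also kept, which looks like it leaves a stale Accepted condition after a parent is detached; that may be intended, but a comment should say so. Every case in the new status_test.go uses a single ControllerName, so neither behaviour is pinned by a test.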
@@ -0,0 +1,294 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package kubernetes + +import ( + "reflect" + "testing" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" +) + +func Test_mergeRouteParentStatus(t *testing.T) { + type args struct { + old []gwapiv1.RouteParentStatus + new []gwapiv1.RouteParentStatus + } + tests := []struct { + name string + args args + want []gwapiv1.RouteParentStatus + }{ + { + name: "merge old and new", + args: args{ + old: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + Namespace: ptr.To[gwapiv1.Namespace]("default"), + SectionName: ptr.To[gwapiv1.SectionName]("listener1"), + Port: ptr.To[gwapiv1.PortNumber](80), + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + }, + new: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + want: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + Namespace: ptr.To[gwapiv1.Namespace]("default"), + SectionName: ptr.To[gwapiv1.SectionName]("listener1"), + Port: ptr.To[gwapiv1.PortNumber](80), + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + 
Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + + { + name: "override an existing parent", + args: args{ + old: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + Namespace: ptr.To[gwapiv1.Namespace]("default"), + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + }, + new: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + want: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + 
{ + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + + { + name: "nothing changed", + args: args{ + old: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + new: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + want: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: 
string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := mergeRouteParentStatus("default", tt.args.old, tt.args.new); !reflect.DeepEqual(got, tt.want) { + t.Errorf("mergeRouteParentStatus() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/internal/utils/protocov/protocov.go b/internal/utils/protocov/protocov.go index 6533f84c543..2c5693ee9a3 100644 --- a/internal/utils/protocov/protocov.go +++ b/internal/utils/protocov/protocov.go 
@@ -12,30 +12,30 @@ import ( "google.golang.org/protobuf/types/known/anypb" ) -const ( - APIPrefix = "type.googleapis.com/" -) - -var marshalOpts = proto.MarshalOptions{} +// Deprecated: error should not be ignored, use ToAnyWithValidation instead. +func ToAny(msg proto.Message) *anypb.Any { + res, err := ToAnyWithValidation(msg) + if err != nil { + return nil + } + return res +} -func ToAnyWithError(msg proto.Message) (*anypb.Any, error) { +func ToAnyWithValidation(msg proto.Message) (*anypb.Any, error) { if msg == nil { return nil, errors.New("empty message received") } - b, err := marshalOpts.Marshal(msg) - if err != nil { - return nil, err + + // If the message has a ValidateAll method, call it before marshaling. + if validator, ok := msg.(interface{ ValidateAll() error }); ok { + if err := validator.ValidateAll(); err != nil { + return nil, err + } } - return &anypb.Any{ - TypeUrl: APIPrefix + string(msg.ProtoReflect().Descriptor().FullName()), - Value: b, - }, nil -} -func ToAny(msg proto.Message) *anypb.Any { - res, err := ToAnyWithError(msg) + any, err := anypb.New(msg) if err != nil { - return nil + return nil, err } - return res + return any, nil } diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go index 0efad8c314f..e8aab4d836a 100644 --- a/internal/xds/bootstrap/bootstrap.go +++ b/internal/xds/bootstrap/bootstrap.go @@ -9,13 +9,15 @@ import ( // Register embed _ "embed" "fmt" + "net" + "strconv" "strings" "text/template" "k8s.io/apimachinery/pkg/util/sets" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/utils/net" + netutils "github.com/envoyproxy/gateway/internal/utils/net" "github.com/envoyproxy/gateway/internal/utils/regex" ) 
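Review bot: `ToAny` now returns nil when ValidateAll fails as well as when packing fails, and the error is discarded, so any remaining caller can place a nil Any into generated config with nothing recorded. The deprecation comment should state that, e.g. `// Deprecated: use ToAnyWithValidation; ToAny returns nil when validation or packing fails and drops the error.` The exported `ToAnyWithValidation` has no doc comment; it should say that messages which do not implement `ValidateAll() error` are packed without validation. The local `any, err := anypb.New(msg)` shadows the predeclared identifier `any`; `packed, err := anypb.New(msg)` reads more clearly.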
@@ -199,9 +201,9 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err host, port = *sink.OpenTelemetry.Host, uint32(sink.OpenTelemetry.Port) } if len(sink.OpenTelemetry.BackendRefs) > 0 { - host, port = net.BackendHostAndPort(sink.OpenTelemetry.BackendRefs[0].BackendObjectReference, "") + host, port = netutils.BackendHostAndPort(sink.OpenTelemetry.BackendRefs[0].BackendObjectReference, "") } - addr := fmt.Sprintf("%s:%d", host, port) + addr := net.JoinHostPort(host, strconv.Itoa(int(port))) if addresses.Has(addr) { continue } diff --git a/internal/xds/translator/accesslog.go b/internal/xds/translator/accesslog.go index 6660ba8fab6..076eb659d83 100644 --- a/internal/xds/translator/accesslog.go +++ b/internal/xds/translator/accesslog.go @@ -22,7 +22,6 @@ import ( "github.com/envoyproxy/go-control-plane/pkg/wellknown" otlpcommonv1 "go.opentelemetry.io/proto/otlp/common/v1" "golang.org/x/exp/maps" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/structpb" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -90,9 +89,9 @@ var ( } ) -func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) []*accesslog.AccessLog { +func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([]*accesslog.AccessLog, error) { if al == nil { - return nil + return nil, nil } totalLen := len(al.Text) + len(al.JSON) + len(al.OpenTelemetry) @@ -133,8 +132,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] filelog.GetLogFormat().Formatters = formatters } - // TODO: find a better way to handle this - accesslogAny, _ := anypb.New(filelog) + accesslogAny, err := protocov.ToAnyWithValidation(filelog) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: wellknown.FileAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ 
@@ -185,7 +186,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] filelog.GetLogFormat().Formatters = formatters } - accesslogAny, _ := anypb.New(filelog) + accesslogAny, err := protocov.ToAnyWithValidation(filelog) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: wellknown.FileAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -228,7 +232,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] alCfg.AdditionalResponseTrailersToLog = als.HTTP.ResponseTrailers } - accesslogAny, _ := anypb.New(alCfg) + accesslogAny, err := protocov.ToAnyWithValidation(alCfg) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: wellknown.HTTPGRPCAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -241,7 +248,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] CommonConfig: cc, } - accesslogAny, _ := anypb.New(alCfg) + accesslogAny, err := protocov.ToAnyWithValidation(alCfg) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: tcpGRPCAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -297,7 +307,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] al.Formatters = formatters } - accesslogAny, _ := anypb.New(al) + accesslogAny, err := protocov.ToAnyWithValidation(al) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: otelAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -307,7 +320,7 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] }) } - return accessLogs + return accessLogs, nil } func celAccessLogFilter(expr string) *accesslog.AccessLogFilter { diff --git a/internal/xds/translator/authorization.go b/internal/xds/translator/authorization.go index 0d2d19dc571..e19d1dbaf53 100644 
--- a/internal/xds/translator/authorization.go +++ b/internal/xds/translator/authorization.go @@ -26,6 +26,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -75,7 +76,7 @@ func (*rbac) patchHCM( // buildHCMRBACFilter returns a RBAC filter from the provided IR listener. func buildHCMRBACFilter() (*hcmv3.HttpFilter, error) { rbacProto := &rbacv3.RBAC{} - rbacAny, err := anypb.New(rbacProto) + rbacAny, err := protocov.ToAnyWithValidation(rbacProto) if err != nil { return nil, err } @@ -133,7 +134,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { return err } - if cfgAny, err = anypb.New(rbacPerRoute); err != nil { + if cfgAny, err = protocov.ToAnyWithValidation(rbacPerRoute); err != nil { return err } @@ -159,7 +160,7 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e Name: "ALLOW", Action: rbacconfigv3.RBAC_ALLOW, } - if allowAction, err = anypb.New(allow); err != nil { + if allowAction, err = protocov.ToAnyWithValidation(allow); err != nil { return nil, err } @@ -167,7 +168,7 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e Name: "DENY", Action: rbacconfigv3.RBAC_DENY, } - if denyAction, err = anypb.New(deny); err != nil { + if denyAction, err = protocov.ToAnyWithValidation(deny); err != nil { return nil, err } @@ -287,11 +288,6 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e rbac.Rbac.Matcher.MatcherType = nil } - // We need to validate the RBACPerRoute message before converting it to an Any. - if err = rbac.ValidateAll(); err != nil { - return nil, err - } - return rbac, nil } 
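Review bot: buildRBACPerRoute no longer validates the message it returns, because the `rbac.ValidateAll()` block is removed in the `@@ -287,11 +288,6 @@` hunk, so validation of the RBAC matcher now depends on each caller packing the result through `protocov.ToAnyWithValidation`. patchRoute does that in this diff; other callers, if any, are not visible here. Since this is the authorization config, I would record the contract on the function, e.g. `// buildRBACPerRoute does not validate the result; callers must pack it with protocov.ToAnyWithValidation.` Both function bodies extend beyond the hunks shown.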
@@ -316,11 +312,11 @@ func buildIPPredicate(clientCIDRs []*ir.CIDRMatch) (*matcherv3.Matcher_MatcherLi }) } - if ipMatcher, err = anypb.New(ipRangeMatcher); err != nil { + if ipMatcher, err = protocov.ToAnyWithValidation(ipRangeMatcher); err != nil { return nil, err } - if sourceIPInput, err = anypb.New(&networkinput.SourceIPInput{}); err != nil { + if sourceIPInput, err = protocov.ToAnyWithValidation(&networkinput.SourceIPInput{}); err != nil { return nil, err } @@ -389,11 +385,11 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis }, } - if inputPb, err = anypb.New(input); err != nil { + if inputPb, err = protocov.ToAnyWithValidation(input); err != nil { return nil, err } - if matcherPb, err = anypb.New(scopeMatcher); err != nil { + if matcherPb, err = protocov.ToAnyWithValidation(scopeMatcher); err != nil { return nil, err } @@ -454,7 +450,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis Path: path, } - if inputPb, err = anypb.New(input); err != nil { + if inputPb, err = protocov.ToAnyWithValidation(input); err != nil { return nil, err } @@ -492,7 +488,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis } } - if matcherPb, err = anypb.New(&metadatav3.Metadata{ + if matcherPb, err = protocov.ToAnyWithValidation(&metadatav3.Metadata{ Value: valueMatcher, }); err != nil { return nil, err diff --git a/internal/xds/translator/basicauth.go b/internal/xds/translator/basicauth.go index 50c4935140b..31a421ae8a9 100644 --- a/internal/xds/translator/basicauth.go +++ b/internal/xds/translator/basicauth.go @@ -17,6 +17,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) 
@@ -84,7 +85,7 @@ func buildHCMBasicAuthFilter(basicAuth *ir.BasicAuth) (*hcmv3.HttpFilter, error) if err = basicAuthProto.ValidateAll(); err != nil { return nil, err } - if basicAuthAny, err = anypb.New(basicAuthProto); err != nil { + if basicAuthAny, err = protocov.ToAnyWithValidation(basicAuthProto); err != nil { return nil, err } @@ -134,7 +135,7 @@ func (*basicAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error return err } - if basicAuthAny, err = anypb.New(basicAuthProto); err != nil { + if basicAuthAny, err = protocov.ToAnyWithValidation(basicAuthProto); err != nil { return err } diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 145d616bde7..5a13076e456 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -30,6 +30,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" ) const ( @@ -157,6 +158,9 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster { }, }, } + // Dont wait for a health check to determine health and remove these endpoints + // if the endpoint has been removed via EDS by the control plane + cluster.IgnoreHealthOnHostRemoval = true } else { cluster.ClusterDiscoveryType = &clusterv3.Cluster_Type{Type: clusterv3.Cluster_STRICT_DNS} cluster.DnsRefreshRate = durationpb.New(30 * time.Second) 
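Review bot: In buildHCMBasicAuthFilter the explicit `basicAuthProto.ValidateAll()` check is kept directly above the new `protocov.ToAnyWithValidation(basicAuthProto)` call, so the message appears to be validated twice. The same commit removes the equivalent `ValidateAll()` block in buildHCMJWTFilter (jwt.go), so the two filters now differ for no visible reason. Assuming the helper validates before packing, as its name and the jwt.go change suggest, drop the three-line `if err = basicAuthProto.ValidateAll(); err != nil { return nil, err }` block here. The function body starts outside the hunk.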
@@ -509,7 +513,7 @@ func buildTypedExtensionProtocolOptions(args *xdsClusterArgs) map[string]*anypb. if args.http1Settings != nil { http1opts.EnableTrailers = args.http1Settings.EnableTrailers if args.http1Settings.PreserveHeaderCase { - preservecaseAny, _ := anypb.New(&preservecasev3.PreserveCaseFormatterConfig{}) + preservecaseAny, _ := protocov.ToAnyWithValidation(&preservecasev3.PreserveCaseFormatterConfig{}) http1opts.HeaderKeyFormat = &corev3.Http1ProtocolOptions_HeaderKeyFormat{ HeaderFormat: &corev3.Http1ProtocolOptions_HeaderKeyFormat_StatefulFormatter{ StatefulFormatter: &corev3.TypedExtensionConfig{ @@ -562,7 +566,7 @@ func buildTypedExtensionProtocolOptions(args *xdsClusterArgs) map[string]*anypb. } } - anyProtocolOptions, _ := anypb.New(&protocolOptions) + anyProtocolOptions, _ := protocov.ToAnyWithValidation(&protocolOptions) extensionOptions := map[string]*anypb.Any{ extensionOptionsKey: anyProtocolOptions, @@ -593,7 +597,7 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T // If existing transport socket does not exist wrap around raw buffer if tSocket == nil { rawCtx := &rawbufferv3.RawBuffer{} - rawCtxAny, err := anypb.New(rawCtx) + rawCtxAny, err := protocov.ToAnyWithValidation(rawCtx) if err != nil { return nil } @@ -608,7 +612,7 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T ppCtx.TransportSocket = tSocket } - ppCtxAny, err := anypb.New(ppCtx) + ppCtxAny, err := protocov.ToAnyWithValidation(ppCtx) if err != nil { return nil } diff --git a/internal/xds/translator/custom_response.go b/internal/xds/translator/custom_response.go index e5d48d21bfd..6cca67982e9 100644 --- a/internal/xds/translator/custom_response.go +++ b/internal/xds/translator/custom_response.go 
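Review bot: The error from `protocov.ToAnyWithValidation` is still assigned to `_` in buildTypedExtensionProtocolOptions (`preservecaseAny, _ :=` and `anyProtocolOptions, _ :=`), so a message that fails validation is dropped silently and a nil Any is presumably stored in the returned map. The same pattern remains in listener.go in http1ProtocolOptions, originalIPDetectionExtensions and buildEarlyHeaderMutation; the custom-header case packs a configured header name, so it is the one most likely to fail validation in practice. These functions should return the error the way buildXdsAccessLog now does, e.g. `anyProtocolOptions, err := protocov.ToAnyWithValidation(&protocolOptions)` followed by `if err != nil { return nil, err }`, with the signatures and callers updated to match. The function bodies extend beyond the hunks.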
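Review bot: Both error branches in buildProxyProtocolSocket (hunks `@@ -593,7 +597,7 @@` and `@@ -608,7 +612,7 @@`) answer a failed `protocov.ToAnyWithValidation` with a bare `return nil`, so the caller cannot tell a validation failure from "no socket". How the caller treats a nil transport socket is not visible here, but if it falls back to the unwrapped socket, the upstream connection would be made without the PROXY protocol wrapper and no error would be reported. Add an error to the function's return values and use `return nil, err` in both branches. The signature is truncated in the hunk header, so the exact return type needs to be confirmed against the file.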
@@ -24,6 +24,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -85,7 +86,7 @@ func (c *customResponse) buildHCMCustomResponseFilter(ro *ir.ResponseOverride) ( return nil, err } - any, err := anypb.New(proto) + any, err := protocov.ToAnyWithValidation(proto) if err != nil { return nil, err } @@ -237,7 +238,7 @@ func (c *customResponse) buildHTTPAttributeCELInput() (*cncfv3.TypedExtensionCon err error ) - if pb, err = anypb.New(&matcherv3.HttpAttributesCelMatchInput{}); err != nil { + if pb, err = protocov.ToAnyWithValidation(&matcherv3.HttpAttributesCelMatchInput{}); err != nil { return nil, err } @@ -253,7 +254,7 @@ func (c *customResponse) buildStatusCodeInput() (*cncfv3.TypedExtensionConfig, e err error ) - if pb, err = anypb.New(&envoymatcherv3.HttpResponseStatusCodeMatchInput{}); err != nil { + if pb, err = protocov.ToAnyWithValidation(&envoymatcherv3.HttpResponseStatusCodeMatchInput{}); err != nil { return nil, err } @@ -364,7 +365,7 @@ func (c *customResponse) buildStatusCodeCELMatcher(codeRange ir.StatusCodeRange) return nil, err } - if pb, err = anypb.New(matcher); err != nil { + if pb, err = protocov.ToAnyWithValidation(matcher); err != nil { return nil, err } @@ -403,7 +404,7 @@ func (c *customResponse) buildAction(r ir.ResponseOverrideRule) (*matcherv3.Matc return nil, err } - if pb, err = anypb.New(response); err != nil { + if pb, err = protocov.ToAnyWithValidation(response); err != nil { return nil, err } diff --git a/internal/xds/translator/fault.go b/internal/xds/translator/fault.go index e0acbd6c840..192ce5bf8e9 100644 --- a/internal/xds/translator/fault.go +++ b/internal/xds/translator/fault.go 
@@ -20,6 +20,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -71,7 +72,7 @@ func buildHCMFaultFilter() (*hcmv3.HttpFilter, error) { return nil, err } - faultAny, err := anypb.New(faultProto) + faultAny, err := protocov.ToAnyWithValidation(faultProto) if err != nil { return nil, err } @@ -165,7 +166,7 @@ func (*fault) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { return nil } - routeCfgAny, err := anypb.New(routeCfgProto) + routeCfgAny, err := protocov.ToAnyWithValidation(routeCfgProto) if err != nil { return err } diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go index 53a20808ff6..f3f16b20c6f 100644 --- a/internal/xds/translator/jwt.go +++ b/internal/xds/translator/jwt.go @@ -22,6 +22,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -76,11 +77,7 @@ func buildHCMJWTFilter(irListener *ir.HTTPListener) (*hcmv3.HttpFilter, error) { return nil, err } - if err := jwtAuthnProto.ValidateAll(); err != nil { - return nil, err - } - - jwtAuthnAny, err := anypb.New(jwtAuthnProto) + jwtAuthnAny, err := protocov.ToAnyWithValidation(jwtAuthnProto) if err != nil { return nil, err } @@ -214,7 +211,7 @@ func buildXdsUpstreamTLSSocket(sni string) (*corev3.TransportSocket, error) { }, } - tlsCtxAny, err := anypb.New(tlsCtxProto) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtxProto) if err != nil { return nil, err } 
@@ -247,7 +244,7 @@ func (*jwt) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { RequirementSpecifier: &jwtauthnv3.PerRouteConfig_RequirementName{RequirementName: irRoute.Name}, } - routeCfgAny, err := anypb.New(routeCfgProto) + routeCfgAny, err := protocov.ToAnyWithValidation(routeCfgProto) if err != nil { return err } diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index c855d3ddf92..9a68c5f3c1f 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -29,7 +29,6 @@ import ( "github.com/envoyproxy/go-control-plane/pkg/resource/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" "google.golang.org/protobuf/proto" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/wrapperspb" "k8s.io/utils/ptr" @@ -66,7 +65,7 @@ func http1ProtocolOptions(opts *ir.HTTP1Settings) *corev3.Http1ProtocolOptions { EnableTrailers: opts.EnableTrailers, } if opts.PreserveHeaderCase { - preservecaseAny, _ := anypb.New(&preservecasev3.PreserveCaseFormatterConfig{}) + preservecaseAny, _ := protocov.ToAnyWithValidation(&preservecasev3.PreserveCaseFormatterConfig{}) r.HeaderKeyFormat = &corev3.Http1ProtocolOptions_HeaderKeyFormat{ HeaderFormat: &corev3.Http1ProtocolOptions_HeaderKeyFormat_StatefulFormatter{ StatefulFormatter: &corev3.TypedExtensionConfig{ @@ -131,7 +130,7 @@ func originalIPDetectionExtensions(clientIPDetection *ir.ClientIPDetectionSettin rejectWithStatus = &typev3.HttpStatus{Code: typev3.StatusCode_Forbidden} } - customHeaderConfigAny, _ := anypb.New(&customheaderv3.CustomHeaderConfig{ + customHeaderConfigAny, _ := protocov.ToAnyWithValidation(&customheaderv3.CustomHeaderConfig{ HeaderName: clientIPDetection.CustomHeader.Name, RejectWithStatus: rejectWithStatus, 
@@ -179,9 +178,19 @@ func setAddressByIPFamily(socketAddress *corev3.SocketAddress, ipFamily *ir.IPFa // buildXdsTCPListener creates a xds Listener resource // TODO: Improve function parameters -func buildXdsTCPListener(name, address string, port uint32, ipFamily *ir.IPFamily, keepalive *ir.TCPKeepalive, connection *ir.ClientConnection, accesslog *ir.AccessLog) *listenerv3.Listener { +func buildXdsTCPListener( + name, address string, + port uint32, + ipFamily *ir.IPFamily, + keepalive *ir.TCPKeepalive, + connection *ir.ClientConnection, + accesslog *ir.AccessLog, +) (*listenerv3.Listener, error) { socketOptions := buildTCPSocketOptions(keepalive) - al := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) + al, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) + if err != nil { + return nil, err + } bufferLimitBytes := buildPerConnectionBufferLimitBytes(connection) listener := &listenerv3.Listener{ Name: name, @@ -203,7 +212,7 @@ func buildXdsTCPListener(name, address string, port uint32, ipFamily *ir.IPFamil socketAddress := listener.Address.GetSocketAddress() listener.AdditionalAddresses = setAddressByIPFamily(socketAddress, ipFamily, port) - return listener + return listener, nil } func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrapperspb.UInt32Value { 
@@ -214,10 +223,14 @@ func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrappe } // buildXdsQuicListener creates a xds Listener resource for quic -func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.AccessLog) *listenerv3.Listener { +func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.AccessLog) (*listenerv3.Listener, error) { + log, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) + if err != nil { + return nil, err + } xdsListener := &listenerv3.Listener{ Name: name + "-quic", - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener), + AccessLog: log, Address: &corev3.Address{ Address: &corev3.Address_SocketAddress{ SocketAddress: &corev3.SocketAddress{ @@ -238,7 +251,7 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces DrainType: listenerv3.Listener_MODIFY_ONLY, } - return xdsListener + return xdsListener, nil } // addHCMToXDSListener adds a HCM filter to the listener's filter chain, and adds @@ -254,7 +267,10 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces func (t *Translator) addHCMToXDSListener(xdsListener *listenerv3.Listener, irListener *ir.HTTPListener, accesslog *ir.AccessLog, tracing *ir.Tracing, http3Listener bool, connection *ir.ClientConnection, ) error { - al := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + al, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + if err != nil { + return err + } hcmTracing, err := buildHCMTracing(tracing) if err != nil { @@ -454,7 +470,7 @@ func buildEarlyHeaderMutation(headers *ir.HeaderSettings) []*corev3.TypedExtensi mutationRules = append(mutationRules, mr) } - earlyHeaderMutationAny, _ := anypb.New(&early_header_mutationv3.HeaderMutation{ + earlyHeaderMutationAny, _ := protocov.ToAnyWithValidation(&early_header_mutationv3.HeaderMutation{ Mutations: mutationRules, }) 
@@ -526,9 +542,12 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irRoute *ir.TCPRoute // Append port to the statPrefix. statPrefix = strings.Join([]string{statPrefix, strconv.Itoa(int(xdsListener.Address.GetSocketAddress().GetPortValue()))}, "-") - + al, error := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + if error != nil { + return error + } mgr := &tcpv3.TcpProxy{ - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute), + AccessLog: al, StatPrefix: statPrefix, ClusterSpecifier: &tcpv3.TcpProxy_Cluster{ Cluster: clusterName, @@ -612,7 +631,7 @@ func addXdsTLSInspectorFilter(xdsListener *listenerv3.Listener) error { } tlsInspector := &tls_inspectorv3.TlsInspector{} - tlsInspectorAny, err := anypb.New(tlsInspector) + tlsInspectorAny, err := protocov.ToAnyWithValidation(tlsInspector) if err != nil { return err } @@ -660,7 +679,7 @@ func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig) (*corev3.Transp setDownstreamTLSSessionSettings(tlsConfig, tlsCtx.DownstreamTlsContext) - tlsCtxAny, err := anypb.New(tlsCtx) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx) if err != nil { return nil, err } @@ -702,7 +721,7 @@ func buildXdsDownstreamTLSSocket(tlsConfig *ir.TLSConfig) (*corev3.TransportSock setDownstreamTLSSessionSettings(tlsConfig, tlsCtx) - tlsCtxAny, err := anypb.New(tlsCtx) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx) if err != nil { return nil, err } 
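Review bot: In addXdsTCPFilterChain the new variable in `al, error := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute)` is named `error`, which shadows Go's predeclared `error` type for the rest of the scope; buildXdsUDPListener does the same in its `@@ -817,14 +836,18 @@` hunk. Use the conventional name: `al, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute)` with `if err != nil { return err }` here, and `return nil, err` in the UDP listener, where `err` is already declared by the `routeAny, err :=` line above. Whether `err` is already in scope in addXdsTCPFilterChain is not visible in the hunk, but `:=` compiles either way because `al` is new.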
@@ -817,14 +836,18 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access route := &udpv3.Route{ Cluster: clusterName, } - routeAny, err := anypb.New(route) + routeAny, err := protocov.ToAnyWithValidation(route) if err != nil { return nil, err } + al, error := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + if error != nil { + return nil, error + } udpProxy := &udpv3.UdpProxyConfig{ StatPrefix: statPrefix, - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute), + AccessLog: al, RouteSpecifier: &udpv3.UdpProxyConfig_Matcher{ Matcher: &matcher.Matcher{ OnNoMatch: &matcher.Matcher_OnMatch{ @@ -838,14 +861,17 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access }, }, } - udpProxyAny, err := anypb.New(udpProxy) + udpProxyAny, err := protocov.ToAnyWithValidation(udpProxy) if err != nil { return nil, err } + if al, err = buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener); err != nil { + return nil, err + } xdsListener := &listenerv3.Listener{ Name: udpListener.Name, - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener), + AccessLog: al, Address: &corev3.Address{ Address: &corev3.Address_SocketAddress{ SocketAddress: &corev3.SocketAddress{ @@ -892,7 +918,7 @@ func translateEscapePath(in ir.PathEscapedSlashAction) hcmv3.HttpConnectionManag } func toNetworkFilter(filterName string, filterProto proto.Message) (*listenerv3.Filter, error) { - filterAny, err := protocov.ToAnyWithError(filterProto) + filterAny, err := protocov.ToAnyWithValidation(filterProto) if err != nil { return nil, err } diff --git a/internal/xds/translator/listener_test.go b/internal/xds/translator/listener_test.go index 28572bb06be..fbb716c1ac4 100644 --- a/internal/xds/translator/listener_test.go +++ b/internal/xds/translator/listener_test.go 
@@ -10,6 +10,7 @@ import ( "reflect" "testing" + routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" typev3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/stretchr/testify/assert" @@ -25,12 +26,24 @@ func Test_toNetworkFilter(t *testing.T) { wantErr error }{ { - name: "valid filter", - proto: &hcmv3.HttpConnectionManager{}, + name: "valid filter", + proto: &hcmv3.HttpConnectionManager{ + StatPrefix: "stats", + RouteSpecifier: &hcmv3.HttpConnectionManager_RouteConfig{ + RouteConfig: &routev3.RouteConfiguration{ + Name: "route", + }, + }, + }, wantErr: nil, }, { name: "invalid proto msg", + proto: &hcmv3.HttpConnectionManager{}, + wantErr: errors.New("invalid HttpConnectionManager.StatPrefix: value length must be at least 1 runes; invalid HttpConnectionManager.RouteSpecifier: value is required"), + }, + { + name: "nil proto msg", proto: nil, wantErr: errors.New("empty message received"), }, @@ -39,7 +52,7 @@ func Test_toNetworkFilter(t *testing.T) { t.Run(tt.name, func(t *testing.T) { _, err := toNetworkFilter("name", tt.proto) if tt.wantErr != nil { - assert.Equalf(t, tt.wantErr, err, "toNetworkFilter(%v)", tt.proto) + assert.Containsf(t, err.Error(), tt.wantErr.Error(), "toNetworkFilter(%v)", tt.proto) } else { assert.NoErrorf(t, err, "toNetworkFilter(%v)", tt.proto) } diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index e4e7b4a0216..a706cae662f 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go 
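Review bot: In the `@@ -39,7 +52,7 @@` hunk the assertion `assert.Containsf(t, err.Error(), tt.wantErr.Error(), ...)` calls `err.Error()` without first checking that an error was returned. If toNetworkFilter ever returns nil for an input that should be rejected, the test panics on a nil dereference instead of reporting a failed assertion. If the project's testify version provides it, `assert.ErrorContainsf(t, err, tt.wantErr.Error(), "toNetworkFilter(%v)", tt.proto)` checks for a non-nil error and then for the substring. This matters because this test is what pins the new validation behaviour of the helper.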
@@ -16,12 +16,12 @@ import ( tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" "github.com/golang/protobuf/ptypes/wrappers" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" "k8s.io/utils/ptr" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -83,7 +83,7 @@ func buildHCMOAuth2Filter(oidc *ir.OIDC) (*hcmv3.HttpFilter, error) { return nil, err } - OAuth2Any, err := anypb.New(oauth2Proto) + OAuth2Any, err := protocov.ToAnyWithValidation(oauth2Proto) if err != nil { return nil, err } diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml index 90e9f0e0c9b..434f2fb524c 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml @@ -11,7 +11,8 @@ accesslog: protocol: "%PROTOCOL%" response_code: "%RESPONSE_CODE%" als: - - destination: + - name: als + destination: name: accesslog/monitoring/envoy-als/port/9000 settings: - addressType: IP diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml index 5169bae040e..3f84816fdcf 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml @@ -13,7 +13,8 @@ accesslog: protocol: "%PROTOCOL%" response_code: "%RESPONSE_CODE%" als: - - destination: + - name: als + destination: name: accesslog/monitoring/envoy-als/port/9000 settings: - addressType: IP 
diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml index c93708b4c8a..8b83e16d556 100644 --- a/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml @@ -44,7 +44,7 @@ http: isIPv6: false maskLen: 24 jwt: - issuer: https://one.example.com + provider: https://one.example.com scopes: - foo claims: @@ -68,7 +68,7 @@ http: isIPv6: false maskLen: 24 jwt: - issuer: https://two.example.com + provider: https://two.example.com scopes: - for - bar diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml index 8012c6fa499..cdbb352dd54 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml index 45f45f5c9bf..f986750be1b 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml index 45f45f5c9bf..f986750be1b 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml index be515fc1afb..9696a28a86c 100755 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml @@ -11,6 +11,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog/monitoring/envoy-als/port/9000 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 outlierDetection: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml index 6d040000dbb..22d5e08aca3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml index ea9ef9405ee..7709f2c4e9c 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml index 6d040000dbb..22d5e08aca3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml index 6d040000dbb..22d5e08aca3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml index e0328b6e26c..5e41cf09397 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_0_1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_0_1 outlierDetection: {} @@ -51,6 +53,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_0_2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_0_2 outlierDetection: {} @@ -75,6 +78,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_1_1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_1_1 outlierDetection: {} @@ -99,6 +103,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_1_2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_1_2 outlierDetection: {} @@ -123,6 +128,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_2_1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_2_1 outlierDetection: {} @@ -147,6 +153,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_2_2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_2_2 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml index d9c561cee48..dbf145e7d6d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog/monitoring/envoy-als/port/9000 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml index fecb2076871..9df135e671c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml @@ -43,6 +43,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - filter: responseFlagFilter: @@ -119,6 +120,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - name: envoy.access_loggers.open_telemetry typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml index d9c561cee48..dbf145e7d6d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog/monitoring/envoy-als/port/9000 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml index 3b52d45e8e8..0ef9cdc5fab 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml @@ -43,6 +43,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - filter: responseFlagFilter: @@ -119,6 +120,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - name: envoy.access_loggers.open_telemetry typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml index b3f75f0e04e..0002897cb8d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-3/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-3/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml index 660d4f6b224..f5211bc9922 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml index 660d4f6b224..f5211bc9922 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml index 9714612e3de..1c72d4f070f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml index c6510f63778..2b9a4906343 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml @@ -59,7 +59,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: scope - orMatcher: predicate: @@ -79,7 +79,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: roles - singlePredicate: customMatch: @@ -97,7 +97,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: roles - singlePredicate: customMatch: @@ -113,7 +113,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: department - onMatch: action: @@ -155,7 +155,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: scope - singlePredicate: customMatch: @@ -173,7 +173,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: scope - orMatcher: predicate: 
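Review bot: Nothing in this expected output ties the new first `path` key (`- key: https://one.example.com` here, `https://two.example.com` in the later hunks of this file) to the metadata key under which `envoy.filters.http.jwt_authn` actually stores the JWT payload. If the two differ, or the key is rendered empty again as the old expectation `- key: ""` pinned, the lookups for `scope`, `roles`, `department` and `name` would presumably find nothing. That fails closed for an allow rule but would let a claim-based deny rule silently not apply. Because this file is generated test output, the check belongs in the test inputs and the translator: add a case whose listener expectation carries the same string as the provider's metadata key, and have the translator return an error rather than emit an empty key. The translator code is outside these hunks, so treat this as something to confirm.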
@@ -193,7 +193,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: roles - singlePredicate: customMatch: @@ -211,7 +211,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: roles - orMatcher: predicate: @@ -229,7 +229,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: name - singlePredicate: customMatch: @@ -245,7 +245,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: name onNoMatch: action: diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml index 33c8f6a68a4..e36a7f976be 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml index b6f2821b650..4088295c2de 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-http-route/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-http-route/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml index e4e5b8994bc..1c7cbaf45e0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} 
@@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml index 90636e8ffe1..93e5ebb91b6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml @@ -13,6 +13,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml index 5aa4727b18a..045afb39e71 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml index a89644e62d9..b7a2badfead 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml index 9714612e3de..1c72d4f070f 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml index 880f77a06f0..18846488a59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml index 880f77a06f0..18846488a59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml index e478c2054cd..ba70eb86e94 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend outlierDetection: {} 
@@ -85,6 +89,7 @@ ads: {} resourceApiVersion: V3 serviceName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml index 4e73328fa8e..3bac84394be 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -45,6 +47,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-http-route/0 + ignoreHealthOnHostRemoval: true name: envoyextensionpolicy/default/policy-for-http-route/0 outlierDetection: baseEjectionTime: 30s diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml index 6ea0615cb31..ede262a5694 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-route-2/0/grpc-backend-4 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-route-2/0/grpc-backend-4 outlierDetection: {} @@ -68,6 +71,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-route-1/0/grpc-backend-2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-route-1/0/grpc-backend-2 outlierDetection: {} @@ -92,6 +96,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0/grpc-backend-3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0/grpc-backend-3 outlierDetection: {} @@ -116,6 +121,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml index 03e10ccd7fc..ff3aedce52a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml index d65e267ad7d..820f85f625b 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml index 7a7e90de25b..0a3d6ba340e 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml index 485139eb2c8..09b9396270a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml @@ -25,6 +25,7 @@ interval: 3s timeout: 0.500s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: @@ -61,6 +62,7 @@ interval: 5s timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: @@ -94,6 +96,7 @@ text: "70696e67" timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: @@ -127,6 +130,7 @@ binary: cGluZw== timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: @@ -158,6 +162,7 @@ interval: 5s timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml index 22e6727066a..35b68d18b32 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -37,6 +38,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml index e9ea29c138f..f1b16b07b54 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml index f8cfa834cdd..4f007ff7c47 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml index 7d112afb676..9b420408aaa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml index f0ea3b32320..3e4300de532 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml index 53d1f9a7c1a..0bd72d2b460 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml index 0322cbb616d..d76408ee96f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} 
@@ -95,6 +100,7 @@ ads: {} resourceApiVersion: V3 serviceName: sixth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: sixth-route-dest outlierDetection: {} @@ -112,6 +118,7 @@ ads: {} resourceApiVersion: V3 serviceName: seventh-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: seventh-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml index 046021604df..7be6b0f7ade 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: mirror-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: mirror-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: mirror-route-dest1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: mirror-route-dest1 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml index 61496817710..565c93fd5ff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: valid-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: valid-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml index b435363bef7..c8dc8147580 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: redirect-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: redirect-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml index 0f75e67e278..de1e5ced9a4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: regex-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: regex-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml index 2adb8e01e4d..1e0be1f0405 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: request-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: request-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml index ca020e482fe..f3b7838ceee 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: response-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml index ca020e482fe..f3b7838ceee 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: response-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml index ca020e482fe..f3b7838ceee 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: response-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml index 027db39fb29..3041d18c4eb 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml index 3a2b7308d8e..8290c2d1837 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml index 3a2b7308d8e..8290c2d1837 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml index 0f75e67e278..de1e5ced9a4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: regex-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: regex-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml index a89644e62d9..b7a2badfead 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml index d65e267ad7d..820f85f625b 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml index 6d69b493981..a9be418a101 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml index 573625b4671..fccf18807c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml index ccfa16dbd99..51702c7c79b 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} @@ -68,6 +69,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml index f368f4c94d0..73cb7f276b2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml index 1489e95f6fd..ee7ebf5a19f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -37,6 +38,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml index 8c3dd7a549c..7fb571dc42f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml index 2cb022cfad0..de12099b7de 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml index 05cf41776c6..0a2796cd6ac 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -36,6 +37,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -60,6 +62,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -87,6 +90,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml index d53a7a1b2ce..9ada55d6523 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml index 9714612e3de..1c72d4f070f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml index b3842b6e52e..f9a046becf5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml index b6e4ed1ae7d..745719faa2b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml index 8ede70cf99a..8f5d81ea045 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml index 9de709310e6..308f92773e8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-www.test.com-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-www.test.com-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-www.test.com-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-www.test.com-dest outlierDetection: {} 
@@ -71,6 +73,7 @@ ads: {} resourceApiVersion: V3 serviceName: "192_168_1_250_8080" + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: "192_168_1_250_8080" outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml index 8d7b2d37ca0..8555780dab4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml index 8ede70cf99a..8f5d81ea045 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml index e75a68919d1..a5f1527ade9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: "192_168_1_250_443" + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: "192_168_1_250_443" outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml index 8ede70cf99a..8f5d81ea045 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml index 454192ce491..c21b71ce6c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml index 16792f24cb1..0c2202ce28f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true name: first-route-dest outlierDetection: {} perConnectionBufferLimitBytes: 32768 @@ -26,6 +27,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: RANDOM name: second-route-dest outlierDetection: {} @@ -43,6 +45,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -60,6 +63,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: fourth-route-dest outlierDetection: {} @@ -77,6 +81,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST leastRequestLbConfig: slowStartConfig: @@ -97,6 +102,7 @@ ads: {} resourceApiVersion: V3 serviceName: sixth-route-dest + ignoreHealthOnHostRemoval: true name: sixth-route-dest outlierDetection: {} perConnectionBufferLimitBytes: 32768 @@ -116,6 +122,7 @@ ads: {} resourceApiVersion: V3 serviceName: seventh-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: seventh-route-dest outlierDetection: {} @@ -133,6 +140,7 @@ ads: {} resourceApiVersion: V3 serviceName: eighth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV maglevLbConfig: tableSize: "524287" @@ -152,6 +160,7 @@ ads: {} resourceApiVersion: V3 serviceName: ninth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: ninth-route-dest outlierDetection: {} @@ -169,6 +178,7 @@ ads: {} resourceApiVersion: V3 serviceName: tenth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: tenth-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml index a89644e62d9..b7a2badfead 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml index 2b9b567cf39..c3b0666ab24 100755 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: securitypolicy/default/policy-for-http-route-2/envoy-gateway/http-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-http-route-2/envoy-gateway/http-backend outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-3/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-3/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml index ce7f4361a40..bd6b6e1ae2e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest outlierDetection: {} @@ -95,6 +100,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml index e0f57c2a695..19e6869eb5e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-1-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-1-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-2-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-2-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-3-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-3-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-4-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-4-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml index 03e10ccd7fc..ff3aedce52a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
@@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml index 03e10ccd7fc..ff3aedce52a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml index 4dad0aad1a7..16f6727a1a1 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml index 4dad0aad1a7..16f6727a1a1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml index 863e761bf9a..e467e24db53 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml index 5309331d017..f196a3fdd9a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml index 6441952eae8..47b4007397e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml index 45e8e0898ce..182245f1986 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml index 0ba1749076a..d2577b68f8b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml index a3c9b6623c9..4e607e59dbb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -29,6 +30,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -48,6 +50,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml index 0ba1749076a..d2577b68f8b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml index 427f6d15340..8aff78e3195 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index 427f6d15340..8aff78e3195 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
@@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml index 3b5a7b58376..1daefb357c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dual-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dual-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml index 382c2857a1f..c6291c77dd5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-complex-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-complex-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml index c845c64037d..aa8f0b0902b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml index a7bedbf76be..dbd196ef664 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-hostname-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-hostname-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml index 849359c1385..2219185b250 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-weighted-backend-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-weighted-backend-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml index e2156cb6aff..4c2749a767a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml index f60942991df..c2659deb6c9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-passthrough-foo-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-passthrough-foo-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml index 4dad0aad1a7..16f6727a1a1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml index 51ef591844c..7597e1328d9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml index 9e7469dd278..7ea8aa936c4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml index a9d0472bfac..f1a975a6e6a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml index 4d419611516..975086f5fff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml index e26cb444c5c..dd47af97cdd 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml index f7c6a0bf095..7ce45648946 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml index 0656b7c45e5..e153c882fd6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml index 6d5dffadf8c..eca236db657 100644 --- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml index 6a277bb94f6..408fc9c218e 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/tracing.go b/internal/xds/translator/tracing.go index c7777f94ba2..3e817bad1bf 100644 --- a/internal/xds/translator/tracing.go +++ b/internal/xds/translator/tracing.go @@ -50,7 +50,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e ServiceName: tracing.ServiceName, CollectorCluster: tracing.Destination.Name, } - return protocov.ToAnyWithError(config) + return protocov.ToAnyWithValidation(config) } case egv1a1.TracingProviderTypeOpenTelemetry: providerName = envoyOpenTelemetry @@ -68,7 +68,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e ServiceName: tracing.ServiceName, } - return protocov.ToAnyWithError(config) + return protocov.ToAnyWithValidation(config) } case egv1a1.TracingProviderTypeZipkin: providerName = envoyZipkin @@ -82,7 +82,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e CollectorEndpointVersion: tracecfg.ZipkinConfig_HTTP_JSON, } - return protocov.ToAnyWithError(config) + return protocov.ToAnyWithValidation(config) } default: return nil, fmt.Errorf("unknown tracing provider type: %s", tracing.Provider.Type) diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 30a54fe6990..27c0d3c5a04 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go 
@@ -217,7 +217,11 @@ func (t *Translator) processHTTPListenerXdsTranslation( case !xdsListenerOnSameAddressPortExists: // Create a new UDP(QUIC) listener for HTTP3 traffic if HTTP3 is enabled if http3Enabled { - quicXDSListener = buildXdsQuicListener(httpListener.Name, httpListener.Address, httpListener.Port, accessLog) + if quicXDSListener, err = buildXdsQuicListener(httpListener.Name, httpListener.Address, httpListener.Port, accessLog); err != nil { + errs = errors.Join(errs, err) + continue + } + if err = tCtx.AddXdsResource(resourcev3.ListenerType, quicXDSListener); err != nil { errs = errors.Join(errs, err) continue @@ -225,7 +229,13 @@ func (t *Translator) processHTTPListenerXdsTranslation( } // Create a new TCP listener for HTTP1/HTTP2 traffic. - tcpXDSListener = buildXdsTCPListener(httpListener.Name, httpListener.Address, httpListener.Port, httpListener.IPFamily, httpListener.TCPKeepalive, httpListener.Connection, accessLog) + if tcpXDSListener, err = buildXdsTCPListener( + httpListener.Name, httpListener.Address, httpListener.Port, httpListener.IPFamily, + httpListener.TCPKeepalive, httpListener.Connection, accessLog); err != nil { + errs = errors.Join(errs, err) + continue + } + if err = tCtx.AddXdsResource(resourcev3.ListenerType, tcpXDSListener); err != nil { errs = errors.Join(errs, err) continue @@ -514,7 +524,7 @@ func (t *Translator) addHTTPFiltersToHCM(filterChain *listenerv3.FilterChain, ht for i, filter := range filterChain.Filters { if filter.Name == wellknown.HTTPConnectionManager { var mgrAny *anypb.Any - if mgrAny, err = protocov.ToAnyWithError(hcm); err != nil { + if mgrAny, err = protocov.ToAnyWithValidation(hcm); err != nil { return err } 
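Review bot: The new `errs = errors.Join(errs, err)` branches after `buildXdsQuicListener` and, in the next hunk, `buildXdsTCPListener` join the build error unchanged, so unless those builders already name the listener, the aggregated error will not say which listener was dropped. Because the loop then `continue`s, that message is the only trace of a listener that never reached the xDS output. Consider wrapping it, e.g. `errs = errors.Join(errs, fmt.Errorf("listener %s: %w", httpListener.Name, err))`, assuming `fmt` is imported in this file. processHTTPListenerXdsTranslation starts and ends outside these hunks.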
@@ -560,12 +570,19 @@ func (t *Translator) processTCPListenerXdsTranslation( ) error { // The XDS translation is done in a best-effort manner, so we collect all // errors and return them at the end. - var errs error + var errs, err error for _, tcpListener := range tcpListeners { // Search for an existing listener, if it does not exist, create one. xdsListener := findXdsListenerByHostPort(tCtx, tcpListener.Address, tcpListener.Port, corev3.SocketAddress_TCP) if xdsListener == nil { - xdsListener = buildXdsTCPListener(tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.IPFamily, tcpListener.TCPKeepalive, tcpListener.Connection, accesslog) + if xdsListener, err = buildXdsTCPListener( + tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.IPFamily, + tcpListener.TCPKeepalive, tcpListener.Connection, accesslog); err != nil { + // skip this listener if failed to build xds listener + errs = errors.Join(errs, err) + continue + } + if err := tCtx.AddXdsResource(resourcev3.ListenerType, xdsListener); err != nil { // skip this listener if failed to add xds listener to the errs = errors.Join(errs, err) @@ -911,7 +928,7 @@ func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3. } } - tlsCtxAny, err := anypb.New(tlsCtx) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx) if err != nil { return nil, err } diff --git a/osv-scanner.toml b/osv-scanner.toml index 6144707a297..bed9a0c7a6a 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -1,7 +1,3 @@ -[[IgnoredVulns]] -id = "GO-2022-0646" -reason = "No a real issue, just a warning about third party package." - [[PackageOverrides]] name = "github.com/AdaLogics/go-fuzz-headers" version = "0.0.0-20230811130428-ced1acdcaa24" 
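Review bot: In processTCPListenerXdsTranslation the hunk adds a function-scope `err` (`var errs, err error`) for the `buildXdsTCPListener` call, but the following statement still reads `if err := tCtx.AddXdsResource(...)`, which shadows it inside the loop. The HTTP path in this file uses plain assignment for both calls, so this line should read `if err = tCtx.AddXdsResource(resourcev3.ListenerType, xdsListener); err != nil {`. The shadowing is harmless in the lines visible here, but two `err` variables in one loop body make a later edit easy to get wrong. The function body continues outside the hunk.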
@@ -16,13 +12,6 @@ ecosystem = "Go" license.override = ["MIT"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/87 is resolved" -[[PackageOverrides]] -name = "github.com/containers/storage" -version = "1.55.0" -ecosystem = "Go" -license.override = ["Apache-2.0"] -reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/104 is resolved" - [[PackageOverrides]] name = "github.com/distribution/distribution/v3" version = "3.0.0-beta.1" 
@@ -41,32 +30,28 @@ reason = "This package has dual license - the code is licensed under the Apache name = "github.com/go-sql-driver/mysql" version = "1.8.1" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] name = "github.com/hashicorp/errwrap" version = "1.1.0" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] name = "github.com/hashicorp/go-multierror" version = "1.1.1" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. 
See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] name = "github.com/hashicorp/hcl" version = "1.0.0" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] @@ -80,8 +65,7 @@ reason = "This package has dual license - the code is licensed under the Apache name = "github.com/shoenig/go-m1cpu" version = "0.1.6" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx" [[PackageOverrides]] @@ -89,10 +73,3 @@ name = "stdlib" ecosystem = "Go" license.override = ["BSD-3-Clause"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved" - -[[PackageOverrides]] -name = "sigs.k8s.io/json" -version = "0.0.0-20221116044647-bc3834ca7abd" -ecosystem = "Go" -license.override = ["Apache-2.0"] -reason = "https://github.com/kubernetes-sigs/json/blob/main/LICENSE" diff --git a/release-notes/current.yaml b/release-notes/current.yaml index bfc711148bd..2a028241148 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -10,11 +10,16 @@ security updates: | # New features or capabilities added in this release. new features: | - Add a new feature here + Add support for modifying container securityContext for Envoy Gateway deployment in Helm # Fixes for bugs identified in previous versions. bug fixes: | - Add a bug fix here + Only log endpoint configuration in verbose logging mode (`-v 4` or higher) + The xDS translation failed when wasm http code source configured without a sha + HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses + Route with multiple parents has incorrect namespace in parentRef status + BackendTlsPolicy specify multiple targetRefs of the same service, only one will work + Helm chart fails for Flux HelmRelease # Enhancements that improve performance. performance improvements: | diff --git a/release-notes/v1.1.3.yaml b/release-notes/v1.1.3.yaml new file mode 100644 index 00000000000..7e2f9070888 --- /dev/null +++ b/release-notes/v1.1.3.yaml 
@@ -0,0 +1,28 @@ +date: November 1, 2024 + +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. +breaking changes: | + +# New features or capabilities added in this release. +new features: | + +# Fixes for bugs identified in previous versions. +bug fixes: | + Fixed unsupported listener protocol type causing an error while updating Gateway Status + Fixed some status updates were being discarded by the status updater + Fixed error level logging for admin and metrics modules + Fixed Dashboard typos + Fixed Ratelimit Deployment ignoring pod labels and annotation merge + Fixed the API Server receives unnecessary requests + Fixed set invalid Listener.SupportedKinds to empty list + Fixed losing timeout settings that originate from the route when translating the backend traffic policy + Fixed xds translation failure when wasm http code source configured without sha + +# Enhancements that improve performance. +performance improvements: | + +# Other notable changes not covered by the above sections. +Other changes: | + Bumped Envoy proxy to 1.31.3 + Bumped github.com/docker/docker to 27.3.1+incompatible + diff --git a/site/content/en/contributions/CODEOWNERS.md b/site/content/en/contributions/CODEOWNERS.md index aeec0b7439b..071532f02c1 100644 --- a/site/content/en/contributions/CODEOWNERS.md +++ b/site/content/en/contributions/CODEOWNERS.md @@ -5,7 +5,6 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy - @arkodg - @qicz - @Xunzhuo @@ -19,3 +18,4 @@ description: "This section includes Maintainers of Envoy Gateway." - @LukeShu - @skriss - @youngnick +- @Alice-Lilith diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 2999d46410c..23f69fd832a 100644 --- a/site/content/en/latest/api/extension_types.md 
+++ b/site/content/en/latest/api/extension_types.md @@ -15,21 +15,14 @@ API group. ### Resource Types - [Backend](#backend) -- [BackendList](#backendlist) - [BackendTrafficPolicy](#backendtrafficpolicy) -- [BackendTrafficPolicyList](#backendtrafficpolicylist) - [ClientTrafficPolicy](#clienttrafficpolicy) -- [ClientTrafficPolicyList](#clienttrafficpolicylist) - [EnvoyExtensionPolicy](#envoyextensionpolicy) -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) - [EnvoyGateway](#envoygateway) - [EnvoyPatchPolicy](#envoypatchpolicy) -- [EnvoyPatchPolicyList](#envoypatchpolicylist) - [EnvoyProxy](#envoyproxy) - [HTTPRouteFilter](#httproutefilter) -- [HTTPRouteFilterList](#httproutefilterlist) - [SecurityPolicy](#securitypolicy) -- [SecurityPolicyList](#securitypolicylist) @@ -267,8 +260,7 @@ _Appears in:_ Backend allows the user to configure the endpoints of a backend and the behavior of the connection from Envoy Proxy to the backend. -_Appears in:_ -- [BackendList](#backendlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -328,22 +320,6 @@ _Appears in:_ | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | -#### BackendList - - - -BackendList contains a list of Backend resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[Backend](#backend) array_ | true | | - - #### BackendRef 
@@ -428,8 +404,7 @@ _Appears in:_ BackendTrafficPolicy allows the user to configure the behavior of the connection between the Envoy Proxy listener and the backend service. -_Appears in:_ -- [BackendTrafficPolicyList](#backendtrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -440,22 +415,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | -#### BackendTrafficPolicyList - - - -BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[BackendTrafficPolicy](#backendtrafficpolicy) array_ | true | | - - #### BackendTrafficPolicySpec @@ -637,8 +596,7 @@ _Appears in:_ ClientTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener. -_Appears in:_ -- [ClientTrafficPolicyList](#clienttrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -649,22 +607,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | -#### ClientTrafficPolicyList - - - -ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`ClientTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[ClientTrafficPolicy](#clienttrafficpolicy) array_ | true | | - - #### ClientTrafficPolicySpec @@ -957,8 +899,7 @@ _Appears in:_ EnvoyExtensionPolicy allows the user to configure various envoy extensibility options for the Gateway. -_Appears in:_ -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -969,22 +910,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | -#### EnvoyExtensionPolicyList - - - -EnvoyExtensionPolicyList contains a list of EnvoyExtensionPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyExtensionPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyExtensionPolicy](#envoyextensionpolicy) array_ | true | | - - #### EnvoyExtensionPolicySpec 
@@ -1350,8 +1275,7 @@ _Appears in:_ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API -_Appears in:_ -- [EnvoyPatchPolicyList](#envoypatchpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -1362,22 +1286,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. | -#### EnvoyPatchPolicyList - - - -EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyPatchPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyPatchPolicy](#envoypatchpolicy) array_ | true | | - - #### EnvoyPatchPolicySpec @@ -2026,8 +1934,7 @@ _Appears in:_ HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended traffic processing options such as path regex rewrite, direct response and more. -_Appears in:_ -- [HTTPRouteFilterList](#httproutefilterlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -2037,22 +1944,6 @@ _Appears in:_ | `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | -#### HTTPRouteFilterList - - - -HTTPRouteFilterList contains a list of HTTPRouteFilter resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`HTTPRouteFilterList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[HTTPRouteFilter](#httproutefilter) array_ | true | | - - #### HTTPRouteFilterSpec @@ -3638,8 +3529,7 @@ _Appears in:_ SecurityPolicy allows the user to configure various security settings for a Gateway. -_Appears in:_ -- [SecurityPolicyList](#securitypolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3650,22 +3540,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | -#### SecurityPolicyList - - - -SecurityPolicyList contains a list of SecurityPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`SecurityPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[SecurityPolicy](#securitypolicy) array_ | true | | - - #### SecurityPolicySpec diff --git a/site/content/en/latest/install/gateway-addons-helm-api.md b/site/content/en/latest/install/gateway-addons-helm-api.md index 9835e21cd62..dce51039fa2 100644 
--- a/site/content/en/latest/install/gateway-addons-helm-api.md +++ b/site/content/en/latest/install/gateway-addons-helm-api.md @@ -24,6 +24,7 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | 
@@ -34,6 +35,9 @@ An Add-ons Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = 
[\"__meta_kubernetes_namespace\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path 
/var/log/containers/*.log\n multiline.parser docker, cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | 
@@ -86,15 +90,21 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` 
| | +| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | @@ -106,6 +116,7 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 99023e65c6c..bb817b992dc 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md 
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/site/content/en/latest/tasks/security/jwt-claim-authorization.md b/site/content/en/latest/tasks/security/jwt-claim-authorization.md new file mode 100644 index 00000000000..2e67ea7ffe9 --- /dev/null +++ b/site/content/en/latest/tasks/security/jwt-claim-authorization.md 
@@ -0,0 +1,226 @@
+---
+title: "JWT Claim-Based Authorization"
+---
+
+This task provides instructions for configuring JWT claim-based authorization. JWT claim-based authorization checks if an incoming request has the required JWT claims before routing the request to a backend service.
+
+Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure JWT claim-based authorization.
+
+This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource.
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Configuration
+
+### Create a SecurityPolicy
+
+Please note that the JWT claim-based authorization requires the JWT token to be present in the request. A JWT authentication must be configured in the same SecurityPolicy to validate the JWT token and extract the claims.
+
+The below SecurityPolicy configuration allows requests with a valid JWT token that has the following claims:
+- `user.name` claim with the value `John Doe`
+- `user.roles` claim with the value `admin`
+- `scope` claim with the values `read`, `add`, and `modify`
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Verify the SecurityPolicy configuration:
+
+```shell
+kubectl get securitypolicy/authorization-jwt-claim -o yaml
+```
+
+## Testing
+
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the
+Quickstart instructions to set the variable.
+
+```shell
+echo $GATEWAY_HOST
+```
+
+Define a JWT token with the required claims.
+
+```shell
+export VALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGVzIjpbImFkbWluIiwiZWRpdG9yIl19LCJwcmVtaXVtX3VzZXIiOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUiOiJyZWFkIGFkZCBkZWxldGUgbW9kaWZ5In0.P36iAlmiRCC79OiB3vstF5Q_9OqUYAMGF3a3H492GlojbV6DcuOz8YIEYGsRSWc-BNJaBKlyvUKsKsGVPtYbbF8ajwZTs64wyO-zhd2R8riPkg_HsW7iwGswV12f5iVRpfQ4AG2owmdOToIaoch0aym89He1ZzEjcShr9olgqlAbbmhnk-namd1rP-xpzPnWhhIVI3mCz5hYYgDTMcM7qbokM5FzFttTRXAn5_Luor23U1062Ct_K53QArwxBvwJ-QYiqcBycHf-hh6sMx_941cUswrZucCpa-EwA3piATf9PKAyeeWHfHV9X-y8ipGOFg3mYMMVBuUZ1lBkJCik9f9kboRY6QzpOISARQj9PKMXfxZdIPNuGmA7msSNAXQgqkvbx04jMwb9U7eCEdGZztH4C8LhlRjgj0ZdD7eNbRjeH2F6zrWyMUpGWaWyq6rMuP98W2DWM5ZflK6qvT1c7FuFsWPvWLkgxQwTWQKrHdKwdbsu32Sj8VtUBJ0-ddEb"
+```
+
+Decode the JWT token to verify that it has the required claims.
+
+```shell
+jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${VALID_TOKEN})
+```
+
+The decoded JWT token should look like the following:
+
+```json
+{
+ "typ": "JWT",
+ "alg": "RS256",
+ "kid": "b520b3c2c4bd75a10e9cebc9576933dc"
+}
+{
+ "iss": "https://foo.bar.com",
+ "sub": "1234567890",
+ "user": {
+ "name": "John Doe",
+ "email": "john.doe@example.com",
+ "roles": [
+ "admin",
+ "editor"
+ ]
+ },
+ "premium_user": true,
+ "iat": 1516239022,
+ "scope": "read add delete modify"
+}
+```
+
+Send a request to the backend service with the valid JWT token:
+
+```shell
+curl -H "Host: www.example.com" -H "Authorization: Bearer ${VALID_TOKEN}" "http://${GATEWAY_HOST}/"
+```
+
+The request should be allowed and you should see the response from the backend service.
+
+Define a JWT token without the required claims.
+
+```shell
+export INVALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkFsaWNlIFNtaXRoIiwiZW1haWwiOiJhbGljZS5zbWl0aEBleGFtcGxlLmNvbSIsInJvbGVzIjpbImRldmVsb3BlciJdfSwicHJlbWl1bV91c2VyIjpmYWxzZSwiaWF0IjoxNTE2MjM5MDIyLCJzY29wZSI6InJlYWQgYWRkIGRlbGV0ZSJ9.Da547nNXzuQXm5E7LuLAiyFswXsW4RDhuitD_rpadtR7PTwzzOsJoqrVWJ_u1jJDaOTWIpLF4gwxDoY-Aoz_couzXzlAbECLs45ZFoc_UdffpfIbGKqTZx8VtwKuDLFsAeDDDqqx1flxFhvXHftJJdZYr1FgFz9u-absMmRU90DLmEZX3Hnyc8k8eBgeiu6vsWUD0-aNy8cWkFRbwRggkGmucFyUTG8Z1MY3iyH5E66W-ISoX8G9bzE9PTxVAAPDTvefD5iLJPSDJ8qV69OuMCJ8Dczq0L9Dd_w0sF-D1s9MTvexmGg4zBWluJ3r-pU9NHEdhqBypehp_yH8xF5Rt9AE7stZ4oPFZNyfrtkE-4IOnSEkMmzcC65g_rscn0ycerv4N5ZNpkr0x2IYYM4iGuo-ULv5Htnli3rffST45kx1XA8cdsrT1D0K3aPxdIxDIk8sTJf5-WVqRyo-bwxXXltwQLB9jCM_7QbTWQBYAJwUpi-0RW4jCl44-42gZnXf"
+```
+
+Decode the JWT token to verify that it does not have the required claims.
+
+```shell
+jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${INVALID_TOKEN})
+```
+
+The decoded JWT token should look like the following:
+
+```json
+{
+ "typ": "JWT",
+ "alg": "RS256",
+ "kid": "b520b3c2c4bd75a10e9cebc9576933dc"
+}
+{
+ "iss": "https://foo.bar.com",
+ "sub": "1234567890",
+ "user": {
+ "name": "Alice Smith",
+ "email": "alice.smith@example.com",
+ "roles": [
+ "developer"
+ ]
+ },
+ "premium_user": false,
+ "iat": 1516239022,
+ "scope": "read add delete"
+}
+```
+
+Send a request to the backend service with the invalid JWT token:
+
+```shell
+curl -v -H "Host: www.example.com" -H "Authorization: Bearer ${INVALID_TOKEN}" "http://${GATEWAY_HOST}/"
+```
+
+The request should be denied and you should see a `403 Forbidden` response.
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
+
+Delete the SecurityPolicy and the ClientTrafficPolicy
+
+```shell
+kubectl delete securitypolicy/authorization-jwt-claim
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
+
+[SecurityPolicy]: ../../../contributions/design/security-policy
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
+[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute
diff --git a/site/content/en/latest/tasks/traffic/direct-response.md b/site/content/en/latest/tasks/traffic/direct-response.md
new file mode 100644
index 00000000000..4b9aaa5551e
--- /dev/null
+++ b/site/content/en/latest/tasks/traffic/direct-response.md
@@ -0,0 +1,284 @@
+---
+title: "Direct Response"
+---
+
+Direct responses are valuable in cases where you want the gateway itself
+to handle certain requests without forwarding them to backend services.
+This task shows you how to configure them.
+
+## Installation
+
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+## Testing Direct Response
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+```shell
+curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I
+```
+
+```console
+HTTP/1.1 200 OK
+content-type: application/json
+x-content-type-options: nosniff
+date: Mon, 04 Mar 2024 02:34:21 GMT
+content-length: 480
+```
+
+Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+```shell
+curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/inline
+```
+
+```console
+* Trying 127.0.0.1:80...
+* Connected to 127.0.0.1 (127.0.0.1) port 80
+> GET /inline HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.4.0
+> Accept: */*
+>
+< HTTP/1.1 503 Service Unavailable
+< content-type: text/plain
+< content-length: 32
+< date: Sat, 02 Nov 2024 00:35:48 GMT
+<
+* Connection #0 to host 127.0.0.1 left intact
+Oops! Your request is not found.
+```
+
+```shell
+curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/value-ref
+```
+
+```console
+* Trying 127.0.0.1:80...
+* Connected to 127.0.0.1 (127.0.0.1) port 80
+> GET /value-ref HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.4.0
+> Accept: */*
+>
+< HTTP/1.1 500 Internal Server Error
+< content-type: application/json
+< content-length: 34
+< date: Sat, 02 Nov 2024 00:35:55 GMT
+<
+* Connection #0 to host 127.0.0.1 left intact
+{"error": "Internal Server Error"}
+```
diff --git a/site/content/en/news/releases/_index.md b/site/content/en/news/releases/_index.md
index 71ff48fd392..4449a100c7e 100644
--- a/site/content/en/news/releases/_index.md
+++ b/site/content/en/news/releases/_index.md
@@ -31,7 +31,7 @@ communications with the Envoy Gateway community, and the mechanics of the releas
 |:-------:|:--------------------------------------------------------------:|
 | 2022 Q4 | Daneyon Hansen ([danehans](https://github.com/danehans)) |
 | 2023 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) |
-| 2023 Q2 | Alice Wasko ([AliceProxy](https://github.com/AliceProxy)) |
+| 2023 Q2 | Alice Wasko ([Alice-Lilith](https://github.com/Alice-Lilith)) |
 | 2023 Q3 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) |
 | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) |
 | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) |
diff --git a/site/content/en/news/releases/notes/v1.1.3.md b/site/content/en/news/releases/notes/v1.1.3.md
new file mode 100644
index 00000000000..97128c1cc6c
--- /dev/null
+++ b/site/content/en/news/releases/notes/v1.1.3.md
@@ -0,0 +1,31 @@ +--- +title: "v1.1.3" +publishdate: 2024-11-01 +--- + +Date: November 1, 2024 + +## Breaking changes +- + +## New features +- + +## Bug fixes +- Fixed unsupported listener protocol type causing an error while updating Gateway Status +- Fixed some status updates were being discarded by the status updater +- Fixed error level logging for admin and metrics modules +- Fixed Dashboard typos +- Fixed Ratelimit Deployment ignoring pod labels and annotation merge +- Fixed the API Server receives unnecessary requests +- Fixed set invalid Listener.SupportedKinds to empty list +- Fixed losing timeout settings that originate from the route when translating the backend traffic policy +- Fixed xds translation failure when wasm http code source configured without sha + +## Performance improvements +- + +## Other changes +- Bumped Envoy proxy to 1.31.3 +- Bumped github.com/docker/docker to 27.3.1+incompatible + diff --git a/site/content/en/v0.2/contributions/CODEOWNERS.md b/site/content/en/v0.2/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.2/contributions/CODEOWNERS.md +++ b/site/content/en/v0.2/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.2/contributions/RELEASING.md b/site/content/en/v0.2/contributions/RELEASING.md index bad13a6830c..ad0143bdeb9 100644 --- a/site/content/en/v0.2/contributions/RELEASING.md +++ b/site/content/en/v0.2/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release 
diff --git a/site/content/en/v0.3/contributions/CODEOWNERS.md b/site/content/en/v0.3/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.3/contributions/CODEOWNERS.md +++ b/site/content/en/v0.3/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.3/contributions/RELEASING.md b/site/content/en/v0.3/contributions/RELEASING.md index bad13a6830c..ad0143bdeb9 100644 --- a/site/content/en/v0.3/contributions/RELEASING.md +++ b/site/content/en/v0.3/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/en/v0.4/contributions/CODEOWNERS.md b/site/content/en/v0.4/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.4/contributions/CODEOWNERS.md +++ b/site/content/en/v0.4/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.4/contributions/RELEASING.md b/site/content/en/v0.4/contributions/RELEASING.md index bad13a6830c..ad0143bdeb9 100644 --- a/site/content/en/v0.4/contributions/RELEASING.md +++ b/site/content/en/v0.4/contributions/RELEASING.md 
@@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/en/v0.5/contributions/CODEOWNERS.md b/site/content/en/v0.5/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.5/contributions/CODEOWNERS.md +++ b/site/content/en/v0.5/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.5/contributions/RELEASING.md b/site/content/en/v0.5/contributions/RELEASING.md index 206c9f0589d..7e02ccff581 100644 --- a/site/content/en/v0.5/contributions/RELEASING.md +++ b/site/content/en/v0.5/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/en/v0.6/contributions/CODEOWNERS.md b/site/content/en/v0.6/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.6/contributions/CODEOWNERS.md +++ b/site/content/en/v0.6/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain 
diff --git a/site/content/en/v0.6/contributions/RELEASING.md b/site/content/en/v0.6/contributions/RELEASING.md index 5abb7ba4503..37336d96acd 100644 --- a/site/content/en/v0.6/contributions/RELEASING.md +++ b/site/content/en/v0.6/contributions/RELEASING.md @@ -100,10 +100,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/zh/contributions/CODEOWNERS.md b/site/content/zh/contributions/CODEOWNERS.md index 74e885d852a..d7ad10786d4 100644 --- a/site/content/zh/contributions/CODEOWNERS.md +++ b/site/content/zh/contributions/CODEOWNERS.md @@ -5,7 +5,6 @@ description: "本部分包括 Envoy Gateway 的维护者。" ## 以下是拥有所有权限的维护者(按字母顺序排列) {#the-following-maintainers-listed-in-alphabetical-order-own-everything} -- @AliceProxy - @arkodg - @qicz - @Xunzhuo @@ -19,3 +18,4 @@ description: "本部分包括 Envoy Gateway 的维护者。" - @LukeShu - @skriss - @youngnick +- @Alice-Lilith diff --git a/site/content/zh/contributions/RELEASING.md b/site/content/zh/contributions/RELEASING.md index e1412e4eb7c..fd4b0af328e 100644 --- a/site/content/zh/contributions/RELEASING.md +++ b/site/content/zh/contributions/RELEASING.md @@ -102,10 +102,10 @@ export GITHUB_REMOTE=origin cherrypick/release-v0.4 # 将发布经理名字放在这里 reviewers: | - AliceProxy + Alice-Lilith ``` -将 `v0.4` 替换为真实的分支名称,并将 `AliceProxy` 替换为 RM 的真实名称。 +将 `v0.4` 替换为真实的分支名称,并将 `Alice-Lilith` 替换为 RM 的真实名称。 ## 次要版本 {#minor-release} diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 2999d46410c..23f69fd832a 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md 
@@ -15,21 +15,14 @@ API group. ### Resource Types - [Backend](#backend) -- [BackendList](#backendlist) - [BackendTrafficPolicy](#backendtrafficpolicy) -- [BackendTrafficPolicyList](#backendtrafficpolicylist) - [ClientTrafficPolicy](#clienttrafficpolicy) -- [ClientTrafficPolicyList](#clienttrafficpolicylist) - [EnvoyExtensionPolicy](#envoyextensionpolicy) -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) - [EnvoyGateway](#envoygateway) - [EnvoyPatchPolicy](#envoypatchpolicy) -- [EnvoyPatchPolicyList](#envoypatchpolicylist) - [EnvoyProxy](#envoyproxy) - [HTTPRouteFilter](#httproutefilter) -- [HTTPRouteFilterList](#httproutefilterlist) - [SecurityPolicy](#securitypolicy) -- [SecurityPolicyList](#securitypolicylist) @@ -267,8 +260,7 @@ _Appears in:_ Backend allows the user to configure the endpoints of a backend and the behavior of the connection from Envoy Proxy to the backend. -_Appears in:_ -- [BackendList](#backendlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -328,22 +320,6 @@ _Appears in:_ | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | -#### BackendList - - - -BackendList contains a list of Backend resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[Backend](#backend) array_ | true | | - - #### BackendRef @@ -428,8 +404,7 @@ _Appears in:_ BackendTrafficPolicy allows the user to configure the behavior of the connection between the Envoy Proxy listener and the backend service. -_Appears in:_ -- [BackendTrafficPolicyList](#backendtrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -440,22 +415,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | -#### BackendTrafficPolicyList - - - -BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[BackendTrafficPolicy](#backendtrafficpolicy) array_ | true | | - - #### BackendTrafficPolicySpec @@ -637,8 +596,7 @@ _Appears in:_ ClientTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener. -_Appears in:_ -- [ClientTrafficPolicyList](#clienttrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -649,22 +607,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | -#### ClientTrafficPolicyList - - - -ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`ClientTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[ClientTrafficPolicy](#clienttrafficpolicy) array_ | true | | - - #### ClientTrafficPolicySpec 
@@ -957,8 +899,7 @@ _Appears in:_ EnvoyExtensionPolicy allows the user to configure various envoy extensibility options for the Gateway. -_Appears in:_ -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -969,22 +910,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | -#### EnvoyExtensionPolicyList - - - -EnvoyExtensionPolicyList contains a list of EnvoyExtensionPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyExtensionPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyExtensionPolicy](#envoyextensionpolicy) array_ | true | | - - #### EnvoyExtensionPolicySpec @@ -1350,8 +1275,7 @@ _Appears in:_ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API -_Appears in:_ -- [EnvoyPatchPolicyList](#envoypatchpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -1362,22 +1286,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. | -#### EnvoyPatchPolicyList - - - -EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyPatchPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyPatchPolicy](#envoypatchpolicy) array_ | true | | - - #### EnvoyPatchPolicySpec @@ -2026,8 +1934,7 @@ _Appears in:_ HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended traffic processing options such as path regex rewrite, direct response and more. -_Appears in:_ -- [HTTPRouteFilterList](#httproutefilterlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2037,22 +1944,6 @@ _Appears in:_ | `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | -#### HTTPRouteFilterList - - - -HTTPRouteFilterList contains a list of HTTPRouteFilter resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`HTTPRouteFilterList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[HTTPRouteFilter](#httproutefilter) array_ | true | | - - #### HTTPRouteFilterSpec 
@@ -3638,8 +3529,7 @@ _Appears in:_ SecurityPolicy allows the user to configure various security settings for a Gateway. -_Appears in:_ -- [SecurityPolicyList](#securitypolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3650,22 +3540,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | -#### SecurityPolicyList - - - -SecurityPolicyList contains a list of SecurityPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`SecurityPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[SecurityPolicy](#securitypolicy) array_ | true | | - - #### SecurityPolicySpec diff --git a/site/content/zh/latest/install/gateway-addons-helm-api.md b/site/content/zh/latest/install/gateway-addons-helm-api.md index 9835e21cd62..dce51039fa2 100644 --- a/site/content/zh/latest/install/gateway-addons-helm-api.md +++ b/site/content/zh/latest/install/gateway-addons-helm-api.md @@ -24,6 +24,7 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | 
@@ -34,6 +35,9 @@ An Add-ons Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = 
[\"__meta_kubernetes_namespace\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path 
/var/log/containers/*.log\n multiline.parser docker, cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | 
@@ -86,15 +90,21 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` 
| | +| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | @@ -106,6 +116,7 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md index 99023e65c6c..bb817b992dc 100644 --- a/site/content/zh/latest/install/gateway-helm-api.md +++ b/site/content/zh/latest/install/gateway-helm-api.md 
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/site/content/zh/news/releases/_index.md b/site/content/zh/news/releases/_index.md index 8afc5916c6e..0862210010f 100644 --- a/site/content/zh/news/releases/_index.md +++ b/site/content/zh/news/releases/_index.md @@ -32,7 +32,7 @@ Envoy Gateway 的稳定版本包括: |:-------:|:--------------------------------------------------------------:| | 2022 Q4 | Daneyon Hansen ([danehans](https://github.com/danehans)) | | 2023 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | -| 2023 Q2 | Alice Wasko ([AliceProxy](https://github.com/AliceProxy)) | +| 2023 Q2 | Alice Wasko ([Alice-Lilith](https://github.com/Alice-Lilith)) | | 2023 Q3 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | 
diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html
index 704c3dfde80..0bdf6092027 100644
--- a/site/layouts/shortcodes/helm-version.html
+++ b/site/layouts/shortcodes/helm-version.html
@@ -3,8 +3,8 @@
 {{- "v0.0.0-latest" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "v1.1") -}}
-{{- "v1.1.2" -}}
+{{- "v1.1.3" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "doc") -}}
-{{- "v1.1.2" -}}
+{{- "v1.1.3" -}}
 {{- end -}}
diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html
index eced902814a..fd96ac1799e 100644
--- a/site/layouts/shortcodes/yaml-version.html
+++ b/site/layouts/shortcodes/yaml-version.html
@@ -3,8 +3,8 @@
 {{- "latest" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "v1.1") -}}
-{{- "v1.1.2" -}}
+{{- "v1.1.3" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "doc") -}}
-{{- "v1.1.2" -}}
+{{- "v1.1.3" -}}
 {{- end -}}
diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml
index 714dd296067..c7390d6d70d 100644
--- a/test/e2e/base/manifests.yaml
+++ b/test/e2e/base/manifests.yaml
@@ -424,113 +424,6 @@ spec: cpu: 10m --- apiVersion: v1 -kind: Namespace -metadata: - name: gateway-preserve-case-backend ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: go-server - namespace: gateway-preserve-case-backend -data: - go.mod: | - module srvr - go 1.22 - require ( - github.com/andybalholm/brotli v1.0.5 // indirect - github.com/klauspost/compress v1.17.0 // indirect - github.com/valyala/bytebufferpool v1.0.0 // indirect - github.com/valyala/fasthttp v1.51.0 // indirect - ) - go.sum: | - github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs= - github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= - github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= - github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= - github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= - github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= - github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA= - github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g= - main.go: | - package main - import ( - "encoding/json" - "fmt" - "log" - "github.com/valyala/fasthttp" - ) - func HandleFastHTTP(ctx *fasthttp.RequestCtx) { - ctx.QueryArgs().VisitAll(func(key, value []byte) { - if string(key) == "headers" { - ctx.Response.Header.Add(string(value), "PrEsEnT") - } - }) - headers := map[string][]string{} - ctx.Request.Header.VisitAll(func(key, value []byte) { - headers[string(key)] = append(headers[string(key)], string(value)) - }) - if d, err := json.MarshalIndent(headers, "", " "); err != nil { - ctx.Error(fmt.Sprintf("%s", err), fasthttp.StatusBadRequest) - } else { - fmt.Fprintf(ctx, string(d)+"\n") - } - } - func main() { - s := fasthttp.Server{ - Handler: HandleFastHTTP, - DisableHeaderNamesNormalizing: 
true, - } - log.Printf("Starting on port 8000") - log.Fatal(s.ListenAndServe(":8000")) - } ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-app-deployment - namespace: gateway-preserve-case-backend -spec: - replicas: 1 - selector: - matchLabels: - app: golang-app - template: - metadata: - labels: - app: golang-app - spec: - containers: - - name: golang-app-container - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . " - image: golang:1.22.3-alpine - ports: - - containerPort: 8000 - volumeMounts: - - name: go-server - mountPath: /app - volumes: - - name: go-server - configMap: - name: go-server ---- -apiVersion: v1 -kind: Service -metadata: - name: fasthttp-backend - namespace: gateway-preserve-case-backend -spec: - selector: - app: golang-app - ports: - - protocol: TCP - port: 8000 - targetPort: 8000 ---- -apiVersion: v1 data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPVENDQWlHZ0F3SUJBZ0lVUWNxbnZtQXlkRUtuOEdqWTdjZzVDb3A2QWp3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TkRBMU1USXhOakF3TlROYUZ3MHlOVEExCk1USXhOakF3TlROYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0VpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ2kzUis1WGx3SnlYSTNidTRVQ3E0NXgwSkdWQVBTVXRFTFlLUkxpOEo2CnlxOStySE1hVUtubDhsdldLaHlCNDk4WkJBdVVGS0RpcGhkS1A2eU0rRGl1azVIa2UrK0NmeGxkUDFiSGZiNlkKSGFWczh2cFMyUThneUF6NEZqc3NnNThMV1NKWTdEeEhSOWJibUVWelhSUjNWOEtDeDVaYVlkZ3RxU0NZTGJMTwozaGtGRGQramZxSzM3RHdiT253d21OQ2R0QmpRSTF1TmF2dm1QZzB0c3pwd29TQUtPRitPR0pHcTZHcDdNY0NtClFHZ3dYNkV0YzMwd3hJQTd6c3RnTWwzT293a3p4NHNMcFdJamdCSDVlVk9oYnB6NXROLzB2VFZ3Z3hlbTlOVisKQURjSTFBcnY5M1ZsaFB6VEFmZUNDUlljeFFiNlp4dnBuMWlRbVIrZkVpT0JBZ01CQUFHaklUQWZNQjBHQTFVZApEZ1FXQkJTMGRnRHNtQ3AyU0pZVzNPa3pkNDZtbFNndHZ6QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFab0NCCnE0M2taV1RZT21QR3JYMU5RM
llIVTQ2Y0pzRGxsN2JFL0ZIRUo1eEJEcWRGaUdhWkZBcGRkK3Mra2tkUUw5NUUKcU1SVk9nYS83TUFIL042dlRmb2tXcnVKUUFqaStpLzhGSllWb1VZTWMyeUxqYXp3ZS9ZMHlzTDRWRTNGUlZybApmVHRCTC9nVkhjNk9ZOFBpVFh4eitqdy9FN2kxQkRxZkdSK29sYmt4ZkVmWnhHN0tEZUVtQnVva0dxbDlYQXhSCjMzbnhSbFZuODdxSnJrdUlzdWl2ZzczaVVNMVpGUE1CRVp0OEJjU05MaWhxZEx0b29FVy9mcGZ1am9oaC9yTjUKOFA1ajJpWm9KOGpBS0t4YW5SaWhXTklSNzJtYnJ1R2hYOFRIQkxzczFvZlpLdHBXMzlUOTBTM2hnWkFwSmNZYQp2aGVwSnRtbm9jcHNnYUJiL0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== tls.key: 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 diff --git a/test/e2e/testdata/accesslog-als.yaml b/test/e2e/testdata/accesslog-als.yaml index cd998df4655..569195aba1a 100644 --- a/test/e2e/testdata/accesslog-als.yaml +++ b/test/e2e/testdata/accesslog-als.yaml 
@@ -15,186 +15,6 @@ spec: - name: infra-backend-v1 port: 8080 --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: envoy-als - namespace: monitoring -data: - go.mod: | - module envoy-als - go 1.22 - require ( - github.com/envoyproxy/go-control-plane v0.12.0 - github.com/prometheus/client_golang v1.19.1 - google.golang.org/grpc v1.64.0 - ) - - require ( - github.com/beorn7/perks v1.0.1 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50 // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect - github.com/golang/protobuf v1.5.4 // indirect - github.com/prometheus/client_model v0.5.0 // indirect - github.com/prometheus/common v0.48.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect - golang.org/x/net v0.22.0 // indirect - golang.org/x/sys v0.18.0 // indirect - golang.org/x/text v0.14.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect - google.golang.org/protobuf v1.33.0 // indirect - ) - go.sum: | - github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= - github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= - github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= - github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= - github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50 h1:DBmgJDC9dTfkVyGgipamEh2BpGYxScCH1TOF1LL1cXc= - github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50/go.mod h1:5e1+Vvlzido69INQaVO6d87Qn543Xr6nooe9Kz7oBFM= - github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= - github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= - github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= - github.com/envoyproxy/go-control-plane v0.12.0/go.mod 
h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= - github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= - github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= - github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= - github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= - github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= - github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= - github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= - github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= - github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE= - github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc= - github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= - github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= - golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= - golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= - golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= - golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc= - google.golang.org/genproto/googleapis/rpc 
v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= - google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY= - google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg= - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= - main.go: | - package main - - import ( - "log" - "net" - "net/http" - - alsv2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2" - alsv3 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3" - "github.com/prometheus/client_golang/prometheus" - "github.com/prometheus/client_golang/prometheus/promhttp" - - "google.golang.org/grpc" - ) - - var ( - LogCount = prometheus.NewCounterVec(prometheus.CounterOpts{ - Name: "log_count", - Help: "The total number of logs received.", - }, []string{"api_version"}) - ) - - func init() { - // Register the summary and the histogram with Prometheus's default registry. 
- prometheus.MustRegister(LogCount) - } - - type ALSServer struct { - } - - func (a *ALSServer) StreamAccessLogs(logStream alsv2.AccessLogService_StreamAccessLogsServer) error { - log.Println("Streaming als v2 logs") - for { - data, err := logStream.Recv() - if err != nil { - return err - } - - httpLogs := data.GetHttpLogs() - if httpLogs != nil { - LogCount.WithLabelValues("v2").Add(float64(len(httpLogs.LogEntry))) - } - - log.Printf("Received v2 log data: %s\n", data.String()) - } - } - - type ALSServerV3 struct { - } - - func (a *ALSServerV3) StreamAccessLogs(logStream alsv3.AccessLogService_StreamAccessLogsServer) error { - log.Println("Streaming als v3 logs") - for { - data, err := logStream.Recv() - if err != nil { - return err - } - - httpLogs := data.GetHttpLogs() - if httpLogs != nil { - LogCount.WithLabelValues("v3").Add(float64(len(httpLogs.LogEntry))) - } - - log.Printf("Received v3 log data: %s\n", data.String()) - } - } - - func NewALSServer() *ALSServer { - return &ALSServer{} - } - - func NewALSServerV3() *ALSServerV3 { - return &ALSServerV3{} - } - - func main() { - mux := http.NewServeMux() - if err := addMonitor(mux); err != nil { - log.Printf("could not establish self-monitoring: %v\n", err) - } - - s := &http.Server{ - Addr: ":19001", - Handler: mux, - } - - go func() { - s.ListenAndServe() - }() - - listener, err := net.Listen("tcp", "0.0.0.0:8080") - if err != nil { - log.Fatalf("Failed to start listener on port 8080: %v", err) - } - - var opts []grpc.ServerOption - grpcServer := grpc.NewServer(opts...) 
- alsv2.RegisterAccessLogServiceServer(grpcServer, NewALSServer()) - alsv3.RegisterAccessLogServiceServer(grpcServer, NewALSServerV3()) - log.Println("Starting ALS Server") - if err := grpcServer.Serve(listener); err != nil { - log.Fatalf("grpc serve err: %v", err) - } - } - - func addMonitor(mux *http.ServeMux) error { - mux.Handle("/metrics", promhttp.HandlerFor(prometheus.DefaultGatherer, promhttp.HandlerOpts{EnableOpenMetrics: true})) - - return nil - } - ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -215,18 +35,8 @@ spec: spec: containers: - name: envoy-als - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . " - image: golang:1.22.3-alpine + image: envoyproxy/gateway-envoy-als + imagePullPolicy: IfNotPresent ports: - containerPort: 8080 - containerPort: 19001 - volumeMounts: - - name: envoy-als - mountPath: /app - volumes: - - name: envoy-als - configMap: - name: envoy-als diff --git a/test/e2e/testdata/direct-response.yaml b/test/e2e/testdata/direct-response.yaml new file mode 100644 index 00000000000..a1d2d81e8bb --- /dev/null +++ b/test/e2e/testdata/direct-response.yaml 
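Review bot: The new `image: envoyproxy/gateway-envoy-als` on the `envoy-als` container carries no tag or digest, so it resolves to `latest`; with `imagePullPolicy: IfNotPresent` the test runs whatever copy is already on the node, and pulls a mutable tag from the registry when none is. Presumably the e2e harness builds this image and loads it into the test cluster; if so, say that next to the field, e.g. `# built from this repo and loaded into the test cluster by the e2e setup`, and reference the tag the harness applies, e.g. `image: envoyproxy/gateway-envoy-als:<TAG_SET_BY_HARNESS>`. If the image is meant to be pulled instead, pin it by digest so a re-pushed tag cannot change what the test executes. The Deployment that holds this container starts outside the hunk.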
@@ -0,0 +1,64 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: direct-response
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /inline
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: gateway.envoyproxy.io
+ kind: HTTPRouteFilter
+ name: direct-response-inline
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /value-ref
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: gateway.envoyproxy.io
+ kind: HTTPRouteFilter
+ name: direct-response-value-ref
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: value-ref-response
+ namespace: gateway-conformance-infra
+data:
+ response.body: '{"error": "Internal Server Error"}'
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: HTTPRouteFilter
+metadata:
+ name: direct-response-inline
+ namespace: gateway-conformance-infra
+spec:
+ directResponse:
+ contentType: text/plain
+ body:
+ type: Inline
+ inline: "Oops! Your request is not found."
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: HTTPRouteFilter
+metadata:
+ name: direct-response-value-ref
+ namespace: gateway-conformance-infra
+spec:
+ directResponse:
+ contentType: application/json
+ body:
+ type: ValueRef
+ valueRef:
+ group: ""
+ kind: ConfigMap
+ name: value-ref-response
diff --git a/test/e2e/testdata/ext-auth-grpc-service.yaml b/test/e2e/testdata/ext-auth-grpc-service.yaml
index 744be444ba0..587dad8a860 100644
--- a/test/e2e/testdata/ext-auth-grpc-service.yaml
+++ b/test/e2e/testdata/ext-auth-grpc-service.yaml
@@ -1,276 +1,5 @@ --- apiVersion: v1 -kind: ConfigMap -metadata: - name: grpc-ext-auth - namespace: gateway-conformance-infra -data: - go.mod: | - module github.com/envoyproxy/gateway - - go 1.21 - - require ( - github.com/envoyproxy/go-control-plane v0.12.0 - github.com/golang/protobuf v1.5.4 - google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 - google.golang.org/grpc v1.62.1 - ) - - require ( - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/text v0.14.0 // indirect - google.golang.org/protobuf v1.33.0 // indirect - ) - go.sum: | - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= - github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= - github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= - github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= - github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= - github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= - github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= - golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= - golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= - golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= - golang.org/x/sys v0.16.0/go.mod 
h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 h1:IR+hp6ypxjH24bkMfEJ0yHR21+gwPWdV+/IBrPQyn3k= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs= - google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= - google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= - main.go: | - package main - - import ( - "context" - "crypto/tls" - "crypto/x509" - "flag" - "fmt" - "log" - "net" - "net/http" - "os" - "strings" - - envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" - "github.com/golang/protobuf/ptypes/wrappers" - "google.golang.org/genproto/googleapis/rpc/code" - "google.golang.org/genproto/googleapis/rpc/status" - "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - ) - - var ( - port int - certPath string - ) - - func main() { - flag.IntVar(&port, "port", 9002, "gRPC port") - flag.StringVar(&certPath, "certPath", "", "path to server certificate and private key") - flag.Parse() - - lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) - if err != nil { - log.Fatalf("failed to listen to %d: %v", port, err) - } - - users := TestUsers() - - // Load TLS credentials - creds, err := loadTLSCredentials(certPath) - if err != nil { - log.Fatalf("Failed to load TLS credentials: %v", err) - } - gs := grpc.NewServer(grpc.Creds(creds)) - - envoy_service_auth_v3.RegisterAuthorizationServer(gs, 
NewAuthServer(users)) - - log.Printf("starting gRPC server on: %d\n", port) - - go func() { - err = gs.Serve(lis) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - http.HandleFunc("/healthz", healthCheckHandler) - err = http.ListenAndServe(":8080", nil) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - } - - type authServer struct { - users Users - } - - var _ envoy_service_auth_v3.AuthorizationServer = &authServer{} - - // NewAuthServer creates a new authorization server. - func NewAuthServer(users Users) envoy_service_auth_v3.AuthorizationServer { - return &authServer{users} - } - - // Check implements authorization's Check interface which performs authorization check based on the - // attributes associated with the incoming request. - func (s *authServer) Check( - _ context.Context, - req *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) { - authorization := req.Attributes.Request.Http.Headers["authorization"] - log.Println(authorization) - - extracted := strings.Fields(authorization) - if len(extracted) == 2 && extracted[0] == "Bearer" { - valid, user := s.users.Check(extracted[1]) - if valid { - return &envoy_service_auth_v3.CheckResponse{ - HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{ - OkResponse: &envoy_service_auth_v3.OkHttpResponse{ - Headers: []*envoy_api_v3_core.HeaderValueOption{ - { - Append: &wrappers.BoolValue{Value: false}, - Header: &envoy_api_v3_core.HeaderValue{ - // For a successful request, the authorization server sets the - // x-current-user value. - Key: "x-current-user", - Value: user, - }, - }, - }, - }, - }, - Status: &status.Status{ - Code: int32(code.Code_OK), - }, - }, nil - } - } - - return &envoy_service_auth_v3.CheckResponse{ - Status: &status.Status{ - Code: int32(code.Code_PERMISSION_DENIED), - }, - }, nil - } - - // Users holds a list of users. 
- type Users map[string]string - - // Check checks if a key could retrieve a user from a list of users. - func (u Users) Check(key string) (bool, string) { - value, ok := u[key] - if !ok { - return false, "" - } - return ok, value - } - - func TestUsers() Users { - return map[string]string{ - "token1": "user1", - "token2": "user2", - "token3": "user3", - } - } - - func healthCheckHandler(w http.ResponseWriter, r *http.Request) { - certPool, err := loadCA(certPath) - if err != nil { - log.Fatalf("Could not load CA certificate: %v", err) - } - - // Create TLS configuration - tlsConfig := &tls.Config{ - RootCAs: certPool, - } - - // Create gRPC dial options - opts := []grpc.DialOption{ - grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), - } - - conn, err := grpc.Dial("localhost:9002", opts...) - if err != nil { - log.Fatalf("Could not connect: %v", err) - } - client := envoy_service_auth_v3.NewAuthorizationClient(conn) - - response, err := client.Check(context.Background(), &envoy_service_auth_v3.CheckRequest{ - Attributes: &envoy_service_auth_v3.AttributeContext{ - Request: &envoy_service_auth_v3.AttributeContext_Request{ - Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ - Headers: map[string]string{ - "authorization": "Bearer token1", - }, - }, - }, - }, - }) - if err != nil { - log.Fatalf("Could not check: %v", err) - } - if response != nil && response.Status.Code == int32(code.Code_OK) { - w.WriteHeader(http.StatusOK) - } else { - w.WriteHeader(http.StatusServiceUnavailable) - } - } - - func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) { - // Load server's certificate and private key - crt := "server.crt" - key := "server.key" - - if certPath != "" { - if !strings.HasSuffix(certPath, "/") { - certPath = fmt.Sprintf("%s/", certPath) - } - crt = fmt.Sprintf("%s%s", certPath, crt) - key = fmt.Sprintf("%s%s", certPath, key) - } - certificate, err := tls.LoadX509KeyPair(crt, key) - if err != nil { - return nil, 
fmt.Errorf("could not load server key pair: %s", err) - } - - // Create a new credentials object - creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}}) - - return creds, nil - } - - func loadCA(caPath string) (*x509.CertPool, error) { - ca := x509.NewCertPool() - caCertPath := "server.crt" - if caPath != "" { - if !strings.HasSuffix(caPath, "/") { - caPath = fmt.Sprintf("%s/", caPath) - } - caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath) - } - caCert, err := os.ReadFile(caCertPath) - if err != nil { - return nil, fmt.Errorf("could not read ca certificate: %s", err) - } - ca.AppendCertsFromPEM(caCert) - return ca, nil - } ---- -apiVersion: v1 kind: Secret metadata: name: grpc-ext-auth-secret 
@@ -287,39 +16,39 @@ metadata: namespace: gateway-conformance-infra data: ca.crt: | - -----BEGIN CERTIFICATE----- - MIIFqzCCA5OgAwIBAgIUVuzUBkjFNxlNvZ+MPyR1AC7Tqb8wDQYJKoZIhvcNAQEL - BQAwGDEWMBQGA1UEAwwNZ3JwYy1leHQtYXV0aDAeFw0yNDAzMDkwMzUzMTdaFw0z - NDAzMDcwMzUzMTdaMBgxFjAUBgNVBAMMDWdycGMtZXh0LWF1dGgwggIiMA0GCSqG - SIb3DQEBAQUAA4ICDwAwggIKAoICAQCZnjeGlZbDVent0vEvFQZYLR8X/FeMN9O8 - zxFIZu9wGBEHk3Swn/Zxo8maNNB1L7R1/Ns2uT0uGWu/XHuUyRr8nsx3FKmnNLH7 - tXSlllEWSW3NTNt6OiMUqQygBpNlyHDL4WDzMXnwKm4lQaDYjpgsQVO3zIXDVEU2 - 4FFYN5RRdi29PK2TSMlVaktDLbsimXS4Yr0BPdm6GE73j1sSgzXwyFvzkn+AcHTV - u0d7gbOS0R0cE1T+BRIQ1TCB1boFwC5nA63rIC+oIseAIKk88v2OzkWGPx39+9EM - 0TEjmFBtoYqtsmxFVPzbGao+bxfJGH7pnEIctWXuXxaxEdonm0ZUIbjBZlQ9UhrG - qPZp7dpxc+lGafNTVrx0oXl4LKzVTNuJfqIuvpVTSwxNY2hdO0xwjl0VbZ/ojs5Z - UuKSp16KMj+i7gk2cyrLnBTDGaiZq2Uu0gmPV73MKc8LEqoI7g8bi6opAb93hlil - sJCmYkgy6Bw+H3rtLzYx+EpCQf5rZz6CxAd+L/ZHADFcGuTSRDOC6wuDfi4QCIbO - 7r6gso+sznqmRCd8B1vRT/NF6T8IaSY6hbpfFB+7kX1rC++V7NfVx81WKjTPsISi - 80kobVvC8qjvv/6lCDHvL5fbZb6bu0HoE7y3+YkaOXhKNpwGifPOkhm38O8Gwo41 - wM6mUnGtvwIDAQABo4HsMIHpMB0GA1UdDgQWBBQFwa6nI2fNbFi/gBpoGWzaiGba - zzAfBgNVHSMEGDAWgBQFwa6nI2fNbFi/gBpoGWzaiGbazzAJBgNVHRMEAjAAMAsG - A1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATBMBgNVHREERTBDgg1ncnBj - LWV4dC1hdXRogidncnBjLWV4dC1hdXRoLmdhdGV3YXktY29uZm9ybWFuY2UtaW5m - cmGCCWxvY2FsaG9zdDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg - Q2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBAJIzSoC9PQ/R8f02p+4DWvTz - W78vKJIxiLko7onR1qt0H2OLv5Kc4atnT/jxt7VZWy4UJkfj0bVqTuWU4WyahmlH - b1QKwWiX3bjv+swbo8/wZJ22sHw0boqn0GVrgrQX0hEbh6T47eYCcBtvgVVmCKnr - issmU0Hhpox6roT3wan8l9dFD4xo9ihq4rHuorBlIMCgvEhdIUHT0wyX2z4KXRSZ - bgE8ezUgoyueOjgoE6agLbtK8KUUQWfLLqgFQOs8rA7HfvnQxB7wiJduvIdeyf+i - tn7fQVCqpWzsHuGfvY3ivjnAcQb9Toq+Q4I+/Xtq17Gh39go6+1nm/V/oJPEagEg - XL+OzcOF6cOMD7Zyov3PWVbJmRFsqvi2/ijf8vtgm5fGUFRIcJKZak7f4C9D5Cij - +3yyi8PhoQHyqC6q+GMEaxs2FCXWAmo1xWU67pCCYOMgegKcmXahGhVDpwTuuDsH - e1QwTLfMACks0vQWt9lL0u17OtqzQ94zNtLE9dSuLaZvSXqi0PjIVquMuqUBu9v8 - 
01Z1TVBfFwUNO0tgUAiMRMcVlfjKj3fE0xNZeB/mXhvaiy5hZa6vUqIrEc9yxrIw - uCo3Acgff9aF+3AUBX4oWiaDmP0ZL5V0rD0dVSWeAmjagWUtTsVFzY8cbyOG6hWx - iFI1UfLQ/CuOtNsDTbi0 - -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFqzCCA5OgAwIBAgIUVuzUBkjFNxlNvZ+MPyR1AC7Tqb8wDQYJKoZIhvcNAQEL + BQAwGDEWMBQGA1UEAwwNZ3JwYy1leHQtYXV0aDAeFw0yNDAzMDkwMzUzMTdaFw0z + NDAzMDcwMzUzMTdaMBgxFjAUBgNVBAMMDWdycGMtZXh0LWF1dGgwggIiMA0GCSqG + SIb3DQEBAQUAA4ICDwAwggIKAoICAQCZnjeGlZbDVent0vEvFQZYLR8X/FeMN9O8 + zxFIZu9wGBEHk3Swn/Zxo8maNNB1L7R1/Ns2uT0uGWu/XHuUyRr8nsx3FKmnNLH7 + tXSlllEWSW3NTNt6OiMUqQygBpNlyHDL4WDzMXnwKm4lQaDYjpgsQVO3zIXDVEU2 + 4FFYN5RRdi29PK2TSMlVaktDLbsimXS4Yr0BPdm6GE73j1sSgzXwyFvzkn+AcHTV + u0d7gbOS0R0cE1T+BRIQ1TCB1boFwC5nA63rIC+oIseAIKk88v2OzkWGPx39+9EM + 0TEjmFBtoYqtsmxFVPzbGao+bxfJGH7pnEIctWXuXxaxEdonm0ZUIbjBZlQ9UhrG + qPZp7dpxc+lGafNTVrx0oXl4LKzVTNuJfqIuvpVTSwxNY2hdO0xwjl0VbZ/ojs5Z + UuKSp16KMj+i7gk2cyrLnBTDGaiZq2Uu0gmPV73MKc8LEqoI7g8bi6opAb93hlil + sJCmYkgy6Bw+H3rtLzYx+EpCQf5rZz6CxAd+L/ZHADFcGuTSRDOC6wuDfi4QCIbO + 7r6gso+sznqmRCd8B1vRT/NF6T8IaSY6hbpfFB+7kX1rC++V7NfVx81WKjTPsISi + 80kobVvC8qjvv/6lCDHvL5fbZb6bu0HoE7y3+YkaOXhKNpwGifPOkhm38O8Gwo41 + wM6mUnGtvwIDAQABo4HsMIHpMB0GA1UdDgQWBBQFwa6nI2fNbFi/gBpoGWzaiGba + zzAfBgNVHSMEGDAWgBQFwa6nI2fNbFi/gBpoGWzaiGbazzAJBgNVHRMEAjAAMAsG + A1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATBMBgNVHREERTBDgg1ncnBj + LWV4dC1hdXRogidncnBjLWV4dC1hdXRoLmdhdGV3YXktY29uZm9ybWFuY2UtaW5m + cmGCCWxvY2FsaG9zdDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg + Q2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBAJIzSoC9PQ/R8f02p+4DWvTz + W78vKJIxiLko7onR1qt0H2OLv5Kc4atnT/jxt7VZWy4UJkfj0bVqTuWU4WyahmlH + b1QKwWiX3bjv+swbo8/wZJ22sHw0boqn0GVrgrQX0hEbh6T47eYCcBtvgVVmCKnr + issmU0Hhpox6roT3wan8l9dFD4xo9ihq4rHuorBlIMCgvEhdIUHT0wyX2z4KXRSZ + bgE8ezUgoyueOjgoE6agLbtK8KUUQWfLLqgFQOs8rA7HfvnQxB7wiJduvIdeyf+i + tn7fQVCqpWzsHuGfvY3ivjnAcQb9Toq+Q4I+/Xtq17Gh39go6+1nm/V/oJPEagEg + XL+OzcOF6cOMD7Zyov3PWVbJmRFsqvi2/ijf8vtgm5fGUFRIcJKZak7f4C9D5Cij + 
+3yyi8PhoQHyqC6q+GMEaxs2FCXWAmo1xWU67pCCYOMgegKcmXahGhVDpwTuuDsH + e1QwTLfMACks0vQWt9lL0u17OtqzQ94zNtLE9dSuLaZvSXqi0PjIVquMuqUBu9v8 + 01Z1TVBfFwUNO0tgUAiMRMcVlfjKj3fE0xNZeB/mXhvaiy5hZa6vUqIrEc9yxrIw + uCo3Acgff9aF+3AUBX4oWiaDmP0ZL5V0rD0dVSWeAmjagWUtTsVFzY8cbyOG6hWx + iFI1UfLQ/CuOtNsDTbi0 + -----END CERTIFICATE----- --- apiVersion: apps/v1 kind: Deployment @@ -337,35 +66,30 @@ spec: app: grpc-ext-auth spec: containers: - - name: golang-app-container - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . --certPath=/app-live/certs/ " - image: golang:1.21.3-alpine - ports: - - containerPort: 8000 - volumeMounts: - - name: grpc-ext-auth - mountPath: /app - - name: grpc-ext-auth-secret - mountPath: /app/certs - readinessProbe: - httpGet: - path: /healthz - port: 8080 + - name: golang-app-container + command: + - /grpc-ext-auth + - "--certPath=/app/certs" + image: envoyproxy/gateway-grpc-ext-auth:latest + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8000 + volumeMounts: + - name: grpc-ext-auth-secret + mountPath: /app/certs + readinessProbe: + httpGet: + path: /healthz + port: 8080 volumes: - - name: grpc-ext-auth - configMap: - name: grpc-ext-auth - - name: grpc-ext-auth-secret - secret: - secretName: grpc-ext-auth-secret - items: - - key: tls.crt - path: server.crt - - key: tls.key - path: server.key + - name: grpc-ext-auth-secret + secret: + secretName: grpc-ext-auth-secret + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key --- apiVersion: v1 kind: Service @@ -376,6 +100,6 @@ spec: selector: app: grpc-ext-auth ports: - - protocol: TCP - port: 9002 - targetPort: 9002 + - protocol: TCP + port: 9002 + targetPort: 9002 diff --git a/test/e2e/testdata/ext-auth-http-service.yaml b/test/e2e/testdata/ext-auth-http-service.yaml index cf08cc20751..a4e96928292 100644 --- a/test/e2e/testdata/ext-auth-http-service.yaml +++ b/test/e2e/testdata/ext-auth-http-service.yaml 
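Review bot: The new `image: envoyproxy/gateway-grpc-ext-auth:latest` in the Deployment hunk names a mutable tag, and with `imagePullPolicy: IfNotPresent` the code that runs is whatever copy the node already holds, or whatever the registry serves under that name if none is cached. Presumably the e2e target builds these images and loads them into the kind cluster; if so, say it next to the field, e.g. `# built by the e2e make target and preloaded into kind; never pulled from a registry`. Consider giving the image a tag derived from the commit under test so that a stale or foreign image cannot satisfy the pod. The same applies to `envoyproxy/gateway-http-ext-auth` (no tag at all) in ext-auth-http-service.yaml, `envoyproxy/gateway-grpc-ext-proc:latest` in ext-proc-service.yaml and `envoyproxy/gateway-preserve-case-backend` in preserve-case.yaml.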
@@ -1,45 +1,4 @@ --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: http-ext-auth - namespace: gateway-conformance-infra -data: - http-ext-auth.js: | - const Http = require("http"); - const path = require("path"); - - const tokens = { - "token1": "user1", - "token2": "user2", - "token3": "user3" - }; - - const server = new Http.Server((req, res) => { - const authorization = req.headers["authorization"] || ""; - const extracted = authorization.split(" "); - if (extracted.length === 2 && extracted[0] === "Bearer") { - const user = checkToken(extracted[1]); - console.log(`token: "${extracted[1]}" user: "${user}`); - if (user !== undefined) { - // The authorization server returns a response with "x-current-user" header for a successful - // request. - res.writeHead(200, { "x-current-user": user }); - return res.end(); - } - } - res.writeHead(403); - res.end(); - }); - - const port = process.env.PORT || 9002; - server.listen(port); - console.log(`starting HTTP server on: ${port}`); - - function checkToken(token) { - return tokens[token]; - } ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -56,26 +15,17 @@ spec: app: http-ext-auth spec: containers: - - name: http-ext-auth - command: - - node - - /usr/src/app/http-ext-auth.js - image: node:19-bullseye - ports: - - containerPort: 9002 - volumeMounts: - name: http-ext-auth - mountPath: /usr/src/app - readinessProbe: - httpGet: - httpHeaders: - - name: authorization - value: "Bearer token1" - port: 9002 - volumes: - - name: http-ext-auth - configMap: - name: http-ext-auth + image: envoyproxy/gateway-http-ext-auth + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9002 + readinessProbe: + httpGet: + httpHeaders: + - name: authorization + value: "Bearer token1" + port: 9002 --- apiVersion: v1 kind: Service @@ -86,6 +36,6 @@ spec: selector: app: http-ext-auth ports: - - protocol: TCP - port: 9002 - targetPort: 9002 + - protocol: TCP + port: 9002 + targetPort: 9002 
diff --git a/test/e2e/testdata/ext-proc-service.yaml b/test/e2e/testdata/ext-proc-service.yaml
index 23b325f2031..3dc4796e123 100644
--- a/test/e2e/testdata/ext-proc-service.yaml
+++ b/test/e2e/testdata/ext-proc-service.yaml
@@ -1,343 +1,3 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: grpc-ext-proc - namespace: gateway-conformance-infra -data: - go.mod: | - module github.com/envoyproxy/gateway - - go 1.22 - - require ( - github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8 - google.golang.org/grpc v1.62.1 - ) - - require ( - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect - github.com/golang/protobuf v1.5.4 // indirect - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/text v0.14.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect - google.golang.org/protobuf v1.33.0 // indirect - ) - go.sum: | - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= - github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8 h1:Zghtu+wdlGvrmutCyhU9Ew5ozU18PVpxP+zGSgyUpFs= - github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8/go.mod h1:YtsM9q/kVkKyvmemY+BF/ZK7I93OWsx4uk4Do2Mr/OA= - github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= - github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= - github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= - github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 
h1:pH+U6pJP0BhxqQ4njBUjOg0++WMMvv3eByWzB+oATBY= - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= - golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= - golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= - golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= - golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s= - google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= - google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= - main.go: | - package main - - import ( - "context" - "crypto/tls" - "crypto/x509" - "flag" - "fmt" - "io" - "log" - "net" - "net/http" - "os" - "strings" - - "google.golang.org/grpc/credentials" - - envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - envoy_service_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3" - - "google.golang.org/grpc" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - ) - - type extProcServer struct{} - - var ( - port int - certPath string - ) - - func main() { - flag.IntVar(&port, "port", 9002, "gRPC port") - flag.StringVar(&certPath, "certPath", "", "path to extProcServer certificate and private key") - flag.Parse() - - lis, err := 
net.Listen("tcp", fmt.Sprintf(":%d", port)) - if err != nil { - log.Fatalf("failed to listen: %v", err) - } - - creds, err := loadTLSCredentials(certPath) - if err != nil { - log.Fatalf("Failed to load TLS credentials: %v", err) - } - gs := grpc.NewServer(grpc.Creds(creds)) - envoy_service_proc_v3.RegisterExternalProcessorServer(gs, &extProcServer{}) - - go func() { - err = gs.Serve(lis) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - // Create Unix listener - gus := grpc.NewServer(grpc.Creds(creds)) - envoy_service_proc_v3.RegisterExternalProcessorServer(gus, &extProcServer{}) - - udsAddr := "/var/run/ext-proc/extproc.sock" - if _, err := os.Stat(udsAddr); err == nil { - if err := os.RemoveAll(udsAddr); err != nil { - log.Fatalf("failed to remove: %v", err) - } - } - - ul, err := net.Listen("unix", udsAddr) - if err != nil { - log.Fatalf("failed to listen: %v", err) - } - - err = os.Chmod(udsAddr, 0700) - if err != nil { - log.Fatalf("failed to set permissions: %v", err) - } - - // envoy distroless uid - err = os.Chown(udsAddr, 65532, 0) - if err != nil { - log.Fatalf("failed to set permissions: %v", err) - } - - go func() { - err = gus.Serve(ul) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - http.HandleFunc("/healthz", healthCheckHandler) - err = http.ListenAndServe(":8080", nil) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - } - - // used by k8s readiness probes - // makes a processing request to check if the processor service is healthy - func healthCheckHandler(w http.ResponseWriter, r *http.Request) { - certPool, err := loadCA(certPath) - if err != nil { - log.Fatalf("Could not load CA certificate: %v", err) - } - - // Create TLS configuration - tlsConfig := &tls.Config{ - RootCAs: certPool, - ServerName: "grpc-ext-proc.envoygateway", - } - - // Create gRPC dial options - opts := []grpc.DialOption{ - grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), - } - - conn, err := 
grpc.Dial("localhost:9002", opts...) - if err != nil { - log.Fatalf("Could not connect: %v", err) - } - client := envoy_service_proc_v3.NewExternalProcessorClient(conn) - - processor, err := client.Process(context.Background()) - if err != nil { - log.Fatalf("Could not check: %v", err) - } - - err = processor.Send(&envoy_service_proc_v3.ProcessingRequest{ - Request: &envoy_service_proc_v3.ProcessingRequest_RequestHeaders{ - RequestHeaders: &envoy_service_proc_v3.HttpHeaders{}, - }, - }) - if err != nil { - log.Fatalf("Could not check: %v", err) - } - - response, err := processor.Recv() - if err != nil { - log.Fatalf("Could not check: %v", err) - } - - if response != nil && response.GetRequestHeaders().Response.Status == envoy_service_proc_v3.CommonResponse_CONTINUE { - w.WriteHeader(http.StatusOK) - } else { - w.WriteHeader(http.StatusServiceUnavailable) - } - } - - func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) { - // Load extProcServer's certificate and private key - crt := "server.crt" - key := "server.key" - - if certPath != "" { - if !strings.HasSuffix(certPath, "/") { - certPath = fmt.Sprintf("%s/", certPath) - } - crt = fmt.Sprintf("%s%s", certPath, crt) - key = fmt.Sprintf("%s%s", certPath, key) - } - certificate, err := tls.LoadX509KeyPair(crt, key) - if err != nil { - return nil, fmt.Errorf("could not load extProcServer key pair: %s", err) - } - - // Create a new credentials object - creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}}) - - return creds, nil - } - - func loadCA(caPath string) (*x509.CertPool, error) { - ca := x509.NewCertPool() - caCertPath := "server.crt" - if caPath != "" { - if !strings.HasSuffix(caPath, "/") { - caPath = fmt.Sprintf("%s/", caPath) - } - caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath) - } - caCert, err := os.ReadFile(caCertPath) - if err != nil { - return nil, fmt.Errorf("could not read ca certificate: %s", err) - } - 
ca.AppendCertsFromPEM(caCert) - return ca, nil - } - - func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_ProcessServer) error { - ctx := srv.Context() - for { - select { - case <-ctx.Done(): - return ctx.Err() - default: - } - req, err := srv.Recv() - if err == io.EOF { - return nil - } - if err != nil { - return status.Errorf(codes.Unknown, "cannot receive stream request: %v", err) - } - - resp := &envoy_service_proc_v3.ProcessingResponse{} - switch v := req.Request.(type) { - case *envoy_service_proc_v3.ProcessingRequest_RequestHeaders: - xrch := "" - if v.RequestHeaders != nil { - hdrs := v.RequestHeaders.Headers.GetHeaders() - for _, hdr := range hdrs { - if hdr.Key == "x-request-client-header" { - xrch = string(hdr.RawValue) - } - } - } - - rhq := &envoy_service_proc_v3.HeadersResponse{ - Response: &envoy_service_proc_v3.CommonResponse{ - HeaderMutation: &envoy_service_proc_v3.HeaderMutation{ - SetHeaders: []*envoy_api_v3_core.HeaderValueOption{ - { - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-request-ext-processed", - RawValue: []byte("true"), - }, - }, - }, - }, - }, - } - - if xrch != "" { - rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders, - &envoy_api_v3_core.HeaderValueOption{ - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-request-client-header", - RawValue: []byte("mutated"), - }, - }) - rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders, - &envoy_api_v3_core.HeaderValueOption{ - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-request-client-header-received", - RawValue: []byte(xrch), - }, - }) - } - - resp = &envoy_service_proc_v3.ProcessingResponse{ - Response: &envoy_service_proc_v3.ProcessingResponse_RequestHeaders{ - RequestHeaders: rhq, - }, - } - break - case *envoy_service_proc_v3.ProcessingRequest_ResponseHeaders: - rhq := &envoy_service_proc_v3.HeadersResponse{ - Response: &envoy_service_proc_v3.CommonResponse{ - HeaderMutation: 
&envoy_service_proc_v3.HeaderMutation{ - SetHeaders: []*envoy_api_v3_core.HeaderValueOption{ - { - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-response-ext-processed", - RawValue: []byte("true"), - }, - }, - }, - }, - }, - } - resp = &envoy_service_proc_v3.ProcessingResponse{ - Response: &envoy_service_proc_v3.ProcessingResponse_ResponseHeaders{ - ResponseHeaders: rhq, - }, - } - break - default: - log.Printf("Unknown Request type %v\n", v) - } - if err := srv.Send(resp); err != nil { - log.Printf("send error %v", err) - } - } - } - - --- apiVersion: v1 kind: Secret @@ -394,16 +54,13 @@ spec: spec: containers: - name: golang-app-container - command: - - sh - - "-c" - - "cd /app && go run . --certPath=/app/certs/" - image: golang:1.22.3-alpine + image: envoyproxy/gateway-grpc-ext-proc:latest + imagePullPolicy: IfNotPresent + args: + - --certPath=/app/certs/ ports: - containerPort: 8000 volumeMounts: - - name: grpc-ext-proc - mountPath: /app - name: grpc-ext-proc-secret mountPath: /app/certs - name: socket-dir @@ -413,9 +70,6 @@ spec: path: /healthz port: 8080 volumes: - - name: grpc-ext-proc - configMap: - name: grpc-ext-proc - name: grpc-ext-proc-secret secret: secretName: grpc-ext-proc-secret diff --git a/test/e2e/testdata/gateway-with-envoyproxy.yaml b/test/e2e/testdata/gateway-with-envoyproxy.yaml new file mode 100644 index 00000000000..0d04562c13d --- /dev/null +++ b/test/e2e/testdata/gateway-with-envoyproxy.yaml 
@@ -0,0 +1,49 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: gateway-with-envoyproxy + namespace: gateway-conformance-infra +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + namespace: gateway-conformance-infra + name: test +spec: + routingType: Service +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-route + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: gateway-with-envoyproxy + rules: + - matches: + - path: + value: / + backendRefs: + - name: infra-backend-v1 + port: 8080 + filters: + - type: ResponseHeaderModifier + responseHeaderModifier: + add: + - name: upstream-host + value: '%UPSTREAM_HOST%' diff --git a/test/e2e/testdata/oidc-keycloak.yaml b/test/e2e/testdata/oidc-keycloak.yaml index 5e7eca54013..8921b9eb204 100644 --- a/test/e2e/testdata/oidc-keycloak.yaml +++ b/test/e2e/testdata/oidc-keycloak.yaml @@ -43,7 +43,7 @@ spec: serviceAccountName: keycloak containers: - name: keycloak - image: quay.io/keycloak/keycloak:23.0.6 + image: quay.io/keycloak/keycloak:26.0.4 imagePullPolicy: IfNotPresent args: - "start-dev" diff --git a/test/e2e/testdata/preserve-case.yaml b/test/e2e/testdata/preserve-case.yaml index c815a19e332..52f061662d1 100644 --- a/test/e2e/testdata/preserve-case.yaml +++ b/test/e2e/testdata/preserve-case.yaml @@ -1,3 +1,9 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-preserve-case-backend +--- apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: 
@@ -5,12 +11,12 @@ metadata: namespace: gateway-preserve-case-backend spec: from: - - group: gateway.networking.k8s.io - kind: HTTPRoute - namespace: gateway-conformance-infra + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: gateway-conformance-infra to: - - group: "" - kind: Service + - group: "" + kind: Service --- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: ClientTrafficPolicy @@ -19,9 +25,9 @@ metadata: namespace: gateway-conformance-infra spec: targetRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: same-namespace + - group: gateway.networking.k8s.io + kind: Gateway + name: same-namespace http1: preserveHeaderCase: true --- @@ -32,13 +38,48 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - name: same-namespace + - name: same-namespace rules: - - matches: - - path: - type: PathPrefix - value: /preserve - backendRefs: - - name: fasthttp-backend - namespace: gateway-preserve-case-backend + - matches: + - path: + type: PathPrefix + value: /preserve + backendRefs: + - name: fasthttp-backend + namespace: gateway-preserve-case-backend + port: 8000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: preserve-case + namespace: gateway-preserve-case-backend +spec: + replicas: 1 + selector: + matchLabels: + app: preserve-case + template: + metadata: + labels: + app: preserve-case + spec: + containers: + - name: preserve-case + image: envoyproxy/gateway-preserve-case-backend + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8000 +--- +apiVersion: v1 +kind: Service +metadata: + name: fasthttp-backend + namespace: gateway-preserve-case-backend +spec: + selector: + app: preserve-case + ports: + - protocol: TCP port: 8000 + targetPort: 8000 diff --git a/test/e2e/testdata/wasm-http.yaml b/test/e2e/testdata/wasm-http.yaml index 2bc1aae0ab3..856d381a517 100644 --- a/test/e2e/testdata/wasm-http.yaml +++ b/test/e2e/testdata/wasm-http.yaml 
@@ -19,6 +19,24 @@ spec: --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute +metadata: + name: http-with-http-wasm-source-no-sha + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + hostnames: ["www.example.com"] + rules: + - matches: + - path: + type: PathPrefix + value: /wasm-http-no-sha + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute metadata: name: http-without-wasm namespace: gateway-conformance-infra @@ -53,3 +71,21 @@ spec: http: url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyExtensionPolicy +metadata: + name: http-wasm-source-test-no-sha + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-with-http-wasm-source-no-sha + wasm: + - name: wasm-filter + rootID: my_root_id + code: + type: HTTP + http: + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm diff --git a/test/e2e/tests/accesslog.go b/test/e2e/tests/accesslog.go index b2c9a28ac94..4edc12f7c55 100644 --- a/test/e2e/tests/accesslog.go +++ b/test/e2e/tests/accesslog.go @@ -30,9 +30,9 @@ var FileAccessLogTest = suite.ConformanceTest{ Manifests: []string{"testdata/accesslog-file.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { labels := map[string]string{ - "job": "fluentbit", - "k8s_namespace_name": "envoy-gateway-system", - "k8s_container_name": "envoy", + "job": "envoy-gateway-system/envoy", + "namespace": "envoy-gateway-system", + "container": "envoy", } match := "test-annotation-value" diff --git a/test/e2e/tests/authorization_client_ip.go b/test/e2e/tests/authorization_client_ip.go index 8887c46b1a0..698a4d73a6a 100644 
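Review bot: The added `http-wasm-source-test-no-sha` policy in wasm-http.yaml loads the filter from a `main`-branch raw URL with no `sha256`, so nothing in this fixture fixes which binary ends up in the proxy, whereas the existing policy just above pins the same URL with a digest. Omitting the checksum appears to be the purpose of the test, so state that in the manifest, e.g. `# sha256 intentionally omitted to exercise the optional-checksum path; real policies should pin a digest`. A URL that references a fixed commit instead of `main` would also keep the fetched content from changing underneath the test.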
--- a/test/e2e/tests/authorization_client_ip.go +++ b/test/e2e/tests/authorization_client_ip.go @@ -26,7 +26,7 @@ func init() { } var AuthorizationClientIPTest = suite.ConformanceTest{ - ShortName: "Authorization with client IP", + ShortName: "AuthzWithClientIP", Description: "Authorization with client IP Allow/Deny list", Manifests: []string{"testdata/authorization-client-ip.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/authorization_default_action.go b/test/e2e/tests/authorization_default_action.go index 88462808dd9..81345fa3ee9 100644 --- a/test/e2e/tests/authorization_default_action.go +++ b/test/e2e/tests/authorization_default_action.go @@ -26,7 +26,7 @@ func init() { } var AuthorizationDefaultActionTest = suite.ConformanceTest{ - ShortName: "Authorization with default actions", + ShortName: "AuthzWithDefaultActions", Description: "Authorization with default actions", Manifests: []string{"testdata/authorization-default-action.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/authorization_jwt.go b/test/e2e/tests/authorization_jwt.go index 66f5a526a2d..635bdbc451c 100644 --- a/test/e2e/tests/authorization_jwt.go +++ b/test/e2e/tests/authorization_jwt.go @@ -59,7 +59,7 @@ func init() { } var AuthorizationJWTTest = suite.ConformanceTest{ - ShortName: "Authorization with jwt claims and scopes", + ShortName: "AuthzWithJWTClaimsScopes", Description: "Authorization with jwt claims and scopes", Manifests: []string{"testdata/authorization-jwt.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/backend_tls_settings.go b/test/e2e/tests/backend_tls_settings.go index e007a791fdd..6545be196da 100644 --- a/test/e2e/tests/backend_tls_settings.go +++ b/test/e2e/tests/backend_tls_settings.go 
@@ -46,7 +46,7 @@ func init() { } var BackendTLSSettingsTest = suite.ConformanceTest{ - ShortName: "Backend tls settings", + ShortName: "BackendTLSSettings", Description: "Use envoy proxy tls settings with backend", Manifests: []string{"testdata/backend-tls-settings.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/direct-response.go b/test/e2e/tests/direct-response.go new file mode 100644 index 00000000000..12c667fdd30 --- /dev/null +++ b/test/e2e/tests/direct-response.go @@ -0,0 +1,38 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, DirectResponseTest) +} + +var DirectResponseTest = suite.ConformanceTest{ + ShortName: "DirectResponse", + Description: "Direct", + Manifests: []string{"testdata/direct-response.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("direct response", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "direct-response", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN) + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/inline", "text/plain", "Oops! Your request is not found.") + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/value-ref", "application/json", `{"error": "Internal Server Error"}`) + }) + }, +} 
diff --git a/test/e2e/tests/gateway_infra_resource.go b/test/e2e/tests/gateway_infra_resource.go index 213b6de1238..0a92f9d311e 100644 --- a/test/e2e/tests/gateway_infra_resource.go +++ b/test/e2e/tests/gateway_infra_resource.go @@ -27,7 +27,7 @@ func init() { } var GatewayInfraResourceTest = suite.ConformanceTest{ - ShortName: "GatewayInfraResourceTest", + ShortName: "GatewayInfraResource", Description: "Gateway Infra Resource E2E Test", Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { gatewayTypeMeta := metav1.TypeMeta{ diff --git a/test/e2e/tests/gatewayt-with-envoyproxy.go b/test/e2e/tests/gatewayt-with-envoyproxy.go new file mode 100644 index 00000000000..ec9f7252a5e --- /dev/null +++ b/test/e2e/tests/gatewayt-with-envoyproxy.go 
@@ -0,0 +1,59 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "context" + "testing" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, GatewayWithEnvoyProxy) +} + +var GatewayWithEnvoyProxy = suite.ConformanceTest{ + ShortName: "GatewayWithEnvoyProxy", + Description: "Attach an EnvoyProxy to a Gateway", + Manifests: []string{"testdata/gateway-with-envoyproxy.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("Attach an EnvoyProxy to a Gateway and set RoutingType to Service", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "http-route", Namespace: ns} + gwNN := types.NamespacedName{Name: "gateway-with-envoyproxy", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + backendNN := types.NamespacedName{Name: "infra-backend-v1", Namespace: ns} + svc := corev1.Service{} + require.NoError(t, suite.Client.Get(context.Background(), backendNN, &svc)) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/basic-auth-1", + }, + Response: http.Response{ + StatusCode: 200, + + // Verify that the RouteType is set to Service by the attached EnvoyProxy + Headers: map[string]string{ + "upstream-host": svc.Spec.ClusterIP + ":8080", + }, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + }, +} 
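Review bot: The expected header value `svc.Spec.ClusterIP + ":8080"` is built by plain concatenation, which gives an unbracketed host:port if the ClusterIP is ever an IPv6 address; the workflow change in this same commit introduces an `ipFamily` matrix with a commented-out `ipv6` entry, so this is likely to surface once that entry is enabled. Use `net.JoinHostPort(svc.Spec.ClusterIP, "8080")` and add `"net"` to the import block. Separately, the request path `/basic-auth-1` and the comment's `RouteType` look carried over from another test: the route in gateway-with-envoyproxy.yaml matches `/` and the field is `routingType`, so `Path: "/"` and `// Verify that routingType is set to Service by the attached EnvoyProxy` would read more accurately.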
diff --git a/test/e2e/tests/oidc-backendcluster.go b/test/e2e/tests/oidc-backendcluster.go index b2bcc93cecb..146c5f194ab 100644 --- a/test/e2e/tests/oidc-backendcluster.go +++ b/test/e2e/tests/oidc-backendcluster.go @@ -18,7 +18,7 @@ func init() { ConformanceTests = append(ConformanceTests, OIDCBackendClusterTest) } -// OIDCTest tests OIDC authentication for an http route with OIDC configured. +// OIDCBackendClusterTest tests OIDC authentication for an http route with OIDC configured. // The http route points to an application to verify that OIDC authentication works on application/http path level. var OIDCBackendClusterTest = suite.ConformanceTest{ ShortName: "OIDC with BackendCluster", @@ -26,12 +26,7 @@ var OIDCBackendClusterTest = suite.ConformanceTest{ Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy-backendcluster.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("oidc provider represented by a BackendCluster", func(t *testing.T) { - // Add a function to dump current cluster status - t.Cleanup(func() { - CollectAndDump(t, suite.RestConfig) - }) - - testOIDC(t, suite) + testOIDC(t, suite, "testdata/oidc-securitypolicy-backendcluster.yaml") }) }, } diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index f03512c1e27..ccc11bc02c5 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go @@ -17,6 +17,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -26,6 +27,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) 
@@ -48,12 +50,7 @@ var OIDCTest = suite.ConformanceTest{ Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("oidc provider represented by a URL", func(t *testing.T) { - // Add a function to dump current cluster status - t.Cleanup(func() { - CollectAndDump(t, suite.RestConfig) - }) - - testOIDC(t, suite) + testOIDC(t, suite, "testdata/oidc-securitypolicy.yaml") }) t.Run("http route without oidc authentication", func(t *testing.T) { @@ -97,7 +94,7 @@ var OIDCTest = suite.ConformanceTest{ }, } -func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { +func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyManifest string) { var ( testURL = "http://www.example.com/myapp" logoutURL = "http://www.example.com/myapp/logout" @@ -124,7 +121,7 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { WaitForPods(t, suite.Client, ns, map[string]string{"job-name": "setup-keycloak"}, corev1.PodSucceeded, podInitialized) // Initialize the test OIDC client that will keep track of the state of the OIDC login process - client, err := NewOIDCTestClient( + oidcClient, err := NewOIDCTestClient( WithLoggingOptions(t.Log, true), // Map the application and keycloak cluster DNS name to the gateway address WithCustomAddressMappings(map[string]string{ 
@@ -140,13 +137,31 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { // Send a request to the http route with OIDC configured. // It will be redirected to the keycloak login page - res, err := client.Get(testURL, true) - require.NoError(t, err, "Failed to get the login page") - require.Equal(t, 200, res.StatusCode, "Expected 200 OK") + res, err := oidcClient.Get(testURL, true) + if err != nil { + tlog.Logf(t, "failed to get the login page: %v", err) + return false, nil + } + if res.StatusCode != http.StatusOK { + tlog.Logf(t, "Failed to get the login page, expected 200 OK, got %d", res.StatusCode) + return false, nil + } // Parse the response body to get the URL where the login page would post the user-entered credentials - if err := client.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil { + if err := oidcClient.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil { tlog.Logf(t, "failed to parse login form: %v", err) + // recreate the security policy to force repushing the configuration to the envoy proxy to recover from the error. + // This is a workaround for the flaky test: https://github.com/envoyproxy/gateway/issues/3898 + // TODO: we should investigate the root cause of the flakiness and remove this workaround + existingSP := &egv1a1.SecurityPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: ns, + Name: sp, + }, + } + require.NoError(t, suite.Client.Delete(context.TODO(), existingSP)) + suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, securityPolicyManifest, false) + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: sp, Namespace: ns}, suite.ControllerName, ancestorRef) return false, nil } 
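Review bot: The workaround runs `require.NoError(t, suite.Client.Delete(context.TODO(), existingSP))` inside what appears to be a polling callback (the surrounding branches return `false, nil` to retry), so a NotFound on a later pass aborts the test instead of retrying. Tolerating that case keeps the retry meaningful, for example `if err := suite.Client.Delete(context.TODO(), existingSP); err != nil && !apierrors.IsNotFound(err) { return false, err }`, where `apierrors` is `k8s.io/apimachinery/pkg/api/errors` and the import block is outside this hunk. Each pass through this branch also registers another cleanup through `MustApplyWithCleanup`. Because this is the OIDC enforcement test, logging the response status and a short body excerpt when no login form is found would make a protected route that answers 200 without a redirect to the IdP distinguishable from a transient configuration push. The enclosing `testOIDC` function and the poll call start outside the hunk.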
@@ -158,7 +173,7 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { // Submit the login form to the IdP. // This will authenticate and redirect back to the application - res, err := client.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) + res, err := oidcClient.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) require.NoError(t, err, "Failed to login to the IdP") // Verify that we get the expected response from the application @@ -168,14 +183,14 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") // Verify that we can access the application without logging in again - res, err = client.Get(testURL, false) + res, err = oidcClient.Get(testURL, false) require.NoError(t, err) require.Equal(t, http.StatusOK, res.StatusCode) require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") // Verify that we can logout // Note: OAuth2 filter just clears its cookies and does not log out from the IdP. - res, err = client.Get(logoutURL, false) + res, err = oidcClient.Get(logoutURL, false) require.NoError(t, err) require.Equal(t, http.StatusFound, res.StatusCode) diff --git a/test/e2e/tests/preservecase.go b/test/e2e/tests/preservecase.go index 82e865aaad0..6c81dfe5092 100644 --- a/test/e2e/tests/preservecase.go +++ b/test/e2e/tests/preservecase.go @@ -17,6 +17,7 @@ import ( "regexp" "testing" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" 
@@ -101,7 +102,7 @@ func casePreservingRoundTrip(request roundtripper.Request, transport nethttp.Rou } var PreserveCaseTest = suite.ConformanceTest{ - ShortName: "Preserve Case", + ShortName: "PreserveCase", Description: "Preserve header cases", Manifests: []string{"testdata/preserve-case.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { @@ -111,6 +112,7 @@ var PreserveCaseTest = suite.ConformanceTest{ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + WaitForPods(t, suite.Client, "gateway-preserve-case-backend", map[string]string{"app": "preserve-case"}, corev1.PodRunning, PodReady) // Can't use the standard method for checking the response, since the remote side isn't the // conformance echo server and it returns a differently formatted response. expectedResponse := http.ExpectedResponse{ diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index d1e18f74b92..17ce6d245cf 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go @@ -9,7 +9,6 @@ package tests import ( "context" - "fmt" "net" "testing" "time" @@ -495,7 +494,7 @@ var RateLimitMultipleListenersTest = suite.ConformanceTest{ gwPorts := []string{"80", "8080"} for _, port := range gwPorts { - gwAddr = fmt.Sprintf("%s:%s", gwIP, port) + gwAddr = net.JoinHostPort(gwIP, port) ratelimitHeader := make(map[string]string) expectOkResp := http.ExpectedResponse{ diff --git a/test/e2e/tests/response-override.go b/test/e2e/tests/response-override.go index b21db88e242..c7c12bd2c10 100644 --- a/test/e2e/tests/response-override.go +++ b/test/e2e/tests/response-override.go 
@@ -8,18 +8,20 @@ package tests import ( - "fmt" "io" "net/http" "net/url" "testing" + "time" "k8s.io/apimachinery/pkg/types" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/gateway-api/conformance/utils/config" httputils "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" + "sigs.k8s.io/gateway-api/conformance/utils/tlog" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" 
@@ -47,37 +49,47 @@ var ResponseOverrideTest = suite.ConformanceTest{ Name: gwapiv1.ObjectName(gwNN.Name), } BackendTrafficPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "response-override", Namespace: ns}, suite.ControllerName, ancestorRef) - verifyResponseOverride(t, gwAddr, 404, "text/plain", "Oops! Your request is not found.") - verifyResponseOverride(t, gwAddr, 500, "application/json", `{"error": "Internal Server Error"}`) + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/404", "text/plain", "Oops! Your request is not found.") + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/500", "application/json", `{"error": "Internal Server Error"}`) }) }, } -func verifyResponseOverride(t *testing.T, gwAddr string, statusCode int, expectedContentType string, expectedBody string) { +func verifyCustomResponse(t *testing.T, timeoutConfig config.TimeoutConfig, gwAddr, path, expectedContentType, expectedBody string) { reqURL := url.URL{ Scheme: "http", Host: httputils.CalculateHost(t, gwAddr, "http"), - Path: fmt.Sprintf("/status/%d", statusCode), + Path: path, } - rsp, err := http.Get(reqURL.String()) - if err != nil { - t.Fatalf("failed to get response: %v", err) - } + httputils.AwaitConvergence(t, timeoutConfig.RequiredConsecutiveSuccesses, timeoutConfig.MaxTimeToConsistency, func(elapsed time.Duration) bool { + rsp, err := http.Get(reqURL.String()) + if err != nil { + tlog.Logf(t, "failed to get response: %v", err) + return false + } - // Verify that the response body is overridden - defer rsp.Body.Close() - body, err := io.ReadAll(rsp.Body) - if err != nil { - t.Fatalf("failed to read response body: %v", err) - } - if string(body) != expectedBody { - t.Errorf("expected response body to be %s but got %s", expectedBody, string(body)) - } + // Verify that the response body is overridden + defer rsp.Body.Close() + body, err := io.ReadAll(rsp.Body) + if err != nil { + tlog.Logf(t, "failed to read response body: %v", err) + return 
false + } + if string(body) != expectedBody { + tlog.Logf(t, "expected response body to be %s but got %s", expectedBody, string(body)) + return false + } - // Verify that the content type is overridden - contentType := rsp.Header.Get("Content-Type") - if contentType != expectedContentType { - t.Errorf("expected content type to be %s but got %s", expectedContentType, contentType) - } + // Verify that the content type is overridden + contentType := rsp.Header.Get("Content-Type") + if contentType != expectedContentType { + tlog.Logf(t, "expected content type to be %s but got %s", expectedContentType, contentType) + return false + } + + return true + }) + + tlog.Logf(t, "Request passed") } diff --git a/test/e2e/tests/wasm_http.go b/test/e2e/tests/wasm_http.go index e5ef2e14c82..824e9b3d2f4 100644 --- a/test/e2e/tests/wasm_http.go +++ b/test/e2e/tests/wasm_http.go 
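Review bot: `http.Get` inside the `AwaitConvergence` callback goes through `http.DefaultClient`, which has no timeout, so one stalled connection can hold the callback well past `MaxTimeToConsistency`. A bounded client avoids that: `client := &http.Client{Timeout: timeoutConfig.RequestTimeout}` before the call and `rsp, err := client.Get(reqURL.String())` inside the callback. The callback also never compares `rsp.StatusCode`, so a response with the expected body and content type but an unexpected status would count as a success; taking the expected status as a parameter again and checking it would close that gap.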
@@ -27,54 +27,16 @@ func init() { // HTTPWasmTest tests Wasm extension for an http route with HTTP Wasm configured. var HTTPWasmTest = suite.ConformanceTest{ - ShortName: "Wasm HTTP Code Source", + ShortName: "WasmHTTPCodeSource", Description: "Test Wasm extension that adds response headers", Manifests: []string{"testdata/wasm-http.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("http route with http wasm source", func(t *testing.T) { - ns := "gateway-conformance-infra" - routeNN := types.NamespacedName{Name: "http-with-http-wasm-source", Namespace: ns} - gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} - gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) - - ancestorRef := gwapiv1a2.ParentReference{ - Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(resource.KindGateway), - Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), - Name: gwapiv1.ObjectName(gwNN.Name), - } - EnvoyExtensionPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "http-wasm-source-test", Namespace: ns}, suite.ControllerName, ancestorRef) - - expectedResponse := http.ExpectedResponse{ - Request: http.Request{ - Host: "www.example.com", - Path: "/wasm-http", - }, - - // Set the expected request properties to empty strings. - // This is a workaround to avoid the test failure. - // These values can't be extracted from the json format response - // body because the test wasm code appends a "Hello, world" text - // to the response body, invalidating the json format. 
- ExpectedRequest: &http.ExpectedRequest{ - Request: http.Request{ - Host: "", - Method: "", - Path: "", - Headers: nil, - }, - }, - Namespace: "", - - Response: http.Response{ - StatusCode: 200, - Headers: map[string]string{ - "x-wasm-custom": "FOO", // response header added by wasm - }, - }, - } + testWasmHTTPCodeSource(t, suite, "http-with-http-wasm-source", "http-wasm-source-test", "/wasm-http") + }) - http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + t.Run("http route with http wasm source no sha", func(t *testing.T) { + testWasmHTTPCodeSource(t, suite, "http-with-http-wasm-source-no-sha", "http-wasm-source-test-no-sha", "/wasm-http-no-sha") }) t.Run("http route without wasm", func(t *testing.T) { 
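Review bot: The new `http route with http wasm source no sha` case carries no comment saying what it is meant to guard. Judging by the route and policy names, it covers a Wasm module fetched over HTTP with no pinned SHA256, which is the code-source configuration with the weakest integrity guarantee, so the intent belongs next to the `t.Run`, for example `// No sha256 configured: the module is loaded without a pinned digest; this only checks that the filter still applies.`. The `testWasmHTTPCodeSource` helper added in the following hunk would also benefit from a doc comment naming its `route`, `eep` and `path` parameters. The manifest `testdata/wasm-http.yaml` is not shown here, so the exact policy fields should be confirmed there.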
@@ -115,3 +77,49 @@ var HTTPWasmTest = suite.ConformanceTest{ }) }, } + +func testWasmHTTPCodeSource(t *testing.T, suite *suite.ConformanceTestSuite, route, eep, path string) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: route, Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(resource.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + EnvoyExtensionPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: eep, Namespace: ns}, suite.ControllerName, ancestorRef) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: path, + }, + + // Set the expected request properties to empty strings. + // This is a workaround to avoid the test failure. + // These values can't be extracted from the json format response + // body because the test wasm code appends a "Hello, world" text + // to the response body, invalidating the json format. + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "", + Method: "", + Path: "", + Headers: nil, + }, + }, + Namespace: "", + + Response: http.Response{ + StatusCode: 200, + Headers: map[string]string{ + "x-wasm-custom": "FOO", // response header added by wasm + }, + }, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) +} diff --git a/test/e2e/tests/wasm_oci.go b/test/e2e/tests/wasm_oci.go index 4a6a53f6603..514ab937352 100644 --- a/test/e2e/tests/wasm_oci.go +++ b/test/e2e/tests/wasm_oci.go @@ -15,6 +15,7 @@ import ( "errors" "fmt" "io" + "net" "testing" "time" 
@@ -60,7 +61,7 @@ func init() { // OCIWasmTest tests Wasm extension for an http route with OCI Wasm configured. var OCIWasmTest = suite.ConformanceTest{ - ShortName: "Wasm OCI Image Code Source", + ShortName: "WasmOCIImageCodeSource", Description: "Test OCI Wasm extension", Manifests: []string{"testdata/wasm-oci.yaml", "testdata/wasm-oci-registry-test-server.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { @@ -70,7 +71,7 @@ var OCIWasmTest = suite.ConformanceTest{ if err != nil { t.Fatalf("failed to get registry IP: %v", err) } - registryAddr := fmt.Sprintf("%s:5000", registryIP) + registryAddr := net.JoinHostPort(registryIP, "5000") // Push the wasm image to the registry digest := pushWasmImageForTest(t, suite, registryAddr) diff --git a/test/helm/gateway-addons-helm/e2e.in.yaml b/test/helm/gateway-addons-helm/e2e.in.yaml index 93ce0d8d622..bf913c259a9 100644 --- a/test/helm/gateway-addons-helm/e2e.in.yaml +++ b/test/helm/gateway-addons-helm/e2e.in.yaml @@ -1,4 +1,8 @@ +alloy: + enabled: true grafana: enabled: false opentelemetry-collector: enabled: true +fluent-bit: + enabled: false diff --git a/test/helm/gateway-addons-helm/e2e.out.yaml b/test/helm/gateway-addons-helm/e2e.out.yaml index 1e7c8fda8ff..5a2f32ed2c8 100644 --- a/test/helm/gateway-addons-helm/e2e.out.yaml +++ b/test/helm/gateway-addons-helm/e2e.out.yaml 
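Review bot: Enabling `alloy` in place of `fluent-bit` in e2e.in.yaml widens the log collector's cluster permissions, and nothing in the values file says so. In the rendered e2e.out.yaml of this commit the `alloy` ClusterRole has get/list/watch on `secrets`, `configmaps`, `events` and `nodes/proxy`, whereas the fluent-bit role it replaces read only `namespaces` and `pods`. The rendered `config.alloy` uses only `discovery.kubernetes` and `loki.source.kubernetes`, for which the `pods`, `pods/log` and `namespaces` rules appear sufficient. I would add a comment above the key, `# alloy's default ClusterRole includes cluster-wide read on secrets; narrow it if the chart allows`, and check whether the subchart offers a way to trim the rules, which is not visible here.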
@@ -1,16 +1,19 @@ --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/serviceaccount.yaml +# Source: gateway-addons-helm/charts/alloy/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: fluent-bit + name: alloy namespace: monitoring labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: rbac --- # Source: gateway-addons-helm/charts/loki/templates/serviceaccount.yaml apiVersion: v1 
@@ -69,73 +72,117 @@ metadata: app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/configmap.yaml +# Source: gateway-addons-helm/charts/alloy/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: fluent-bit - namespace: monitoring + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: config data: - custom_parsers.conf: | - [PARSER] - Name docker_no_time - Format json - Time_Keep Off - Time_Key time - Time_Format %Y-%m-%dT%H:%M:%S.%L + config.alloy: |- + // Write your Alloy config here: + logging { + level = "info" + format = "logfmt" + } + loki.write "alloy" { + endpoint { + url = "http://loki.monitoring.svc:3100/loki/api/v1/push" + } + } + // discovery.kubernetes allows you to find scrape targets from Kubernetes resources. + // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster. + discovery.kubernetes "pod" { + role = "pod" + } - fluent-bit.conf: | - [SERVICE] - Daemon Off - Flush 1 - Log_Level info - Parsers_File parsers.conf - Parsers_File custom_parsers.conf - HTTP_Server On - HTTP_Listen 0.0.0.0 - HTTP_Port 2020 - Health_Check On + // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules. + // If no rules are defined, then the input targets are exported as-is. 
+ discovery.relabel "pod_logs" { + targets = discovery.kubernetes.pod.targets - [INPUT] - Name tail - Path /var/log/containers/*.log - multiline.parser docker, cri - Tag kube.* - Mem_Buf_Limit 5MB - Skip_Long_Lines On + // Label creation - "namespace" field from "__meta_kubernetes_namespace" + rule { + source_labels = ["__meta_kubernetes_namespace"] + action = "replace" + target_label = "namespace" + } - [FILTER] - Name kubernetes - Match kube.* - Merge_Log On - Keep_Log Off - K8S-Logging.Parser On - K8S-Logging.Exclude On + // Label creation - "pod" field from "__meta_kubernetes_pod_name" + rule { + source_labels = ["__meta_kubernetes_pod_name"] + action = "replace" + target_label = "pod" + } - [FILTER] - Name grep - Match kube.* - Regex $kubernetes['container_name'] ^envoy$ + // Label creation - "container" field from "__meta_kubernetes_pod_container_name" + rule { + source_labels = ["__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "container" + } - [FILTER] - Name parser - Match kube.* - Key_Name log - Parser envoy - Reserve_Data True + // Label creation - "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name" + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"] + action = "replace" + target_label = "app" + } + + // Label creation - "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name + rule { + source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "job" + separator = "/" + replacement = "$1" + } - [OUTPUT] - Name loki - Match kube.* - Host loki.monitoring.svc.cluster.local - Port 3100 - Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name'] + // Label creation 
- "container" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log + rule { + source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "__path__" + separator = "/" + replacement = "/var/log/pods/*$1/*.log" + } + + // Label creation - "container_runtime" field from "__meta_kubernetes_pod_container_id" + rule { + source_labels = ["__meta_kubernetes_pod_container_id"] + action = "replace" + target_label = "container_runtime" + regex = "^(\\S+):\\/\\/.+$" + replacement = "$1" + } + } + + // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API. + loki.source.kubernetes "pod_logs" { + targets = discovery.relabel.pod_logs.output + forward_to = [loki.process.pod_logs.receiver] + } + // loki.process receives log entries from other Loki components, applies one or more processing stages, + // and forwards the results to the list of receivers in the component’s arguments. + loki.process "pod_logs" { + stage.static_labels { + values = { + cluster = "envoy-gateway", + } + } + + forward_to = [loki.write.alloy.receiver] + } --- # Source: gateway-addons-helm/charts/loki/templates/configmap.yaml apiVersion: v1 @@ -237,10 +284,10 @@ data: tls: insecure: true prometheus: - endpoint: 0.0.0.0:19001 + endpoint: '[${env:MY_POD_IP}]:19001' extensions: health_check: - endpoint: ${env:MY_POD_IP}:13133 + endpoint: '[${env:MY_POD_IP}]:13133' processors: attributes: actions: 
@@ -254,21 +301,21 @@ data: spike_limit_percentage: 25 receivers: datadog: - endpoint: ${env:MY_POD_IP}:8126 + endpoint: '[${env:MY_POD_IP}]:8126' jaeger: protocols: grpc: - endpoint: ${env:MY_POD_IP}:14250 + endpoint: '[${env:MY_POD_IP}]:14250' thrift_compact: - endpoint: ${env:MY_POD_IP}:6831 + endpoint: '[${env:MY_POD_IP}]:6831' thrift_http: - endpoint: ${env:MY_POD_IP}:14268 + endpoint: '[${env:MY_POD_IP}]:14268' otlp: protocols: grpc: - endpoint: ${env:MY_POD_IP}:4317 + endpoint: '[${env:MY_POD_IP}]:4317' http: - endpoint: ${env:MY_POD_IP}:4318 + endpoint: '[${env:MY_POD_IP}]:4318' prometheus: config: scrape_configs: @@ -276,9 +323,9 @@ data: scrape_interval: 10s static_configs: - targets: - - ${env:MY_POD_IP}:8888 + - '[${env:MY_POD_IP}]:8888' zipkin: - endpoint: ${env:MY_POD_IP}:9411 + endpoint: '[${env:MY_POD_IP}]:9411' service: extensions: - health_check @@ -311,7 +358,7 @@ data: - zipkin telemetry: metrics: - address: ${env:MY_POD_IP}:8888 + address: '[${env:MY_POD_IP}]:8888' --- # Source: gateway-addons-helm/charts/prometheus/templates/cm.yaml apiVersion: v1 
@@ -9298,27 +9345,105 @@ data: "uid": "f7aeb41676b7865cf31ae49691325f91" } --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/clusterrole.yaml +# Source: gateway-addons-helm/charts/alloy/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: fluent-bit + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: rbac rules: + # Rules which allow discovery.kubernetes to function. - apiGroups: - "" + - "discovery.k8s.io" + - "networking.k8s.io" resources: - - namespaces + - endpoints + - endpointslices + - ingresses + - nodes + - nodes/proxy + - nodes/metrics - pods + - services + verbs: + - get + - list + - watch + # Rules which allow loki.source.kubernetes and loki.source.podlogs to work. + - apiGroups: + - "" + resources: + - pods + - pods/log + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - "monitoring.grafana.com" + resources: + - podlogs + verbs: + - get + - list + - watch + # Rules which allow mimir.rules.kubernetes to work. + - apiGroups: ["monitoring.coreos.com"] + resources: + - prometheusrules + verbs: + - get + - list + - watch + - nonResourceURLs: + - /metrics + verbs: + - get + # Rules for prometheus.kubernetes.* + - apiGroups: ["monitoring.coreos.com"] + resources: + - podmonitors + - servicemonitors + - probes + verbs: + - get + - list + - watch + # Rules which allow eventhandler to work. 
+ - apiGroups: + - "" + resources: + - events verbs: - get - list - watch + # needed for remote.kubernetes.* + - apiGroups: [""] + resources: + - "configmaps" + - "secrets" + verbs: + - get + - list + - watch + # needed for otelcol.processor.k8sattributes + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] --- # Source: gateway-addons-helm/charts/prometheus/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -9372,24 +9497,27 @@ rules: verbs: - get --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/clusterrolebinding.yaml +# Source: gateway-addons-helm/charts/alloy/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: fluent-bit + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: rbac roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: fluent-bit + name: alloy subjects: - kind: ServiceAccount - name: fluent-bit + name: alloy namespace: monitoring --- # Source: gateway-addons-helm/charts/prometheus/templates/clusterrolebinding.yaml 
@@ -9414,28 +9542,31 @@ roleRef: kind: ClusterRole name: prometheus --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/service.yaml +# Source: gateway-addons-helm/charts/alloy/templates/service.yaml apiVersion: v1 kind: Service metadata: - name: fluent-bit - namespace: monitoring + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: networking spec: type: ClusterIP - ports: - - port: 2020 - targetPort: http - protocol: TCP - name: http selector: - app.kubernetes.io/name: fluent-bit + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm + internalTrafficPolicy: Cluster + ports: + - name: http-metrics + port: 12345 + targetPort: 12345 + protocol: "TCP" --- # Source: gateway-addons-helm/charts/loki/templates/service-memberlist.yaml apiVersion: v1 
@@ -9651,84 +9782,82 @@ spec: app.kubernetes.io/name: tempo app.kubernetes.io/instance: gateway-addons-helm --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/daemonset.yaml +# Source: gateway-addons-helm/charts/alloy/templates/controllers/daemonset.yaml apiVersion: apps/v1 kind: DaemonSet metadata: - name: fluent-bit - namespace: monitoring + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy spec: + minReadySeconds: 10 selector: matchLabels: - app.kubernetes.io/name: fluent-bit + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm template: metadata: annotations: - checksum/config: 03d122555879033ccf6443369f73463490b100f195550b1483d337f497c749e3 - checksum/luascripts: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - fluentbit.io/exclude: "true" - prometheus.io/path: /api/v1/metrics/prometheus - prometheus.io/port: "2020" - prometheus.io/scrape: "true" + kubectl.kubernetes.io/default-container: alloy labels: - app.kubernetes.io/name: fluent-bit + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm spec: - serviceAccountName: fluent-bit - hostNetwork: false - dnsPolicy: ClusterFirst + serviceAccountName: alloy containers: - - name: fluent-bit - image: "fluent/fluent-bit:2.1.4" - imagePullPolicy: Always + - name: alloy + image: docker.io/grafana/alloy:v1.4.3 + imagePullPolicy: IfNotPresent + args: + - run + - /etc/alloy/config.alloy + - --storage.path=/tmp/alloy + - --server.http.listen-addr=0.0.0.0:12345 + - --server.http.ui-path-prefix=/ + - --stability.level=generally-available + env: + - name: ALLOY_DEPLOY_MODE + value: "helm" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: 
spec.nodeName ports: - - name: http - containerPort: 2020 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http + - containerPort: 12345 + name: http-metrics readinessProbe: httpGet: - path: /api/v1/health - port: http + path: /-/ready + port: 12345 + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 volumeMounts: - - mountPath: /fluent-bit/etc/fluent-bit.conf - name: config - subPath: fluent-bit.conf - - mountPath: /fluent-bit/etc/custom_parsers.conf - name: config - subPath: custom_parsers.conf - - mountPath: /var/log - name: varlog - - mountPath: /var/lib/docker/containers - name: varlibdockercontainers - readOnly: true - - mountPath: /etc/machine-id - name: etcmachineid - readOnly: true + - name: config + mountPath: /etc/alloy + - name: config-reloader + image: ghcr.io/jimmidyson/configmap-reload:v0.12.0 + args: + - --volume-dir=/etc/alloy + - --webhook-url=http://localhost:12345/-/reload + volumeMounts: + - name: config + mountPath: /etc/alloy + resources: + requests: + cpu: 1m + memory: 5Mi + dnsPolicy: ClusterFirst volumes: - name: config configMap: - name: fluent-bit - - hostPath: - path: /var/log - name: varlog - - hostPath: - path: /var/lib/docker/containers - name: varlibdockercontainers - - hostPath: - path: /etc/machine-id - type: File - name: etcmachineid + name: alloy --- # Source: gateway-addons-helm/charts/opentelemetry-collector/templates/deployment.yaml apiVersion: apps/v1 @@ -9756,7 +9885,7 @@ spec: template: metadata: annotations: - checksum/config: 270a8503091b51a264317115cf6df46b4501b03fc135eca95b93dca57a522a70 + checksum/config: 77c11cf41a890ec6a75a644880450d53887eca3e37511c3139cf0b3e8ebbe1ee labels: app.kubernetes.io/name: opentelemetry-collector diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index f0c1e0d1309..37d0212f719 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml 
+++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -563,8 +563,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index ab0c09e3ed3..69f08e1dbb7 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -447,8 +447,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -578,8 +578,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 655c1b7fbeb..6e1b1846bae 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -563,8 +563,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 879ca6a2351..0bc5809337c 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml 
@@ -460,8 +460,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -591,8 +591,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 28eba2f209e..f99a89039d8 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 28375ac5bf0..3757e360d95 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -564,8 +564,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-securitycontext.in.yaml b/test/helm/gateway-helm/deployment-securitycontext.in.yaml new file mode 100644 index 00000000000..47b8d1cec23 --- /dev/null +++ b/test/helm/gateway-helm/deployment-securitycontext.in.yaml 
@@ -0,0 +1,32 @@ +global: + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always +deployment: + envoyGateway: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault +certgen: + job: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml new file mode 100644 index 00000000000..e98bd1e9730 --- /dev/null +++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml 
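Review bot: A partial override is not covered by this fixture. Both `deployment.envoyGateway.securityContext` and `certgen.job.securityContext` restate every hardening field, and only `runAsUser`/`runAsGroup` (1000) differ from the values in the other golden files on this page. Whether the chart merges user values over its defaults or replaces the map wholesale is not visible here; if it replaces, a values file that sets only `runAsUser` would render without `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `seccompProfile`. A second fixture holding only `runAsUser: 1000` under each key would pin that behaviour in the golden output. A leading comment such as `# Full override on purpose: only runAsUser/runAsGroup differ from the chart defaults.` would explain why this fixture is exhaustive.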
@@ -0,0 +1,574 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- 
apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: 
gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - deletecollection + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: 
gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + 
prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + 
"helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: 
docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index e401a1062ee..fb1e51f2209 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -434,8 +434,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 14129b666b6..ebcda594b19 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -436,8 +436,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -569,8 +569,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index 64676e18497..9d37bdffcde 100644 --- a/test/helm/gateway-helm/service-annotations.out.yaml 
+++ b/test/helm/gateway-helm/service-annotations.out.yaml @@ -434,8 +434,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/tools/crd-ref-docs/config.yaml b/tools/crd-ref-docs/config.yaml index f63d53b2bf0..c29ec42ff40 100644 --- a/tools/crd-ref-docs/config.yaml +++ b/tools/crd-ref-docs/config.yaml @@ -1,7 +1,7 @@ processor: # RE2 regular expressions describing types that should be excluded from the generated documentation. ignoreTypes: - - "(EnvoyProxy)List$" + - "(.+)List$" # RE2 regular expressions describing type fields that should be excluded from the generated documentation. ignoreFields: - "TypeMeta$" diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 1f5ad0cb8d0..5fef537da10 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -4,7 +4,7 @@ RUN mkdir -p /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot@sha256:26f9b99f2463f55f20db19feb4d96eb88b056e0f1be7016bb9296a464a89d772 +FROM gcr.io/distroless/static:nonroot@sha256:3a03fc0826340c7deb82d4755ca391bef5adcedb8892e58412e1a6008199fa91 ARG TARGETPLATFORM COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source --chown=65532:65532 /var/lib /var/lib diff --git a/tools/github-actions/setup-deps/action.yaml b/tools/github-actions/setup-deps/action.yaml index 7de23aac7ec..6dca9f5e1c3 100644 --- a/tools/github-actions/setup-deps/action.yaml +++ b/tools/github-actions/setup-deps/action.yaml 
@@ -6,7 +6,7 @@ runs: steps: - shell: bash run: sudo apt-get install libbtrfs-dev -y - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.1 + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.0.1 with: go-version: 1.23.x cache: true diff --git a/tools/make/common.mk b/tools/make/common.mk index 4d5d42a7626..4eca7ce06ec 100644 --- a/tools/make/common.mk +++ b/tools/make/common.mk @@ -79,6 +79,7 @@ include tools/make/kube.mk include tools/make/docs.mk include tools/make/helm.mk include tools/make/proto.mk +include tools/make/examples.mk # Log the running target LOG_TARGET = echo -e "\033[0;32m===========> Running $@ ... \033[0m" diff --git a/tools/make/examples.mk b/tools/make/examples.mk new file mode 100644 index 00000000000..5caf9846e63 --- /dev/null +++ b/tools/make/examples.mk @@ -0,0 +1,20 @@ + +EXAMPLE_APPS := grpc-ext-auth envoy-als grpc-ext-proc http-ext-auth preserve-case-backend +EXAMPLE_IMAGE_PREFIX ?= envoyproxy/gateway- +EXAMPLE_TAG ?= latest + +.PHONY: kube-build-examples-image +kube-build-examples-image: + @$(LOG_TARGET) + @for app in $(EXAMPLE_APPS); do \ + pushd $(ROOT_DIR)/examples/$$app; \ + make docker-buildx; \ + popd; \ + done + +.PHONY: kube-install-examples-image +kube-install-examples-image: kube-build-examples-image + @$(LOG_TARGET) + @for app in $(EXAMPLE_APPS); do \ + tools/hack/kind-load-image.sh $(EXAMPLE_IMAGE_PREFIX)$$app $(EXAMPLE_TAG); \ + done \ No newline at end of file diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 430084dc544..d53c1931360 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk 
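Review bot: The trailing `# v5.0.1` comment on the `actions/setup-go` line was left unchanged although the pinned commit SHA changed, so the comment no longer tells a reader which release is pinned. With SHA pinning, that comment is the only human-readable handle for auditing the pin, and a stale one hides what actually runs in CI. Set it to the tag the new SHA resolves to: `- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # <tag-for-this-sha>`.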
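Review bot: A failed image build is swallowed by the `for` loop in `kube-build-examples-image`. The commands are joined with `;`, so the recipe exits with the status of the last `popd`, and `kube-install-examples-image` can then load a stale or missing image into kind. The `kind-load-image.sh` loop has the same shape and reports only the last app's status. Fail fast in each iteration and call `$(MAKE)` so flags and the jobserver propagate: `$(MAKE) -C $(ROOT_DIR)/examples/$$app docker-buildx || exit 1; \` and `tools/hack/kind-load-image.sh $(EXAMPLE_IMAGE_PREFIX)$$app $(EXAMPLE_TAG) || exit 1; \`. Using `-C` also drops `pushd`/`popd`, which need bash as the recipe shell, something this file does not set itself.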
@@ -132,7 +132,9 @@ experimental-conformance: create-cluster kube-install-image kube-deploy run-expe benchmark: create-cluster kube-install-image kube-deploy-for-benchmark-test run-benchmark delete-cluster ## Create a kind cluster, deploy EG into it, run Envoy Gateway benchmark test, and clean up. .PHONY: e2e -e2e: create-cluster kube-install-image kube-deploy install-ratelimit install-e2e-telemetry run-e2e delete-cluster +e2e: create-cluster kube-install-image kube-deploy \ + install-ratelimit install-eg-addons kube-install-examples-image \ + run-e2e delete-cluster .PHONY: install-ratelimit install-ratelimit: @@ -188,10 +190,10 @@ uninstall-benchmark-server: ## Uninstall nighthawk server for benchmark test kubectl delete configmap test-server-config -n benchmark-test kubectl delete namespace benchmark-test -.PHONY: install-e2e-telemetry -install-e2e-telemetry: helm-generate.gateway-addons-helm +.PHONY: install-eg-addons +install-eg-addons: helm-generate.gateway-addons-helm @$(LOG_TARGET) - helm upgrade -i eg-addons charts/gateway-addons-helm --set grafana.enabled=false,opentelemetry-collector.enabled=true -n monitoring --create-namespace --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs + helm upgrade -i eg-addons charts/gateway-addons-helm -f test/helm/gateway-addons-helm/e2e.in.yaml -n monitoring --create-namespace --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs # Change loki service type from ClusterIP to LoadBalancer kubectl patch service loki -n monitoring -p '{"spec": {"type": "LoadBalancer"}}' # Wait service Ready @@ -202,8 +204,8 @@ install-e2e-telemetry: helm-generate.gateway-addons-helm kubectl rollout restart -n monitoring deployment/otel-collector kubectl rollout status --watch --timeout=5m -n monitoring deployment/otel-collector -.PHONY: uninstall-e2e-telemetry -uninstall-e2e-telemetry: +.PHONY: uninstall-eg-addons +uninstall-eg-addons: @$(LOG_TARGET) helm delete $(shell helm list -n monitoring -q) -n monitoring 
@@ -249,16 +251,7 @@ generate-manifests: helm-generate.gateway-helm ## Generate Kubernetes release ma @$(call log, "Added: $(OUTPUT_DIR)/quickstart.yaml") .PHONY: generate-artifacts -generate-artifacts: generate-manifests generate-egctl-releases ## Generate release artifacts. +generate-artifacts: generate-manifests ## Generate release artifacts. @$(LOG_TARGET) cp -r $(ROOT_DIR)/release-notes/$(TAG).yaml $(OUTPUT_DIR)/release-notes.yaml @$(call log, "Added: $(OUTPUT_DIR)/release-notes.yaml") - -.PHONY: generate-egctl-releases -generate-egctl-releases: ## Generate egctl releases - @$(LOG_TARGET) - mkdir -p $(OUTPUT_DIR)/ - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_darwin_amd64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_darwin_amd64.tar.gz - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_darwin_arm64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_darwin_arm64.tar.gz - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_linux_amd64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_linux_amd64.tar.gz - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_linux_arm64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_linux_arm64.tar.gz diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index b2022d8afde..d8bea4a9f7c 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod 
@@ -2,15 +2,15 @@ module local go 1.23.1 -require github.com/bufbuild/buf v1.45.0 +require github.com/bufbuild/buf v1.46.0 require ( - buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 // indirect - buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 // indirect - buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 // indirect - buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 // indirect - buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 // indirect - buf.build/go/bufplugin v0.5.0 // indirect + buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1 // indirect + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1 // indirect + buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 // indirect + buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1 // indirect + buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1 // indirect + buf.build/go/bufplugin v0.6.0 // indirect buf.build/go/protoyaml v0.2.0 // indirect buf.build/go/spdx v0.2.0 // indirect connectrpc.com/connect v1.17.0 // indirect 
@@ -21,11 +21,11 @@ require ( github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect - github.com/bufbuild/protovalidate-go v0.7.2 // indirect + github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.22 // indirect + github.com/containerd/containerd v1.7.23 // indirect github.com/containerd/continuity v0.4.3 // indirect - github.com/containerd/errdefs v0.2.0 // indirect + github.com/containerd/errdefs v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect @@ -50,12 +50,12 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/cel-go v0.21.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d // indirect + github.com/google/pprof v0.0.0-20241017200806-017d972448fc // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jdx/go-netrc v1.0.0 // indirect - github.com/klauspost/compress v1.17.10 // indirect + github.com/klauspost/compress v1.17.11 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect 
@@ -77,7 +77,7 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/pkg/profile v1.7.0 // indirect github.com/quic-go/qpack v0.5.1 // indirect - github.com/quic-go/quic-go v0.47.0 // indirect + github.com/quic-go/quic-go v0.48.1 // indirect github.com/rogpeppe/go-internal v1.10.0 // indirect github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect @@ -94,19 +94,19 @@ require ( go.lsp.dev/protocol v0.12.0 // indirect go.lsp.dev/uri v0.3.0 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect - go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect + go.opentelemetry.io/otel v1.31.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect - go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.31.0 // indirect go.opentelemetry.io/otel/sdk v1.30.0 // indirect - go.opentelemetry.io/otel/trace v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.31.0 // indirect go.uber.org/atomic v1.11.0 // indirect - go.uber.org/mock v0.4.0 // indirect + go.uber.org/mock v0.5.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - go.uber.org/zap/exp v0.1.1-0.20240913022758-ede8e1888f83 // indirect + go.uber.org/zap/exp v0.3.0 // indirect golang.org/x/crypto v0.28.0 // indirect - golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 // indirect + golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect golang.org/x/mod v0.21.0 // indirect golang.org/x/net v0.30.0 // indirect golang.org/x/sync v0.8.0 // indirect 
@@ -117,7 +117,7 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect google.golang.org/grpc v1.67.1 // indirect - google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 // indirect + google.golang.org/protobuf v1.35.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect pluginrpc.com/pluginrpc v0.5.0 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index 6fb21576d0e..b2a67028e40 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -1,15 +1,15 @@ -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 h1:BQVQ0fcYgqpe6F/2ZPJUR1rTN+nwdrj2z7IAbAu9XAQ= -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2/go.mod h1:B+9TKHRYqoAUW57pLjhkLOnBCu0DQYMV+f7imQ9nXwI= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 h1:hl0FrmGlNpQZIGvU1/jDz0lsPDd0BhCE0QDRwPfLZcA= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 h1:p4A9QnhBrKjCquBt1mKqfO37QseLwgWqQp+Wb9ZjasE= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1/go.mod h1:7WtU+waNF+dyxDsuNaqmG3d0w3y2poNju8cvun1/jLs= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 h1:3sSS9z8k6zVe7rNNt9R6DN2fOFBVClEflmICIjbXwms= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 h1:oSi+Adw4xvIjXrW8eY8QGR3sBdfWeY5HN/RefnRt52M= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2/go.mod h1:GjH0gjlY/ns16X8d6eaXV2W+6IFwsO5Ly9WVnzyd1E0= -buf.build/go/bufplugin v0.5.0 h1:pmK1AloAMp+4woH5hEisK9qVmDdLySzIKexUUVZLJ2Q= -buf.build/go/bufplugin v0.5.0/go.mod h1:r7Y8tpqpErLtUXUecEgwAHnjihY03YbN0IaBFNJF/x0= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1 h1:O31Hu5Oho5suEWOD7FuMU9vfzeQT07ukTu4YuBVjLbw= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1/go.mod h1:rYPnjsUZ2lGpoQ/T322HWZQil9/MIZF2njP+/u/0GKg= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go 
v1.35.1-20240920164238-5a7b106cbb87.1 h1:9wP6ZZYWnF2Z0TxmII7m3XNykxnP4/w8oXeth6ekcRI= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1/go.mod h1:Duw/9JoXkXIydyASnLYIiufkzySThoqavOsF+IihqvM= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 h1:FHQXg3T7S2jp8yc7/bQJgqEH1yza/rrDHXITUK2Tm0g= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1/go.mod h1:5iwF5l+9lKCnvr1zLvDgUHrv6X+vU5nNPjvig1sbnao= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1 h1:PyqnJojY+BXNuJHp5aEfN9wPiP1dzrobXVmgLrUMe+A= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1/go.mod h1:x5Mti5bhMO87zJxCkcEbr7Lz+bHiFsqpxnpqSB1okG0= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1 h1:rPi3qs3qpDIXIl5QW2IPOaYZhppRkvuVKwEZrfhpy78= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1/go.mod h1:4IVMTaeh4JIjBYcGFLlTorfWpKVEXDjDfHAgKTeR0Ds= +buf.build/go/bufplugin v0.6.0 h1:3lhoh+0z+IUPS3ZajTPn/27LaLIkero2BDVnV7yXD1s= +buf.build/go/bufplugin v0.6.0/go.mod h1:hWCjxxv24xdR6F5pNlQavZV2oo0J3uF4Ff1XEoyV6vU= buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8= buf.build/go/protoyaml v0.2.0/go.mod h1:L/9QvTDkTWcDTzAL6HMfN+mYC6CmZRm2KnsUA054iL0= buf.build/go/spdx v0.2.0 h1:IItqM0/cMxvFJJumcBuP8NrsIzMs/UYjp/6WSpq8LTw= 
@@ -30,14 +30,14 @@ github.com/Microsoft/hcsshim v0.12.7 h1:MP6R1spmjxTE4EU4J3YsrTxn8CjvN9qwjTKJXldF github.com/Microsoft/hcsshim v0.12.7/go.mod h1:HPbAuJ9BvQYYZbB4yEQcyGIsTP5L4yHKeO9XO149AEM= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.45.0 h1:WdaM5OCjqEURmzOiz3h9gVilFXqWpt6X+zbOVqKti1A= -github.com/bufbuild/buf v1.45.0/go.mod h1:j+GjGIKS+CvubKtPiC0KpEiHAd3wS9/5sn2/U5WlA20= +github.com/bufbuild/buf v1.46.0 h1:QqlFiy2l0F+hhyTF9xm7j91E7ovGyZVnneG2y38F0rk= +github.com/bufbuild/buf v1.46.0/go.mod h1:oN16LKwdlgji2eHLn3R07dxnQjxm9Q0pdUor5VXj3H8= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ= -github.com/bufbuild/protovalidate-go v0.7.2 h1:UuvKyZHl5p7u3ztEjtRtqtDxOjRKX5VUOgKFq6p6ETk= -github.com/bufbuild/protovalidate-go v0.7.2/go.mod h1:PHV5pFuWlRzdDW02/cmVyNzdiQ+RNNwo7idGxdzS7o4= +github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576 h1:A4TfjZJqApnAvGKDgxHqA1rG6BK1OswyNcTcnSrDbJc= +github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576/go.mod h1:R/UFeIPyFAh0eH7Ic/JJbO2ABdkxFuZZKDbzsI5UiwM= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -54,12 +54,12 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.22 h1:nZuNnNRA6T6jB975rx2RRNqqH2k6ELYKDZfqTHqwyy0= -github.com/containerd/containerd v1.7.22/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g= +github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= +github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= -github.com/containerd/errdefs v0.2.0 h1:XllDESRfJtVrMwMmR2mCabxyvBK4UlbyyiWI3MvRw0o= -github.com/containerd/errdefs v0.2.0/go.mod h1:C28ixlj3dKhQS9hsQ13b+HIb4X7+s2G4FYhbSPcRDLM= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= 
@@ -147,8 +147,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d h1:Jaz2JzpQaQXyET0AjLBXShrthbpqMkhGiEfkcQAiAUs= -github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241017200806-017d972448fc h1:NGyrhhFhwvRAZg02jnYVg3GBQy0qGBKmFQJwaPmpmxs= +github.com/google/pprof v0.0.0-20241017200806-017d972448fc/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -165,8 +165,8 @@ github.com/jhump/protoreflect/v2 v2.0.0-beta.2/go.mod h1:4tnOYkB/mq7QTyS3YKtVtNr github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.10 h1:oXAz+Vh0PMUvJczoi+flxpnBEPxoER1IaAnU/NMPtT0= -github.com/klauspost/compress v1.17.10/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= @@ -225,8 +225,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= -github.com/quic-go/quic-go v0.47.0 h1:yXs3v7r2bm1wmPTYNLKAAJTHMYkPEsfYJmTazXrCZ7Y= -github.com/quic-go/quic-go v0.47.0/go.mod h1:3bCapYsJvXGZcipOHuu7plYtaV6tnF+z7wIFsU0WK9E= +github.com/quic-go/quic-go v0.48.1 h1:y/8xmfWI9qmGTc+lBr4jKRUWLGSlSigv847ULJ4hYXA= +github.com/quic-go/quic-go v0.48.1/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= 
@@ -270,44 +270,44 @@ go.lsp.dev/uri v0.3.0 h1:KcZJmh6nFIBeJzTugn5JTU6OOyG0lDOo3R9KwTxTYbo= go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0/go.mod h1:DQAwmETtZV00skUwgD6+0U89g80NKsJE3DCKeLLPQMI= -go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= -go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM= +go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= +go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= -go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= -go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= +go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= 
go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k= go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY= -go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= -go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= +go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= +go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU= -go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= +go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU= +go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -go.uber.org/zap/exp v0.1.1-0.20240913022758-ede8e1888f83 h1:wpjRiPjppWaUIH+GC0bRvsdaH2K4Dw49dEJa7MX01Mk= -go.uber.org/zap/exp 
v0.1.1-0.20240913022758-ede8e1888f83/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ= +go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U= +go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 h1:1wqE9dj9NpSm04INVsJhhEUzhuDVjbcyKH91sVyPATw= -golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8= +golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY= +golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -393,8 +393,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 h1:gqpvySYmKe3qf25lfA3WIEMTXBU+lfISbNkPH2BA844= -google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=