[pull] main from envoyproxy:main #41

Merged: 497 commits, Jul 25, 2024

Commits (497)
11349b1
feat: Adding extension server policy handling. (#3371)
liorokman May 31, 2024
97895ba
fix: Reduce the amount of memory used by the in-memory extension mana…
liorokman May 31, 2024
7f2038f
API: add more oidc configuration settings (#3423)
zhaohuabing May 31, 2024
18f8c00
api: cookie based consistent hashing (#3444)
arkodg May 31, 2024
5619e74
feat: add generate API and Helm doc process with zh content update (#…
wilsonwu Jun 1, 2024
eaa685d
fix: merge race between #3418 and #3444,#3423 (#3513)
shawnh2 Jun 1, 2024
d961a1f
chore: update codecov ignore path (#3523)
shawnh2 Jun 3, 2024
9ece5e2
build(deps): bump github/codeql-action from 3.25.6 to 3.25.7 (#3518)
dependabot[bot] Jun 3, 2024
b1d95a0
build(deps): bump github.com/bufbuild/buf from 1.32.1 to 1.32.2 in /t…
dependabot[bot] Jun 3, 2024
ffe0fd8
build(deps): bump fortio.org/fortio from 1.63.8 to 1.63.9 (#3516)
dependabot[bot] Jun 3, 2024
01dd7b1
build(deps): bump docker/login-action from 3.1.0 to 3.2.0 (#3519)
dependabot[bot] Jun 3, 2024
6e946db
feat(oidc): implement additional OIDC configuration settings (#3514)
zetaab Jun 3, 2024
d2824e2
fix client backend mtls secrets updates (#3526)
alexwo Jun 3, 2024
3712659
feat(translator): Add names to filterchains based on the listener nam…
liorokman Jun 3, 2024
6d0bc1f
api: support user provided names for generated k8s resources (#3527)
arkodg Jun 4, 2024
af79e1c
feat: Enable the configuration of topologySpreadConstraints for the E…
alexwo Jun 4, 2024
ddd6e40
docs: highlight default 15s request timeout (#3529)
arkodg Jun 4, 2024
09fd519
feat(translator): implement backend API (#3495)
guydc Jun 4, 2024
607d8bc
helm: add envoy gateway addon helm chart support (#3470)
shawnh2 Jun 4, 2024
8f83c3d
fix: ReplaceFullPath not working for root path (/) (#3530)
arkodg Jun 5, 2024
cdd4e06
chore: remove redundant `helm-package` command (#3539)
shawnh2 Jun 5, 2024
516a27d
feat: keep core features supported when skipping extended tests (#3520)
levikobi Jun 5, 2024
b870e39
chore: Remove namespace restriction for EnvoyProxy parametersRef reso…
phantooom Jun 5, 2024
670f532
fix: doc broken links (#3553)
guydc Jun 6, 2024
85cac84
chore: bump go to 1.22.4 (#3552)
guydc Jun 6, 2024
92760c8
docs: Update docs on gwapi support for backendref filters (#3558)
cnvergence Jun 6, 2024
33fceb0
feat: support custom names for generated k8s resources (#3537)
arkodg Jun 7, 2024
5c884c6
build(deps): bump aquasecurity/trivy-action from 0.21.0 to 0.22.0 (#3…
dependabot[bot] Jun 10, 2024
f676799
build(deps): bump github/codeql-action from 3.25.7 to 3.25.8 (#3576)
dependabot[bot] Jun 10, 2024
ff202be
build(deps): bump google/osv-scanner-action from 1.7.3 to 1.7.4 (#3577)
dependabot[bot] Jun 10, 2024
be4f691
build(deps): bump fortio.org/fortio from 1.63.9 to 1.63.10 (#3571)
dependabot[bot] Jun 10, 2024
e56d4ac
bug: ClientTrafficPolicy resources are prevented from targeting a Sec…
liorokman Jun 10, 2024
3bd8f35
docs: backend (#3550)
guydc Jun 11, 2024
84921e5
build(deps): bump sigs.k8s.io/controller-runtime from 0.18.3 to 0.18.…
dependabot[bot] Jun 11, 2024
337c4c8
chore: automatically import Grafana dashboards when installing gatewa…
shawnh2 Jun 11, 2024
3520ce4
build(deps): bump github.com/golangci/golangci-lint from 1.59.0 to 1.…
dependabot[bot] Jun 11, 2024
242d69f
chore: update make helm-readme-gen (#3555)
shawnh2 Jun 11, 2024
bae64e3
chore: fix gen-check (#3585)
zirain Jun 11, 2024
4d699c5
ci: fix osv-scanner action (#3586)
zirain Jun 11, 2024
561b979
bug: cel tests are always run on a single version of Kubernetes (#3584)
liorokman Jun 11, 2024
e866ec1
build(deps): bump github.com/prometheus/common from 0.53.0 to 0.54.0 …
dependabot[bot] Jun 11, 2024
ab3a3d2
feat(api): Add http health check api to ClientTrafficPolicy (#3540)
aoledk Jun 11, 2024
0abdda7
feat: Allow configuring tolerations for the EG control plane installe…
coro Jun 12, 2024
7fdc738
feat: adding pod disruption budget support for envoy proxies (#3583)
alexwo Jun 12, 2024
845a5ec
e2e: basic multiple gc test (#2707)
cnvergence Jun 12, 2024
8a4b13d
Feat: adding support for PodDisruptionBudget with eg control plane (#…
alexwo Jun 13, 2024
fb38c8d
release: v1.0.2 (#3594)
Xunzhuo Jun 14, 2024
2e975a7
docs: sync 1.0.2 release note to 1.0.2 and fix CI (#3605)
Xunzhuo Jun 14, 2024
eb29549
fix: egctl x status gatewayclass example msg (#3606)
Xunzhuo Jun 14, 2024
6425d03
helm: add more addons for gateway-addons-helm (#3541)
shawnh2 Jun 14, 2024
59614bd
feat(translator): support switching between service/clusterIP routing…
evacchi Jun 14, 2024
28e1a48
chore: enable importas for lint (#3603)
shawnh2 Jun 14, 2024
4e5a2c6
feat(translator): Support extension server hooks for TCP and UDP list…
liorokman Jun 14, 2024
68de2e1
doc: add certgen description into chart readme (#3569)
ShyunnY Jun 15, 2024
1059d93
feat(translator): Implement http health check filter (#3596)
aoledk Jun 15, 2024
ed7e178
feat(translator): Add formatter support for OpenTelemetry access logg…
aoledk Jun 16, 2024
821916f
docs(zh): translate roadmap into Chinese (#3531)
wilsonwu Jun 16, 2024
fa1ede1
build(deps): bump github.com/miekg/dns from 1.1.59 to 1.1.61 (#3616)
dependabot[bot] Jun 17, 2024
2c602d5
build(deps): bump github/codeql-action from 3.25.8 to 3.25.10 (#3619)
dependabot[bot] Jun 17, 2024
94f818c
add CEL validation for BackendRef Group (#3557)
phantooom Jun 18, 2024
bdff5d5
feat: support plural targetRefs on policies (#3581)
liorokman Jun 18, 2024
12feabd
build(deps): bump the k8s-io group with 6 updates (#3612)
dependabot[bot] Jun 18, 2024
5d2ce88
build(deps): bump go.opentelemetry.io/proto/otlp from 1.2.0 to 1.3.1 …
dependabot[bot] Jun 18, 2024
a26efaa
build(deps): bump codecov/codecov-action from 4.4.1 to 4.5.0 (#3618)
dependabot[bot] Jun 18, 2024
c771c97
build(deps): bump github.com/bufbuild/buf from 1.32.2 to 1.33.0 in /t…
dependabot[bot] Jun 18, 2024
246e3f1
build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#3614)
dependabot[bot] Jun 18, 2024
88fc0bf
build(deps): bump actions/checkout from 4.1.6 to 4.1.7 (#3617)
dependabot[bot] Jun 18, 2024
9e2cfb4
build(deps): bump google.golang.org/protobuf from 1.34.1 to 1.34.2 (#…
dependabot[bot] Jun 19, 2024
67a696e
docs(zh): translate release note 1.0.2 into Chinese (#3636)
wilsonwu Jun 20, 2024
f2c9ec9
docs: ext-proc (#3608)
guydc Jun 20, 2024
d49337b
oidc: preserve authorization header (#3567)
zhaohuabing Jun 20, 2024
c752b88
feat: support attaching EnvoyProxy resource to Gateways (#3532)
haoqixu Jun 20, 2024
432b7e3
fix: envoy shutdown flaky test (#3646)
guydc Jun 22, 2024
c74f4fe
fix: do not propagate well-known port number for xds portRedirect (#3…
shawnh2 Jun 22, 2024
258eecd
follow-up: update docs and ci pipeline to utilize gateway-addons-helm…
shawnh2 Jun 22, 2024
9830c4d
fix: add retries to ext-proc tests (#3641)
guydc Jun 24, 2024
51196b4
api: Adding Zipkin Tracing support (#3630)
alexandermarston Jun 24, 2024
abe71c9
build(deps): bump fortio.org/fortio from 1.63.10 to 1.65.0 (#3658)
dependabot[bot] Jun 24, 2024
7ea2942
build(deps): bump softprops/action-gh-release from 2.0.5 to 2.0.6 (#3…
dependabot[bot] Jun 24, 2024
9a81492
build(deps): bump helm.sh/helm/v3 from 3.15.1 to 3.15.2 (#3657)
dependabot[bot] Jun 24, 2024
9d79cb8
build(deps): bump github.com/bufbuild/buf from 1.33.0 to 1.34.0 in /t…
dependabot[bot] Jun 24, 2024
e7048f2
build(deps): bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 (#3…
dependabot[bot] Jun 24, 2024
798132c
docs: introduce shortcode boilerplate (#3652)
zirain Jun 24, 2024
0ebfae8
refactor: refactor client/backend connection (#3650)
ShyunnY Jun 24, 2024
95d0fc7
docs: remove docs-api-headings (#3653)
zirain Jun 25, 2024
8e34366
chore: update PR template to highlight the api changes (#3637)
shawnh2 Jun 25, 2024
abe33cc
chore: update gateway-addons-helm (#3649)
zirain Jun 25, 2024
68463d2
docs: rm backend redirect docs (#3591)
arkodg Jun 25, 2024
77f956c
feat: implement zipkin tracing (#3668)
alexandermarston Jun 25, 2024
fa5ccfb
docs: rm active development alert (#3674)
arkodg Jun 26, 2024
d784c32
docs: fix GATEWAY_HOST address for v1.0.2 and latest docs (#3676)
arkodg Jun 26, 2024
22984d7
api: support AccessLog filter (#3669)
zirain Jun 27, 2024
8abf1ef
chore: cleanup and upgrade some api to v1 (#3644)
shawnh2 Jun 27, 2024
2a86997
Add benchmark testing framework (#3599)
shawnh2 Jun 27, 2024
9ebcfac
feat: Wasm OCI image (#3564)
zhaohuabing Jun 28, 2024
7338994
feat: add resources dashboard for envoy gateway (#3689)
shawnh2 Jun 28, 2024
51c6eb4
feat: AccessLog support CEL Filter (#3688)
zirain Jun 29, 2024
d670ecb
docs: Fix typo in bootstrap config (#3710)
pingiun Jul 1, 2024
4a74e60
chore: preallocate a list of addresses (#3712)
sanposhiho Jul 1, 2024
ab25757
chore: remove incorrect comment (#3716)
zirain Jul 1, 2024
c2983b5
chore: add "extproc" to extproc ir name (#3697)
zhaohuabing Jul 1, 2024
828edfb
chore: move benchmark-test job in build_and_test.yaml (#3692)
shawnh2 Jul 1, 2024
62949fe
build(deps): bump github/codeql-action from 3.25.10 to 3.25.11 (#3723)
dependabot[bot] Jul 2, 2024
da06a68
build(deps): bump google/osv-scanner-action from 1.7.4 to 1.8.1 (#3721)
dependabot[bot] Jul 2, 2024
3ff6156
build(deps): bump github.com/docker/cli from 26.1.3+incompatible to 2…
dependabot[bot] Jul 2, 2024
a2a8d9f
build(deps): bump github.com/google/go-containerregistry from 0.19.1 …
dependabot[bot] Jul 2, 2024
ba469e7
build(deps): bump github.com/docker/docker from 26.1.3+incompatible t…
dependabot[bot] Jul 2, 2024
4cab40a
build(deps): bump github.com/prometheus/common from 0.54.0 to 0.55.0 …
dependabot[bot] Jul 2, 2024
9a2a7f6
docs: Modify prerequisite go version (#3711)
sanposhiho Jul 2, 2024
d8f3d77
docs: install with brew (#3714)
zirain Jul 2, 2024
ec9945a
build(deps): bump github.com/docker/docker from 26.1.3+incompatible t…
dependabot[bot] Jul 2, 2024
1cf3016
docs: sync brew to v1.0.2 (#3729)
zirain Jul 2, 2024
acce649
feat(translator): xds route and vhost metadata (#3602)
guydc Jul 3, 2024
2ecfa06
feat: gRPC Access Log Service (ALS) sink (#3626)
zirain Jul 3, 2024
2d1c1d3
bump go to 1.22.5 (#3732)
zirain Jul 3, 2024
4602f6d
fix merge conflict (#3733)
zirain Jul 3, 2024
737b282
e2e: fix accesslog test
zirain Jul 3, 2024
de8a53d
lint
zirain Jul 3, 2024
5050e36
e2e: add CEL to accesslog test (#3730)
zirain Jul 3, 2024
015e7ff
refactor: rename control-plane metrics (#3727)
shawnh2 Jul 3, 2024
93019c3
feat: Implement target selectors for policies. (#3704)
liorokman Jul 3, 2024
612808c
e2e: Add backend health check e2e case via active http (#3677)
aoledk Jul 3, 2024
979f949
doc: add benchmarking section in contribution page (#3709)
shawnh2 Jul 3, 2024
9f8adfb
feat: cookie based consistent hashing (#3683)
arkodg Jul 4, 2024
780704c
chore: show golang version in the version command (#3750)
zhaohuabing Jul 4, 2024
d6b5415
xds: should use TCP as default protocol (#3749)
zirain Jul 4, 2024
df5c265
chore: enable lint for benchmark (#3754)
zirain Jul 5, 2024
b1e07ea
fix flaky wasm download test (#3759)
zhaohuabing Jul 5, 2024
eb9163a
e2e: zipkin tracing test (#3748)
zirain Jul 5, 2024
86ebbde
feat: mark programmed=false with an error when too many addresses are…
sanposhiho Jul 5, 2024
abb7c96
docs: CEL Expressions for Access Logging (#3739)
zirain Jul 5, 2024
17c89f9
docs: zipkin tracer (#3762)
zirain Jul 6, 2024
007617a
chore: update grafana dashboards (#3746)
shawnh2 Jul 6, 2024
9e13e1a
docs for customized filter order (#3761)
zhaohuabing Jul 6, 2024
bc62c63
build(deps): bump actions/download-artifact from 4.1.7 to 4.1.8 (#3776)
dependabot[bot] Jul 8, 2024
af9fb0c
fix basic auth doc (#3786)
zhaohuabing Jul 8, 2024
6791d6d
api: make accesslog format optional (#3770)
zirain Jul 8, 2024
f73c2c0
fix: fill missing clusterIP for service in egctl x translate (#3708)
shawnh2 Jul 8, 2024
b400b6e
build(deps): bump the go-opentelemetry-io group with 8 updates (#3779)
dependabot[bot] Jul 8, 2024
ef6ac4d
build(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4 (#3777)
dependabot[bot] Jul 8, 2024
07e2852
build(deps): bump github.com/docker/cli from 27.0.2+incompatible to 2…
dependabot[bot] Jul 8, 2024
cd16153
docs: move Compatibility Matrix page out of version (#3767)
zirain Jul 9, 2024
e63ffa0
release: v1.1.0-rc.1 (#3791)
guydc Jul 9, 2024
3958ccc
fix quickstart link in helm chart (#3793)
zhaohuabing Jul 9, 2024
6432f09
fix release note file name (#3792)
guydc Jul 9, 2024
8fe5fb9
build(deps): bump golang.org/x/sys from 0.21.0 to 0.22.0 (#3780)
dependabot[bot] Jul 9, 2024
609c02e
build(deps): bump distroless/static from `e9ac71e` to `8dd8d3c` in /t…
dependabot[bot] Jul 9, 2024
89fdd1c
build(deps): bump fortio.org/log from 1.12.2 to 1.14.0 (#3782)
dependabot[bot] Jul 9, 2024
1819796
build(deps): bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#3783)
dependabot[bot] Jul 9, 2024
f4c1f34
docs: move release-notes out of version (#3765)
zirain Jul 10, 2024
6610411
ci: update cherry-pick v1.1.0 (#3803)
guydc Jul 10, 2024
75b1530
doc: how to build a wasm image (#3806)
zhaohuabing Jul 10, 2024
376486e
Use Wasm instead of WASM (#3812)
mathetake Jul 11, 2024
40d095f
docs: generate v1.1.0-rc.1 release note (#3794)
Xunzhuo Jul 11, 2024
cbfb261
chore: release-notes-docs be part of generate (#3815)
zirain Jul 11, 2024
01c306b
fix: enable client timeout test (#3811)
guydc Jul 11, 2024
a9ffd75
chore: add benchmark report into release artifacts (#3756)
shawnh2 Jul 11, 2024
0af2f9f
docs: fix grafana link (#3818)
zirain Jul 11, 2024
06fdd9e
e2e: make sure ALS server is ready (#3816)
zirain Jul 11, 2024
118cf85
Revert "docs: fix grafana link" (#3822)
zirain Jul 11, 2024
7154609
feat: support target selectors on Envoy Gateway Extension Server poli…
liorokman Jul 11, 2024
9a60ed1
docs: updating the documentation for Extension Servers and adding an …
liorokman Jul 11, 2024
63453e3
docs for ip allowlist/denylist (#3784)
zhaohuabing Jul 11, 2024
5ca2c0e
docs: gRPC Access Log Service (ALS) sink (#3768)
zirain Jul 11, 2024
c9d3e45
docs: update v1.1.0-rc.1 release notes (#3821)
guydc Jul 12, 2024
b799c08
docs: add task for wasm extensions (#3796)
zhaohuabing Jul 12, 2024
4260d58
community: promote shawnh2 to maintainer and move qicz to emeritus (#…
Xunzhuo Jul 12, 2024
5a20e57
chore: report a translate error to errChan to make it observed correc…
sanposhiho Jul 12, 2024
9e155c2
chore: upgrade to golang v1.22.5 (#3829)
sanposhiho Jul 12, 2024
0d65801
chore: add `make lint.fix-golint` to address auto fixable lint issues…
sanposhiho Jul 12, 2024
11dd6d3
docs: patch field within EnvoyService (#3820)
shawnh2 Jul 12, 2024
b9d1493
accesslog: remove ALS gRPC initialMetadata (#3751)
zirain Jul 12, 2024
13b04fb
docs: add fixed links to the current version of eg docs (#3819)
zhaohuabing Jul 12, 2024
d5fde3e
fix: backendtls minversion (#3835)
guydc Jul 12, 2024
cceb42a
fix: enable use-client-protocol test (#3825)
guydc Jul 13, 2024
efb25d2
fix: backendtls client cert (#3839)
guydc Jul 13, 2024
762eb42
fix: prevent xdsIR updates from overwriting RateLimit configs from ot…
sanposhiho Jul 13, 2024
467bf9d
docs: use v[x.y] instead of v[x.y.z] (#3836)
zirain Jul 13, 2024
9ae48d4
e2e: fix basic auth flaky (#3833)
zirain Jul 13, 2024
7b09c21
design: add wasm extension supports OCI image code source (#3313)
zhaohuabing Jul 13, 2024
cd51ad3
fix: enable upgrade test (#3764)
guydc Jul 14, 2024
c14d7d2
chore: go mod tidy (#3842)
zirain Jul 15, 2024
a5047dc
fix flaky authorization tests (#3844)
zhaohuabing Jul 15, 2024
8c8ee14
build(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 (#3849)
dependabot[bot] Jul 15, 2024
48bd08e
build(deps): bump fortio.org/fortio from 1.65.0 to 1.66.0 (#3848)
dependabot[bot] Jul 15, 2024
3da4859
build(deps): bump helm.sh/helm/v3 from 3.15.2 to 3.15.3 (#3850)
dependabot[bot] Jul 15, 2024
d0daf1f
chore: move UDP test resources out of the base (#3857)
zhaohuabing Jul 15, 2024
222d74d
chore: replace targetRef with targetRefs in e2e (#3858)
shawnh2 Jul 15, 2024
b2016db
docs: Remove the older versions from linkinator ignore list (#3846)
zirain Jul 15, 2024
5256c3a
build(deps): bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 (#3…
dependabot[bot] Jul 15, 2024
6edbcdf
build(deps): bump github.com/norwoodj/helm-docs from 1.13.0 to 1.14.2…
dependabot[bot] Jul 15, 2024
0fc8d45
chore: move connection limit test resources out of the base (#3859)
zhaohuabing Jul 15, 2024
61e8701
build(deps): bump actions/setup-node from 4.0.2 to 4.0.3 (#3853)
dependabot[bot] Jul 16, 2024
441dfaf
build(deps): bump google/osv-scanner-action from 1.8.1 to 1.8.2 (#3851)
dependabot[bot] Jul 16, 2024
45ac78b
build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 in /tools/gith…
dependabot[bot] Jul 16, 2024
e2088cc
build(deps): bump github/codeql-action from 3.25.11 to 3.25.12 (#3852)
dependabot[bot] Jul 16, 2024
0ec17ab
docs: add backend tls docs (#3843)
guydc Jul 16, 2024
a6590bf
chore: move zipkin test resources out of the base (#3864)
zhaohuabing Jul 16, 2024
435a4dc
chore: move tcp test resources out of the base (#3863)
zhaohuabing Jul 16, 2024
ae93d1a
docs: create concepts docs page and diagram (#3808)
missBerg Jul 16, 2024
6c5ee36
benchmark: enable prometheus to scrape metrics from (#3772)
shawnh2 Jul 16, 2024
85e57ae
chore: move backend tls test resources out of the base (#3862)
zhaohuabing Jul 16, 2024
995803c
chore: remove cherrypicker action (#3831)
zirain Jul 17, 2024
cdc9a5f
chore: update linkinator comment (#3870)
zirain Jul 17, 2024
7f86844
chore: make format as part of gen-check (#3877)
zirain Jul 17, 2024
5870f21
chore: update LINKINATOR_IGNORE (#3879)
zirain Jul 17, 2024
7df99b6
return 500 error for failed SecurityPolicies to avoid unauthorized ac…
zhaohuabing Jul 17, 2024
9eff541
lint: update yamllint and codespell skip (#3882)
zirain Jul 17, 2024
4ebd397
e2e: increase test timeout (#3883)
zirain Jul 17, 2024
953a8d8
chore: client mtls test (#3874)
guydc Jul 17, 2024
f9eac40
fix: nil pointer err during hash load balancing build (#3886)
shawnh2 Jul 17, 2024
f9b5b99
fix override issue for EEP (#3881)
zhaohuabing Jul 17, 2024
7cbbcb5
accesslog: fix different CelMatches on AccessLog (#3885)
zirain Jul 17, 2024
6b232f1
rm gateway-api translation error message from direct response (#3878)
arkodg Jul 18, 2024
09fcfb3
GetParentReferences should use namespace from RouteContext (#3876)
zirain Jul 18, 2024
f2ce0a2
Add e2e test for load balancing (#3868)
shawnh2 Jul 18, 2024
445c342
egctl: introduce `egctl x collect` (#3775)
zirain Jul 18, 2024
d4e028d
e2e: add e2e test for cookie based consistent hash load balancing (#3…
shawnh2 Jul 18, 2024
06166c5
enable HTTPRouteBackendRequestHeaderModifier test (#3891)
arkodg Jul 18, 2024
035e489
disable writing into GatewayClass.Status.SupportedFeatures
arkodg Jul 17, 2024
fe0db24
comment out test snippet
arkodg Jul 18, 2024
e80c41d
validate for reconcile should check reference from EnvoyProxy (#3895)
zirain Jul 19, 2024
ed34ee4
chore: add grafonnet dashboards support (#3785)
shawnh2 Jul 19, 2024
fa65316
add startupProbe to all provisioned containers (#3893)
arkodg Jul 19, 2024
cdfcf3d
e2e: move als test resources out of the base (#3884)
zirain Jul 19, 2024
9c31f4b
e2e: fix ZipkinTracing flaky (#3899)
zirain Jul 19, 2024
976616e
doc: add load balancing usage (#3903)
shawnh2 Jul 20, 2024
e94351e
fix: typos in release notes (#3909)
Xunzhuo Jul 20, 2024
7c080fe
fix: fix the CEL definitions to allow policies that use target select…
liorokman Jul 20, 2024
a2e9bb5
feat(logger): Add tlog for better test logging (#3913)
Manoramsharma Jul 21, 2024
edb926b
e2e: add hook to debug OIDC fail (#3914)
zirain Jul 22, 2024
f4a1292
e2e: refactor and improve lb test (#3912)
zirain Jul 22, 2024
fda9376
tools: remove sphinx (#3927)
zirain Jul 22, 2024
da5abdb
release v1.1.0 (#3932)
guydc Jul 22, 2024
4baab02
build(deps): bump github.com/google/go-containerregistry from 0.19.2 …
dependabot[bot] Jul 22, 2024
34f65f2
build(deps): bump github/codeql-action from 3.25.12 to 3.25.13 (#3921)
dependabot[bot] Jul 23, 2024
8ba1bfb
build(deps): bump softprops/action-gh-release from 2.0.6 to 2.0.8 (#3…
dependabot[bot] Jul 23, 2024
9852333
build(deps): bump fortio.org/log from 1.14.0 to 1.15.0 (#3926)
dependabot[bot] Jul 23, 2024
5508a7c
build(deps): bump github.com/replicatedhq/troubleshoot from 0.95.1-0.…
dependabot[bot] Jul 24, 2024
f29c1d6
doc: utilize hugo boilerplates for latest (#3910)
shawnh2 Jul 24, 2024
8ec0b71
fix: flaky e2e gateway_with_conflicted_listener_cannot_be_merged (#3911)
shawnh2 Jul 24, 2024
c78f427
docs: add helm-version and yaml-version shortcode (#3766)
zirain Jul 24, 2024
a813084
fix: remove namespace in policies (#3947)
Xunzhuo Jul 24, 2024
6453668
doc: authorization api (#3949)
zhaohuabing Jul 24, 2024
e82d10a
chore: Update k8s (#3936)
zirain Jul 24, 2024
92782a8
chore: cleaning up EnvoyFilter types (#3948)
zhaohuabing Jul 24, 2024
46dbeb9
docs: add note for Mac user (#3953)
zirain Jul 25, 2024
a0c0e48
printing name of the target when a policy fails to attach (#3943)
sadovnikov Jul 25, 2024
a07b083
docs: use yaml-version for quickstart yaml (#3952)
zirain Jul 25, 2024
1a7d0c6
chore: bump crd-ref-docs (#3945)
zirain Jul 25, 2024
feat(oidc): implement additional OIDC configuration settings (envoyproxy#3514)

implement additional OIDC configuration settings

Signed-off-by: Jesse Haka <haka.jesse@gmail.com>
zetaab authored Jun 3, 2024

Verified: this commit was created on GitHub.com and signed with GitHub's verified signature.
commit 6e946db23c593e7f8caf425808dbb823bd714db5
6 changes: 1 addition & 5 deletions api/v1alpha1/oidc_types.go
@@ -63,8 +63,7 @@ type OIDC struct {
// via the Authorization header Bearer scheme to the upstream.
// If not specified, defaults to false.
// +optional
// +notImplementedHide
ForwardAccessToken *bool `json:"ForwardAccessToken,omitempty"`
ForwardAccessToken *bool `json:"forwardAccessToken,omitempty"`

// DefaultTokenTTL is the default lifetime of the id token and access token.
// Please note that Envoy will always use the expiry time from the response
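Review bot: the JSON tag change from `ForwardAccessToken` to `forwardAccessToken` on `ForwardAccessToken *bool` is a user-visible rename rather than a lint fix: the CRD hunk further down removes an already-published `ForwardAccessToken:` property, so any SecurityPolicy that set it under the old name stops matching the schema once this ships. Call it out in the release notes together with the `+notImplementedHide` removal.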
@@ -76,7 +75,6 @@ type OIDC struct {
// OAuth flow will fail.
//
// +optional
// +notImplementedHide
DefaultTokenTTL *metav1.Duration `json:"defaultTokenTTL,omitempty"`

// RefreshToken indicates whether the Envoy should automatically refresh the
@@ -86,7 +84,6 @@ type OIDC struct {
//
// If not specified, defaults to false.
// +optional
// +notImplementedHide
RefreshToken *bool `json:"refreshToken,omitempty"`

// DefaultRefreshTokenTTL is the default lifetime of the refresh token.
@@ -96,7 +93,6 @@ type OIDC struct {
// If not specified, defaults to 604800s (one week).
// Note: this field is only applicable when the "refreshToken" field is set to true.
// +optional
// +notImplementedHide
DefaultRefreshTokenTTL *metav1.Duration `json:"defaultRefreshTokenTTL,omitempty"`
}
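Review bot: the doc comment states that `DefaultRefreshTokenTTL` is only applicable when `refreshToken` is true, but nothing enforces or reflects that: the `oidc.go` hunk below sets `DefaultRefreshTokenExpiresIn` whenever the TTL is non-nil. Either add a CEL marker on the `OIDC` type along the lines of `+kubebuilder:validation:XValidation:rule="!has(self.defaultRefreshTokenTTL) || (has(self.refreshToken) && self.refreshToken)"` so the combination is rejected at admission, or reword the comment so it matches what is actually passed through.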

@@ -811,12 +811,6 @@ spec:
description: OIDC defines the configuration for the OpenID Connect
(OIDC) authentication.
properties:
ForwardAccessToken:
description: |-
ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
If not specified, defaults to false.
type: boolean
clientID:
description: |-
The client ID to be used in the OIDC
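Review bot: dropping the `ForwardAccessToken` property from the structural schema means manifests that still carry the old key are pruned silently by the apiserver rather than rejected, so those users land on the new default (no forwarding) with no error; since pruning happens before validation, no schema rule can flag the stale key. Either keep the old property for one release with a deprecation note, or document the migration explicitly.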
@@ -913,6 +907,12 @@ spec:
the authorization response must be set by the authorization server, or the
OAuth flow will fail.
type: string
forwardAccessToken:
description: |-
ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
If not specified, defaults to false.
type: boolean
logoutPath:
description: |-
The path to log a user out, clearing their credential cookies.
50 changes: 32 additions & 18 deletions internal/gatewayapi/securitypolicy.go
@@ -32,9 +32,11 @@ import (
)

const (
defaultRedirectURL = "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
defaultRedirectPath = "/oauth2/callback"
defaultLogoutPath = "/logout"
defaultRedirectURL = "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
defaultRedirectPath = "/oauth2/callback"
defaultLogoutPath = "/logout"
defaultForwardAccessToken = false
defaultRefreshToken = false

// nolint: gosec
oidcHMACSecretName = "envoy-oidc-hmac"
@@ -587,9 +589,11 @@ func (t *Translator) buildOIDC(
scopes := appendOpenidScopeIfNotExist(oidc.Scopes)

var (
redirectURL = defaultRedirectURL
redirectPath = defaultRedirectPath
logoutPath = defaultLogoutPath
redirectURL = defaultRedirectURL
redirectPath = defaultRedirectPath
logoutPath = defaultLogoutPath
forwardAccessToken = defaultForwardAccessToken
refreshToken = defaultRefreshToken
)

if oidc.RedirectURL != nil {
@@ -603,6 +607,12 @@ func (t *Translator) buildOIDC(
if oidc.LogoutPath != nil {
logoutPath = *oidc.LogoutPath
}
if oidc.ForwardAccessToken != nil {
forwardAccessToken = *oidc.ForwardAccessToken
}
if oidc.RefreshToken != nil {
refreshToken = *oidc.RefreshToken
}

// Generate a unique cookie suffix for oauth filters.
// This is to avoid cookie name collision when multiple security policies are applied
@@ -624,18 +634,22 @@ func (t *Translator) buildOIDC(
}

return &ir.OIDC{
Name: irConfigName(policy),
Provider: *provider,
ClientID: oidc.ClientID,
ClientSecret: clientSecretBytes,
Scopes: scopes,
Resources: oidc.Resources,
RedirectURL: redirectURL,
RedirectPath: redirectPath,
LogoutPath: logoutPath,
CookieSuffix: suffix,
CookieNameOverrides: policy.Spec.OIDC.CookieNames,
HMACSecret: hmacData,
Name: irConfigName(policy),
Provider: *provider,
ClientID: oidc.ClientID,
ClientSecret: clientSecretBytes,
Scopes: scopes,
Resources: oidc.Resources,
RedirectURL: redirectURL,
RedirectPath: redirectPath,
LogoutPath: logoutPath,
ForwardAccessToken: forwardAccessToken,
DefaultTokenTTL: oidc.DefaultTokenTTL,
RefreshToken: refreshToken,
DefaultRefreshTokenTTL: oidc.DefaultRefreshTokenTTL,
CookieSuffix: suffix,
CookieNameOverrides: policy.Spec.OIDC.CookieNames,
HMACSecret: hmacData,
}, nil
}
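Review bot: `DefaultTokenTTL` and `DefaultRefreshTokenTTL` are copied into the IR untouched while every other new field gets a default here. A zero or negative `metav1.Duration` (e.g. `-1h`) parses fine and would reach the xDS translator as a negative `Seconds`; consider rejecting non-positive values, either with a validation marker on the API type or by returning an error from `buildOIDC` next to the existing defaulting.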

8 changes: 8 additions & 0 deletions internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
@@ -101,6 +101,10 @@ securityPolicies:
name: "client1-secret"
redirectURL: "https://www.example.com/bar/oauth2/callback"
logoutPath: "/bar/logout"
forwardAccessToken: true
defaultTokenTTL: 30m
refreshToken: true
defaultRefreshTokenTTL: 24h
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
@@ -124,3 +128,7 @@ securityPolicies:
resources: ["api"]
redirectURL: "https://www.example.com/foo/oauth2/callback"
logoutPath: "/foo/logout"
forwardAccessToken: true
defaultTokenTTL: 1h
refreshToken: true
defaultRefreshTokenTTL: 48h
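Review bot: both fixtures set `refreshToken: true` together with a `defaultRefreshTokenTTL`, so the case the API comment singles out (a refresh TTL with `refreshToken` unset or false) is not exercised; add a third policy covering it so the expected IR output pins down whether the TTL is dropped or passed through.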
16 changes: 16 additions & 0 deletions internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -147,12 +147,16 @@ securityPolicies:
group: null
kind: null
name: client2-secret
defaultRefreshTokenTTL: 48h0m0s
defaultTokenTTL: 1h0m0s
forwardAccessToken: true
logoutPath: /foo/logout
provider:
authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
issuer: https://oauth.foo.com
tokenEndpoint: https://oauth.foo.com/token
redirectURL: https://www.example.com/foo/oauth2/callback
refreshToken: true
resources:
- api
scopes:
@@ -192,10 +196,14 @@ securityPolicies:
group: null
kind: null
name: client1-secret
defaultRefreshTokenTTL: 24h0m0s
defaultTokenTTL: 30m0s
forwardAccessToken: true
logoutPath: /bar/logout
provider:
issuer: https://accounts.google.com
redirectURL: https://www.example.com/bar/oauth2/callback
refreshToken: true
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
@@ -257,6 +265,9 @@ xdsIR:
clientID: client2.oauth.foo.com
clientSecret: Y2xpZW50MTpzZWNyZXQK
cookieSuffix: 5f93c2e4
defaultRefreshTokenTTL: 48h0m0s
defaultTokenTTL: 1h0m0s
forwardAccessToken: true
hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
logoutPath: /foo/logout
name: securitypolicy/default/policy-for-http-route
@@ -265,6 +276,7 @@ xdsIR:
tokenEndpoint: https://oauth.foo.com/token
redirectPath: /foo/oauth2/callback
redirectURL: https://www.example.com/foo/oauth2/callback
refreshToken: true
resources:
- api
scopes:
@@ -292,6 +304,9 @@ xdsIR:
clientID: client1.apps.googleusercontent.com
clientSecret: Y2xpZW50MTpzZWNyZXQK
cookieSuffix: b0a1b740
defaultRefreshTokenTTL: 24h0m0s
defaultTokenTTL: 30m0s
forwardAccessToken: true
hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
logoutPath: /bar/logout
name: securitypolicy/envoy-gateway/policy-for-gateway
@@ -300,5 +315,6 @@ xdsIR:
tokenEndpoint: https://oauth2.googleapis.com/token
redirectPath: /bar/oauth2/callback
redirectURL: https://www.example.com/bar/oauth2/callback
refreshToken: true
scopes:
- openid
14 changes: 14 additions & 0 deletions internal/ir/xds.go
@@ -695,6 +695,20 @@ type OIDC struct {
// The path to log a user out, clearing their credential cookies.
LogoutPath string `json:"logoutPath,omitempty"`

// ForwardAccessToken indicates whether the Envoy should forward the access token
// via the Authorization header Bearer scheme to the upstream.
ForwardAccessToken bool `json:"forwardAccessToken,omitempty"`

// DefaultTokenTTL is the default lifetime of the id token and access token.
DefaultTokenTTL *metav1.Duration `json:"defaultTokenTTL,omitempty"`

// RefreshToken indicates whether the Envoy should automatically refresh the
// id token and access token when they expire.
RefreshToken bool `json:"refreshToken,omitempty"`

// DefaultRefreshTokenTTL is the default lifetime of the refresh token.
DefaultRefreshTokenTTL *metav1.Duration `json:"defaultRefreshTokenTTL,omitempty"`

// CookieSuffix will be added to the name of the cookies set by the oauth filter.
// Adding a suffix avoids multiple oauth filters from overwriting each other's cookies.
// These cookies are set by the oauth filter, including: AccessToken,
10 changes: 10 additions & 0 deletions internal/ir/zz_generated.deepcopy.go

Some generated files are not rendered by default.

16 changes: 15 additions & 1 deletion internal/xds/translator/oidc.go
@@ -15,6 +15,7 @@ import (
hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
"github.com/golang/protobuf/ptypes/wrappers"
"google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/durationpb"
"k8s.io/utils/ptr"
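Review bot: `github.com/golang/protobuf/ptypes/wrappers` is the deprecated APIv1 package; this file already imports `google.golang.org/protobuf/types/known/anypb` and `durationpb`, so the new import should be `google.golang.org/protobuf/types/known/wrapperspb` and the value built with `wrapperspb.Bool(oidc.RefreshToken)`, keeping the imports on one protobuf module.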
@@ -145,7 +146,8 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) {
},
},
},
ForwardBearerToken: true,
UseRefreshToken: &wrappers.BoolValue{Value: oidc.RefreshToken},
ForwardBearerToken: oidc.ForwardAccessToken,
Credentials: &oauth2v3.OAuth2Credentials{
ClientId: oidc.ClientID,
TokenSecret: &tlsv3.SdsSecretConfig{
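Review bot: replacing the hard-coded `ForwardBearerToken: true` with `oidc.ForwardAccessToken`, whose default is `false` via `defaultForwardAccessToken` in securitypolicy.go, changes behaviour for every existing policy that does not set the new field: the access token is no longer forwarded to upstreams, as the `forwardBearerToken: true` line disappearing from the otherwise unchanged fixtures below confirms. Not forwarding by default is the safer posture (upstreams stop receiving a bearer token they may not need), but it will break upstreams that depended on it, so flag it as a breaking change in the release notes.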
@@ -173,6 +175,18 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) {
},
}

if oidc.DefaultTokenTTL != nil {
oauth2.Config.DefaultExpiresIn = &durationpb.Duration{
Seconds: int64(oidc.DefaultTokenTTL.Seconds()),
}
}

if oidc.DefaultRefreshTokenTTL != nil {
oauth2.Config.DefaultRefreshTokenExpiresIn = &durationpb.Duration{
Seconds: int64(oidc.DefaultRefreshTokenTTL.Seconds()),
}
}

if oidc.CookieNameOverrides != nil &&
oidc.CookieNameOverrides.AccessToken != nil {
oauth2.Config.Credentials.CookieNames.BearerToken = *oidc.CookieNameOverrides.AccessToken
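Review bot: `int64(oidc.DefaultTokenTTL.Seconds())` silently truncates sub-second precision and passes zero or negative durations straight to Envoy; `durationpb.New(oidc.DefaultTokenTTL.Duration)` preserves the value exactly, and a non-positive TTL should be rejected during validation rather than sent on, since a zero `default_expires_in` brings back the failure mode the docs describe (the flow fails unless the server returns `expires_in`). The same applies to the DefaultRefreshTokenTTL block; additionally, `DefaultRefreshTokenExpiresIn` is only meaningful when `UseRefreshToken` is true, so a config that sets DefaultRefreshTokenTTL with RefreshToken false should be either rejected or skipped here.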
4 changes: 4 additions & 0 deletions internal/xds/translator/testdata/in/xds-ir/oidc.yaml
@@ -37,6 +37,10 @@ http:
redirectPath: "/foo/oauth2/callback"
logoutPath: "/foo/logout"
cookieSuffix: 5F93C2E4
forwardAccessToken: true
defaultTokenTTL: 1h
refreshToken: true
defaultRefreshTokenTTL: 48h
- name: "second-route"
hostname: "*"
pathMatch:
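Review bot: this input only exercises the case where all four new fields are set on the first route and omitted on the second; add a case with `refreshToken: false` together with a `defaultRefreshTokenTTL`, and one with a fractional `defaultTokenTTL`, so the golden files pin how the translator handles the inconsistent combination and the seconds conversion.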
Original file line number Diff line number Diff line change
@@ -132,7 +132,6 @@
sdsConfig:
ads: {}
resourceApiVersion: V3
forwardBearerToken: true
redirectPathMatcher:
path:
exact: /foo/oauth2/callback
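Review bot: dropping `forwardBearerToken: true` from this golden output is the expected consequence of the new default, and this file is one of the tests that pins the unset `forwardAccessToken` case (header no longer forwarded); keep it, and make sure the behavior change it documents is reflected in the release notes.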
@@ -144,6 +143,7 @@
cluster: oauth_foo_com_443
timeout: 10s
uri: https://oauth.foo.com/token
useRefreshToken: false
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
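Review bot: emitting `useRefreshToken: false` explicitly rather than leaving the wrapper unset makes the translator's intent independent of Envoy's built-in default, which is the right choice for a security-relevant setting; the cost is that every existing golden file gains this line, which is fine as-is.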
Original file line number Diff line number Diff line change
@@ -43,6 +43,8 @@
sdsConfig:
ads: {}
resourceApiVersion: V3
defaultExpiresIn: 3600s
defaultRefreshTokenExpiresIn: 172800s
forwardBearerToken: true
redirectPathMatcher:
path:
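Review bot: `3600s` and `172800s` match the `1h` and `48h` from the input, so the seconds conversion is verified for whole-hour values only; a fractional-second input would be truncated by `int64(...Seconds())` in oidc.go and is not covered by this golden file.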
@@ -57,6 +59,7 @@
cluster: oauth_foo_com_443
timeout: 10s
uri: https://oauth.foo.com/token
useRefreshToken: true
- disabled: true
name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-second-route
typedConfig:
@@ -86,7 +89,6 @@
sdsConfig:
ads: {}
resourceApiVersion: V3
forwardBearerToken: true
redirectPathMatcher:
path:
exact: /bar/oauth2/callback
@@ -100,6 +102,7 @@
cluster: oauth_bar_com_443
timeout: 10s
uri: https://oauth.bar.com/token
useRefreshToken: false
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
4 changes: 4 additions & 0 deletions site/content/en/latest/api/extension_types.md
@@ -2390,6 +2390,10 @@ _Appears in:_
| `resources` | _string array_ | false | The OIDC resources to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.<br /><br />If not specified, uses a default logout path "/logout" |
| `forwardAccessToken` | _boolean_ | false | ForwardAccessToken indicates whether the Envoy should forward the access token<br />via the Authorization header Bearer scheme to the upstream.<br />If not specified, defaults to false. |
| `defaultTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultTokenTTL is the default lifetime of the id token and access token.<br />Please note that Envoy will always use the expiry time from the response<br />of the authorization server if it is provided. This field is only used when<br />the expiry time is not provided by the authorization.<br /><br />If not specified, defaults to 0. In this case, the "expires_in" field in<br />the authorization response must be set by the authorization server, or the<br />OAuth flow will fail. |
| `refreshToken` | _boolean_ | false | RefreshToken indicates whether the Envoy should automatically refresh the<br />id token and access token when they expire.<br />When set to true, the Envoy will use the refresh token to get a new id token<br />and access token when they expire.<br /><br />If not specified, defaults to false. |
| `defaultRefreshTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultRefreshTokenTTL is the default lifetime of the refresh token.<br />This field is only used when the exp (expiration time) claim is omitted in<br />the refresh token or the refresh token is not JWT.<br /><br />If not specified, defaults to 604800s (one week).<br />Note: this field is only applicable when the "refreshToken" field is set to true. |


#### OIDCCookieNames
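Review bot: the `defaultTokenTTL` description is missing a word: "when the expiry time is not provided by the authorization" should read "by the authorization server"; likewise "the refresh token is not JWT" should be "is not a JWT", and "the Envoy" should be "Envoy" in the `forwardAccessToken` and `refreshToken` rows. Since this table is generated, fix the doc comments on the API type and regenerate rather than editing the markdown.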
4 changes: 4 additions & 0 deletions site/content/zh/latest/api/extension_types.md
@@ -2390,6 +2390,10 @@ _Appears in:_
| `resources` | _string array_ | false | The OIDC resources to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.<br /><br />If not specified, uses a default logout path "/logout" |
| `forwardAccessToken` | _boolean_ | false | ForwardAccessToken indicates whether the Envoy should forward the access token<br />via the Authorization header Bearer scheme to the upstream.<br />If not specified, defaults to false. |
| `defaultTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultTokenTTL is the default lifetime of the id token and access token.<br />Please note that Envoy will always use the expiry time from the response<br />of the authorization server if it is provided. This field is only used when<br />the expiry time is not provided by the authorization.<br /><br />If not specified, defaults to 0. In this case, the "expires_in" field in<br />the authorization response must be set by the authorization server, or the<br />OAuth flow will fail. |
| `refreshToken` | _boolean_ | false | RefreshToken indicates whether the Envoy should automatically refresh the<br />id token and access token when they expire.<br />When set to true, the Envoy will use the refresh token to get a new id token<br />and access token when they expire.<br /><br />If not specified, defaults to false. |
| `defaultRefreshTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultRefreshTokenTTL is the default lifetime of the refresh token.<br />This field is only used when the exp (expiration time) claim is omitted in<br />the refresh token or the refresh token is not JWT.<br /><br />If not specified, defaults to 604800s (one week).<br />Note: this field is only applicable when the "refreshToken" field is set to true. |


#### OIDCCookieNames
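Review bot: same wording issues as the English table ("by the authorization" is missing "server", "is not JWT" should be "is not a JWT", "the Envoy" should be "Envoy"); this zh page is regenerated from the same API comments, so fix them at the source and regenerate both pages rather than editing either markdown file.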